Security vulnerabilities in WordFence (3)

  • Total site takeover in combination with read-only SQLi – (WordFence <= 7.6.1)

    An attacker can compromise any site using WordFence’s 2FA functionality by logging in as any user with two-factor authentication configured. The only precondition is that any plugin, any theme, or WordPress Core has one of the seemingly never-ending real-only SQL Injection vulnerabilities. Neither the target user’s primary credentials are required nor any form of authentication.

  • Compromise of 2FA secrets and backup codes through read-only SQLi – (WordFence <= 7.6.2)

    The plugin stores users’ emergency backup codes and TOTP secrets as plaintext in the database. An attacker that can obtain one of the seemingly never-ending read-only SQL-Injections will be able to bypass all 2FA checks for all users indefinitely.

  • DOS through IP spoofing – (WordFence <= 7.6.2)

    The plugin is vulnerable to IP spoofing if the target site is behind a reverse proxy and WordFence is configured to fetch the IP address from any source besides REMOTE_ADDR (the default). An attacker can exploit this to ban legitimate users, search-engine crawlers, or the site’s reverse proxy.