Security vulnerabilities in WordFence (3)
An attacker can compromise any site using WordFence’s 2FA functionality by logging in as any user with two-factor authentication configured. The only precondition is that any plugin, any theme, or WordPress Core has one of the seemingly never-ending read-only SQL injection vulnerabilities. Neither the target user’s primary credentials nor any other form of authentication is required.
The plugin stores users’ emergency backup codes and TOTP secrets as plaintext in the database. An attacker who can exploit one of the seemingly never-ending read-only SQL injection vulnerabilities will be able to bypass all 2FA checks for all users indefinitely.
The plugin is vulnerable to IP spoofing if the target site is behind a reverse proxy and WordFence is configured to fetch the IP address from any source besides REMOTE_ADDR (the default). An attacker can exploit this to ban legitimate users, search-engine crawlers, or the site’s reverse proxy.
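A defensive way to resolve the client address behind a reverse proxy, as an added example that is not WordFence's code: forwarded headers are honoured only when the TCP peer is a known proxy, and the chain is read from the right. The function names, the `$trustedProxies` list and the sample addresses are assumptions made for illustration.

```php
<?php
// Added example, not Wordfence code. resolve_client_ip() and norm_ip() are hypothetical names.
// Assumption: $trustedProxies holds the exact IPs of reverse proxies you operate,
// and each of them appends the peer address it saw to X-Forwarded-For.

function norm_ip(string $ip): ?string
{
    $packed = filter_var($ip, FILTER_VALIDATE_IP) === false ? false : inet_pton($ip);
    return $packed === false ? null : inet_ntop($packed);
}

function resolve_client_ip(array $server, array $trustedProxies): ?string
{
    $trusted = array_filter(array_map('norm_ip', $trustedProxies));
    $remote  = norm_ip($server['REMOTE_ADDR'] ?? '');
    if ($remote === null) {
        return null;
    }
    // Peer is not one of our proxies: it controls every header it sends,
    // so X-Forwarded-For is ignored and the TCP peer address is used.
    if (!in_array($remote, $trusted, true)) {
        return $remote;
    }
    $hops = explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? '');
    // Walk right to left: the rightmost entries were appended by our own
    // proxies; anything further left was supplied by the client.
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = norm_ip(trim($hops[$i]));
        if ($hop === null) {
            return null; // malformed chain: no address is trustworthy
        }
        if (!in_array($hop, $trusted, true)) {
            return $hop; // first non-proxy hop is the client our edge saw
        }
    }
    return null; // only proxy addresses seen: never act on the proxy's own IP
}

// Constructed sample requests (documentation address ranges).
$proxies = ['10.0.0.5'];
// Direct connection carrying a forwarded header: the header is ignored.
var_dump(resolve_client_ip(['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1'], $proxies));
// Via the proxy with a client-supplied leading entry: the proxy-appended hop wins.
var_dump(resolve_client_ip(['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1, 203.0.113.9'], $proxies));
// Via the proxy with no usable header: null, so callers must not block or rate-limit.
var_dump(resolve_client_ip(['REMOTE_ADDR' => '10.0.0.5'], $proxies));
```

A `null` result means no trustworthy client address exists for the request, so blocking logic should skip it rather than fall back to the proxy's address.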