April 24, 2023

Compromise of 2FA secrets and backup codes through read-only SQLi – (WordFence Login Security <= 1.0.11)

Calvin Alkan

| in

Affected plugin	WordFence Login Security
Active installs	50,000+
Vulnerable version	<= 1.0.11
Audited version	1.0.10
Fully patched version	–
Recommended remediation	PENDING

Description

The plugin stores users’ emergency backup codes and TOTP secrets as plaintext in the database.
An attacker that can obtain one of the seemingly never-ending read-only SQL-Injections will be able to bypass all 2FA checks for all users indefinitely.

Proof of concept

See https://snicco.io/vulnerability-disclosure/wordfence/compromise-of-2fa-secrets-and-backup-codes-through-read-only-sqli-wordfence-7-6-2

Proposed patch

See https://snicco.io/vulnerability-disclosure/wordfence/compromise-of-2fa-secrets-and-backup-codes-through-read-only-sqli-wordfence-7-6-2

Timeline

Vendor contacted	September 08, 2022
First Response	September 08, 2022
Fully patched at	–
Publicly disclosed	April 24, 2023

snicco

Compromise of 2FA secrets and backup codes through read-only SQLi – (WordFence Login Security <= 1.0.11)

Description

Proof of concept

Proposed patch

Timeline

Miscellaneous

Leave a Reply Cancel reply