Affected plugin | WordFence Login Security |
Active installs | 50,000+ |
Vulnerable version | <= 1.0.10 |
Audited version | 1.0.10 |
Fully patched version | 1.0.11 |
Recommended remediation | Immediately update to version 1.0.11 |
Description
An attacker can compromise any site using WordFence’s 2FA functionality by logging in as any user with two-factor authentication configured.
The only precondition is that any plugin, any theme, or WordPress Core has one of the seemingly never-ending read-only SQL Injection vulnerabilities.
Neither the target user’s primary credentials nor any other form of authentication is required.
Proof of concept
The proof of concept is identical to the one for the same vulnerability in the WordFence plugin.
Timeline
Vendor contacted | September 08, 2022 |
First Response | September 08, 2022 |
Fully patched at | September 16, 2022 |
Publicly disclosed | April 24, 2023 |
Miscellaneous
- The vendor did not disclose that patch 1.0.11 fixed a critical security vulnerability. Instead, the vendor used the following changelog message, which, in our opinion, does not adequately reflect the severity of the issue.
The changelog message is:
“Improvement: Hardened 2FA login flow to reduce exposure in cases where an attacker is able to obtain privileged information from the database”
- The vendor was the only one out of 26 that implemented proper security best practices, like offering a public GPG key to secure the POC.