Security vulnerabilities in WordFence Login Security (2)
-
Total site takeover in combination with read-only SQLi – (WordFence Login Security <= 1.0.10)
An attacker can compromise any site using WordFence’s 2FA functionality by logging in as any user with two-factor authentication configured. The only precondition is that any plugin, any theme, or WordPress Core has one of the seemingly never-ending read-only SQL injection vulnerabilities. Neither the target user’s primary credentials nor any form of authentication is required.
-
Compromise of 2FA secrets and backup codes through read-only SQLi – (WordFence Login Security <= 1.0.11)
The plugin stores users’ emergency backup codes and TOTP secrets as plaintext in the database. An attacker who can exploit one of the seemingly never-ending read-only SQL injections will be able to bypass all 2FA checks for all users indefinitely.
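
For contrast with the plaintext storage described above, a sketch of storing the same data so that a database read alone does not yield usable 2FA material. This is an added example, not WordFence's code or its actual fix; the function names are hypothetical, the sample secret and codes are constructed, and it assumes the encryption key is kept outside the database (for example in wp-config.php).

```php
<?php
// Added example with hypothetical helper names; not the plugin's code.
// Assumption: $key is a 32-byte key loaded from outside the database.

// TOTP secrets must be recoverable, so encrypt them (authenticated encryption).
function seal_totp_secret(string $secret, string $key): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    // The database column only ever holds nonce || ciphertext.
    return base64_encode($nonce . sodium_crypto_secretbox($secret, $nonce, $key));
}

function open_totp_secret(string $stored, string $key): ?string {
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null; // malformed or truncated row
    }
    $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain  = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    return $plain === false ? null : $plain; // false: wrong key or tampered data
}

// Backup codes only need to be verified, never displayed again: hash them.
function hash_backup_codes(array $codes): array {
    return array_map(fn(string $c): string => password_hash($c, PASSWORD_DEFAULT), $codes);
}

// Verify a submitted code and remove its hash so it cannot be reused.
function redeem_backup_code(string $submitted, array &$hashes): bool {
    foreach ($hashes as $i => $hash) {
        if (password_verify($submitted, $hash)) {
            unset($hashes[$i]);
            return true;
        }
    }
    return false;
}

// Constructed sample data.
$key    = sodium_crypto_secretbox_keygen();
$row    = seal_totp_secret('JBSWY3DPEHPK3PXP', $key);
$hashes = hash_backup_codes(['4f1c9a7e2b60d835', 'a93e07c41d5b2f68']);

var_dump(open_totp_secret($row, $key) === 'JBSWY3DPEHPK3PXP');         // true
var_dump(open_totp_secret($row, sodium_crypto_secretbox_keygen()));    // NULL
var_dump(redeem_backup_code('4f1c9a7e2b60d835', $hashes));             // true
var_dump(redeem_backup_code('4f1c9a7e2b60d835', $hashes));             // false (already used)
```

The encryption only helps while the key stays out of reach of the database read; a file-read or code-execution bug that exposes the key removes that protection, whereas the hashed backup codes remain one-way.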