snicco

Taking the pain out of enterprise WordPress development

Security vulnerabilities in WPMU Defender (6)

  • Encryption key is stored in version control – (WPMU Defender – 3.3.2)

    Affected plugin WPMU Defender Active installs 70,000+ Vulnerable version 3.3.2 Audited version 3.3.2 Fully patched version 3.3.3 Recommended remediation Immediately update to version 3.3.3 or higher and reset all TOTP secrets. Description The plugin uses symmetric encryption before storing users’ TOTP secrets in the database. However, the encryption key is stored in version control and…

  • TOTP Secrets stored as plaintext in a world-readable file – (WPMU Defender 3.3.1)

    Affected plugin WPMU Defender Active installs 70,000+ Vulnerable version 3.3.1 Audited version 3.3.1 Fully patched version 3.3.3 Recommended remediation Immediately update to version 3.3.3 or higher and reset all TOTP secrets. Description The plugin stores TOTP secrets as plaintext in a file inside the WordPress uploads directory. On the overwhelming amount of WordPress web server…

  • Total site takeover through broken 2FA in combination with SQLi – (WPMU Defender <= 3.3.0)

    An attacker can compromise any site using the plugin’s 2FA functionality by logging in as any user with two-factor authentication configured. The precondition is that any plugin, any theme, or WordPress Core has one of the seemingly never-ending real-only SQL Injection vulnerabilities. Furthermore, the attacker needs to obtain a valid WordPress nonce which he can…

  • Compromise of 2FA secrets and emergency codes through read-only SQLi – (WPMU Defender <= 3.3.0)

    Affected plugin WPMU Defender Active installs 70,000+ Vulnerable version <= 3.3.0 Audited version 3.2.0 Fully patched version – Recommended remediation Removal of the plugin Description The plugin stores users’ emergency backup codes and TOTP secrets as plaintext in the database.An attacker that can obtain one of the seemingly never-ending read-only SQL-Injections will be able to…

  • Time-based-side-channel attacks on secrets – (WPMU Defender <= 3.3.0)

    Affected plugin WPMU Defender Active installs 70,000+ Vulnerable version <= 3.3.0 Audited version 3.2.0 Fully patched version – Recommended remediation Removal of the plugin Description The plugin uses string comparison operators that don’t mitigate time-based attacks in almost all places where secret keys are compared to user input.A skilled attacker, given enough requests, can abuse…

  • DOS through IP spoofing – (WPMU Defender <= 3.3.0)

    Affected plugin WPMU Defender Active installs 70,000+ Vulnerable version <= 3.3.0 Audited version 3.2.0 Fully patched version – Recommended remediation Removal of the plugin Description The plugin is vulnerable to IP spoofing, which an attacker can continuously exploit to ban search engine crawlers, the site’s reverse proxy, or legitimate users. Proof of concept The plugin…