| Field | Value |
| --- | --- |
| Affected plugin | WPMU Defender |
| Active installs | 70,000+ |
| Vulnerable version | 3.3.2 |
| Audited version | 3.3.2 |
| Fully patched version | 3.3.3 |
| Recommended remediation | Immediately update to version 3.3.3 or higher and reset all TOTP secrets. |
Description
The plugin encrypts users' TOTP secrets with a symmetric cipher before storing them in the database. However, the encryption key is committed to version control and shipped with the plugin, so every active install uses the same key.
Proof of concept
The plugin's Crypt::get_decrypted_string method, used to encrypt/decrypt TOTP secrets for all users, reads its key from a file bundled with the plugin:

```php
public static function get_decrypted_string( $data ): string {
	// The key is read from def.key, a file shipped inside the plugin directory
	// (and therefore identical on every installation).
	$key = file_get_contents( __DIR__ . '/def.key' );
	// Fall back to an empty string if the key file cannot be read.
	return false !== $key ? self::decrypt_data( $data, $key ) : '';
}
```
The encryption key "def.key" is stored in version control and is the same for all active installations of the plugin.
This renders the encryption useless, since an attacker who obtains the stored secrets can always decrypt them with the publicly available key.
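The following is an added illustration of the key-management failure described above; it is not code from the advisory or from the Defender plugin. It stands in a small HMAC-SHA256 counter-mode cipher (encrypt-then-MAC, constructed here so the example runs with the standard library only) for the plugin's real cipher, and uses constructed values for the bundled key and for a sample TOTP secret. It shows that a ciphertext produced under a key that ships with the source decrypts anywhere that source is available, whereas a key generated per installation and kept outside version control does not transfer between sites:

```python
import hashlib
import hmac
import secrets
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a constructed stand-in for the plugin's real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None when the key does not match (tag check fails)."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# Constructed stand-in for the def.key file: one value committed to the
# repository and therefore present on every installation.
BUNDLED_KEY = b"constructed-key-shipped-with-plugin-source"

# Constructed sample: a user's base32 TOTP secret as an authenticator app would store it.
SAMPLE_TOTP_SECRET = b"JBSWY3DPEHPK3PXP"


def bundled_key_is_no_protection() -> bool:
    """A ciphertext from one site decrypts with the key anyone can read from the plugin source."""
    stored_on_site_a = encrypt(BUNDLED_KEY, SAMPLE_TOTP_SECRET)
    # Every other party holding the same plugin code holds the same key.
    return decrypt(BUNDLED_KEY, stored_on_site_a) == SAMPLE_TOTP_SECRET


def new_install_key() -> bytes:
    """Per-install key (assumed design): generated once at activation, kept outside version control."""
    return secrets.token_bytes(32)


def per_install_key_isolates_sites() -> bool:
    """A secret encrypted under site A's key is unreadable with site B's key."""
    key_a, key_b = new_install_key(), new_install_key()
    stored_on_site_a = encrypt(key_a, SAMPLE_TOTP_SECRET)
    readable_on_a = decrypt(key_a, stored_on_site_a) == SAMPLE_TOTP_SECRET
    unreadable_on_b = decrypt(key_b, stored_on_site_a) is None
    return readable_on_a and unreadable_on_b


if __name__ == "__main__":
    print("bundled key decrypts everywhere:", bundled_key_is_no_protection())
    print("per-install key isolates sites:", per_install_key_isolates_sites())
```

Switching to a per-install key (in a WordPress context, one derived from or stored alongside the site's own wp-config.php secrets rather than in the plugin package) only protects secrets encrypted after the change; anything already stored under the bundled key must be treated as exposed, which is why the remediation above also calls for resetting all TOTP secrets.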
Timeline
| Event | Date |
| --- | --- |
| Vendor contacted | September 29, 2022 |
| First response | October 04, 2022 |
| Fully patched | October 20, 2022 |
| Publicly disclosed | April 24, 2023 |