Affected plugin | WPMU Defender |
Active installs | 70,000+ |
Vulnerable version | 3.3.1 |
Audited version | 3.3.1 |
Fully patched version | 3.3.3 |
Recommended remediation | Immediately update to version 3.3.3 or higher and reset all TOTP secrets. |
Description
The plugin stores TOTP secrets as plaintext in a file inside the WordPress uploads directory. On the overwhelming majority of WordPress web server configurations, an attacker will be able to download this file simply by visiting the correct URL. At that point, the attacker can bypass two-factor authentication for all users.
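A defender-side audit for the condition described above, added here as an example (it is not code from the plugin or from the original advisory): it walks a WordPress uploads directory and reports non-media files that contain strings shaped like base32 TOTP secrets. The base32 length range, the skipped extensions and the sample file names are assumptions, since the page does not show the plugin's actual file name or format.

```python
import base64
import re
import tempfile
from pathlib import Path

# Assumption: secrets are RFC 4648 base32 strings of 16 to 64 characters, the
# usual TOTP encoding. The plugin's real file name and format are not on this page.
B32_TOKEN = re.compile(rb"(?<![A-Za-z0-9])[A-Z2-7]{16,64}(?![A-Za-z0-9=])")
MEDIA_SUFFIXES = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".mp4", ".pdf", ".zip"}
MAX_BYTES = 1_000_000  # skip large files; a secrets store is small


def looks_like_totp_secret(token: bytes) -> bool:
    """True if token is valid base32 for >= 80 bits and not a trivial repeat."""
    if len(set(token)) < 6:
        return False
    padded = token + b"=" * (-len(token) % 8)
    try:
        return len(base64.b32decode(padded)) >= 10
    except ValueError:  # binascii.Error: impossible base32 length
        return False


def find_exposed_secrets(uploads_dir) -> dict:
    """Map relative path -> number of secret-like tokens, for non-media files."""
    root = Path(uploads_dir)
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() in MEDIA_SUFFIXES:
            continue
        if path.stat().st_size > MAX_BYTES:
            continue
        tokens = B32_TOKEN.findall(path.read_bytes())
        hits = sum(1 for t in tokens if looks_like_totp_secret(t))
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


if __name__ == "__main__":
    # Constructed sample tree; the secret is a common documentation example value.
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp) / "example-plugin"
        store.mkdir()
        (store / "secrets.log").write_text("user 1: JBSWY3DPEHPK3PXP\n")
        (Path(tmp) / "notes.txt").write_text("ordinary upload, nothing secret\n")
        # Counts only: the report never echoes the secret values themselves.
        for rel, count in find_exposed_secrets(tmp).items():
            print(f"{rel}: {count} secret-like value(s), rotate and move out of web root")
```

A hit in a file the web server will serve is the exposure described here; the remediation for it is the one given above, updating the plugin and resetting the TOTP secrets.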
Proof of concept
The plugin uses the following code to generate a new TOTP secret:
Ultimately, the plugin stores the TOTP secrets for all users at the location:
An attacker can download all secrets without authentication by running the below command:
Timeline
Vendor contacted | September 26, 2022 |
First Response | September 27, 2022 |
Fully patched at | October 20, 2022 |
Publicly disclosed | April 24, 2023 |