WordPress plugin vulnerabilities


This archive contains the list of all security vulnerabilities in WordPress plugins that we (responsibly) disclosed.

Most of the vulnerabilities have been validated by:

  • GridPane
  • The InfoSec team of one of the largest enterprise WordPress hosts.
  • A fellow white-hat hacker with 20 years of experience working with Fortune 500 and government agencies.
  • Thomas Raef, CEO at wewatchyourwebsite.com

There are three reasons a vulnerability might be listed here:

  • The vendor has already fixed the vulnerability.
  • The vendor did not indicate any progress toward a resolution.
  • The vendor stated that they did not consider our findings to be a
    security issue.


For vendors:
Potential patches were last evaluated on September 21, 2022.
If an issue has been fixed let us know through the comment form on the respective disclosure page.

  • Time-based-side-channel attacks on secrets – (WPMU Defender <= 3.3.0)

    Affected plugin: WPMU Defender
    Active installs: 70,000+
    Vulnerable version: <= 3.3.0
    Audited version: 3.2.0
    Fully patched version: –
    Recommended remediation: Removal of the plugin
    Description: The plugin uses string comparison operators that don’t mitigate time-based attacks in almost all places where secret keys are compared to user input. A skilled attacker, given enough requests, can abuse…

  • DOS through IP spoofing – (WPMU Defender <= 3.3.0)

    Affected plugin: WPMU Defender
    Active installs: 70,000+
    Vulnerable version: <= 3.3.0
    Audited version: 3.2.0
    Fully patched version: –
    Recommended remediation: Removal of the plugin
    Description: The plugin is vulnerable to IP spoofing, which an attacker can continuously exploit to ban search engine crawlers, the site’s reverse proxy, or legitimate users.
    Proof of concept: The plugin…

  • Time-Based-Side-Channel-Attack on 2FA secrets – (iThemes Security <= 8.1.2)

    Affected plugin: iThemes Security
    Active installs: 1+ million
    Vulnerable version: <= 8.1.2
    Audited version: 8.1.2
    Fully patched version: –
    Recommended remediation: Removal of the plugin
    Description: The plugin uses string comparison operators that don’t mitigate time-based attacks in almost all places where secret keys are compared to user input. A skilled attacker, given enough requests, can…

  • Compromise of 2FA secrets through read-only SQLi – (iThemes Security <= 8.1.2)

    Affected plugin: iThemes Security
    Active installs: 1+ million
    Vulnerable version: <= 8.1.2
    Audited version: 8.1.2
    Fully patched version: –
    Recommended remediation: Removal of the plugin
    Description: The plugin stores users’ TOTP secrets in plaintext in the database. An attacker that can obtain one of the seemingly never-ending read-only SQL-Injections will be able to bypass all…

  • DOS through IP spoofing – (iThemes Security <= 8.1.2)

    The plugin is wide open to IP spoofing, which an attacker can exploit to ban search-engine crawlers, the site’s reverse proxy, or legitimate users.

  • Site takeover through broken 2FA in combination with SQLi – (miniOrange <= 5.5.82)

    An attacker can take over the entire site by logging in as any user with two-factor authentication enabled without knowing the user’s primary credentials. The only precondition is that any plugin, theme, or WordPress core has one of the endless read-only SQL-injection vulnerabilities.

  • Site takeover through stolen API credentials in combination with SQLi – (miniOrange <= 5.5.82)

    Affected plugin: miniOrange
    Active installs: 20,000+
    Vulnerable version: <= 5.5.82
    Audited version: 5.5.82
    Fully patched version: –
    Recommended remediation: Removal of the plugin
    Description: The plugin uses remote APIs in almost all authentication-related contexts. In addition, the plugin authenticates itself using information stored exclusively as plaintext in the database. An attacker, armed with a read-only…

  • Compromise of 2FA secrets and backup codes possible through read-only SQLi – (miniOrange <= 5.5.82)

    The plugin stores users’ emergency backup codes as plain text in the database. Furthermore, users’ TOTP secret keys are encrypted but the encryption keys are stored in the same database as the encrypted ciphertexts. An attacker that is able to obtain one of the seemingly never-ending read-only SQL-Injections will be able to bypass all 2FA…

  • Insecure Randomness for encryption keys – (miniOrange <= 5.5.82)

    The plugin uses a non-randomly-generated, eight-character string as OpenSSL encryption keys.

  • Rate limit bypass through User-Agent spoofing – (miniOrange <= 5.5.82)

    An attacker can bypass the plugin’s WAF rate limiting by spoofing the User-Agent header to match the name of a popular search-engine crawler.

  • DOS through IP spoofing – (miniOrange <= 5.5.82)

    The plugin is wide open to IP spoofing across the board, which an attacker can exploit to permanently ban search-engine crawlers, legitimate users, or the site’s reverse proxy.