This archive contains the list of all security vulnerabilities in WordPress plugins that we (responsibly) disclosed.
Most of the vulnerabilities have been validated by:
- GridPane
- The InfoSec team of one of the largest enterprise WordPress hosts.
- A fellow white-hat hacker with 20 years of experience working with Fortune 500 and government agencies.
- Thomas Raef, CEO at wewatchyourwebsite.com
There are three reasons a vulnerability might be listed here:
- The vendor has already fixed the vulnerability.
- The vendor did not indicate any progress toward a resolution.
- The vendor stated that they did not consider our findings to be a security issue.
For vendors:
Potential patches were last evaluated on September 21, 2022.
If an issue has been fixed, let us know through the comment form on the respective disclosure page.
-
Site takeover through broken 2FA in combination with SQLi – (miniOrange <= 5.5.82)
An attacker can take over the entire site by logging in as any user who has two-factor authentication enabled, without knowing that user's primary credentials. The only precondition is a read-only SQL-injection vulnerability somewhere on the site, whether in a plugin, a theme, or WordPress core, and there is an endless supply of those.
-
Site takeover through stolen API credentials in combination with SQLi – (miniOrange <= 5.5.82)
Affected plugin: miniOrange
Active installs: 20,000+
Vulnerable version: <= 5.5.82
Audited version: 5.5.82
Fully patched version: –
Recommended remediation: removal of the plugin
Description: The plugin uses remote APIs in almost all authentication-related contexts. In addition, the plugin authenticates itself to those APIs using credentials that are stored exclusively as plaintext in the database. An attacker, armed with a read-only…
-
Compromise of 2FA secrets and backup codes possible through read-only SQLi – (miniOrange <= 5.5.82)
The plugin stores users' emergency backup codes as plaintext in the database. Furthermore, users' TOTP secret keys are encrypted, but the encryption keys are stored in the same database as the ciphertexts they protect. An attacker who can exploit one of the seemingly never-ending read-only SQL injections will be able to bypass all 2FA…
-
Insecure Randomness for encryption keys – (miniOrange <= 5.5.82)
The plugin uses a non-randomly generated, eight-character string as its OpenSSL encryption key.
-
Rate limit bypass through User-Agent spoofing – (miniOrange <= 5.5.82)
An attacker can bypass the plugin's WAF rate limiting by setting the User-Agent header to the name of a popular search-engine crawler.
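As an added example (not code from this page or from the plugin), here is the crawler-exemption logic of a rate limiter in Python in its broken and hardened forms: the broken limiter exempts any request whose User-Agent names a search-engine crawler, the hardened one exempts only clients whose IP passes a forward-confirmed reverse-DNS check (PTR record under a crawler domain, and that host name resolving back to the same IP). The crawler domains, the request limit, and the DNS records that drive the offline demo are assumptions made for the example.

```python
"""Crawler exemption in a rate limiter: the broken form trusts the User-Agent header,
the hardened form verifies the claim with a reverse-then-forward DNS lookup."""
import socket
from collections import defaultdict

CRAWLER_UA_TOKENS = ("Googlebot", "Bingbot")
# Parent domains the genuine crawlers' reverse-DNS names fall under (assumed list).
CRAWLER_DOMAINS = ("googlebot.com", "google.com", "search.msn.com")
LIMIT = 5  # requests per client before throttling (assumed threshold)


def claims_to_be_crawler(user_agent):
    return any(token in user_agent for token in CRAWLER_UA_TOKENS)


def verify_crawler_dns(ip, reverse=socket.gethostbyaddr, forward=socket.gethostbyname_ex):
    """Forward-confirmed reverse DNS: PTR(ip) must be a host under a crawler domain on a
    label boundary (so 'notgooglebot.com' fails), and ip must be among A(host)."""
    try:
        host = reverse(ip)[0].lower().rstrip(".")
    except OSError:
        return False
    if not any(host == d or host.endswith("." + d) for d in CRAWLER_DOMAINS):
        return False
    try:
        return ip in forward(host)[2]
    except OSError:
        return False


class RateLimiter:
    def __init__(self, verify_crawler):
        self.hits = defaultdict(int)
        self.verify_crawler = verify_crawler

    def allow_trusting_ua(self, ip, user_agent):
        """Vulnerable: a header string alone buys the exemption."""
        if claims_to_be_crawler(user_agent):
            return True
        self.hits[ip] += 1
        return self.hits[ip] <= LIMIT

    def allow_verified(self, ip, user_agent):
        """Hardened: the header only decides whether the DNS check is worth running."""
        if claims_to_be_crawler(user_agent) and self.verify_crawler(ip):
            return True
        self.hits[ip] += 1
        return self.hits[ip] <= LIMIT


# Constructed PTR/A records so the example runs offline (not real DNS data).
FAKE_PTR = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com",  # shaped like a real Googlebot record
    "203.0.113.7": "notgooglebot.com",                 # attacker-controlled look-alike name
}
FAKE_A = {host: ip for ip, host in FAKE_PTR.items()}


def fake_reverse(ip):
    if ip not in FAKE_PTR:
        raise OSError("no PTR record")
    return (FAKE_PTR[ip], [], [ip])


def fake_forward(host):
    if host not in FAKE_A:
        raise OSError("no A record")
    return (host, [], [FAKE_A[host]])


def offline_verify(ip):
    return verify_crawler_dns(ip, reverse=fake_reverse, forward=fake_forward)


def demo(requests=20):
    """An attacker at 198.51.100.9 (no PTR record at all) sends `requests` hits with a
    spoofed Googlebot User-Agent; returns how many each limiter let through."""
    ua = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    attacker = "198.51.100.9"
    naive, hardened = RateLimiter(offline_verify), RateLimiter(offline_verify)
    return {
        "naive": sum(naive.allow_trusting_ua(attacker, ua) for _ in range(requests)),
        "hardened": sum(hardened.allow_verified(attacker, ua) for _ in range(requests)),
    }


if __name__ == "__main__":
    print(demo())  # {'naive': 20, 'hardened': 5}
```

In production the DNS result should be cached per IP, and a failed check should fall through to the normal limit rather than to a block, so that a DNS outage does not lock real crawlers out.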
-
DOS through IP spoofing – (miniOrange <= 5.5.82)
The plugin trusts spoofable client-IP information everywhere it makes IP-based decisions, which an attacker can exploit to permanently ban search-engine crawlers, legitimate users, or the site's reverse proxy.
-
Site compromise through leaked wp-config – (miniOrange <= 5.5.82)
The plugin stores filesystem and database backups as unencrypted .zip archives in the wp-uploads directory. The only protection is a .htaccess file, which NGINX ignores. Since most web servers are configured to allow access to .zip files in the wp-uploads directory, an attacker can download arbitrary backups and take over the entire site…
-
DOS through IP spoofing – (Jetpack <= 11.3.1)
Jetpack's login rate limiting is susceptible to IP spoofing, which an attacker can abuse to prevent legitimate users and/or the site's reverse proxy from making requests to the wp-login.php endpoint.
-
WAF bypass through IP spoofing – (Jetpack <= 11.3.1)
Jetpack contains a currently NOT exploitable security flaw that allows an attacker to bypass all WAF rules.
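The failure mode behind the IP-spoofing entries above (the miniOrange one as well as both Jetpack ones) is the same: the client IP is taken from a header the client controls. As an added example written for this page, not taken from Jetpack or any plugin, the block below pairs a login guard that bans by IP with two ways of deriving that IP: the usual broken one (first X-Forwarded-For value, from anyone) and one that honours the header only when the TCP peer is a known proxy, and then takes the right-most hop the proxy did not add itself. The proxy range, ban threshold, and traffic are assumptions.

```python
"""Deriving the client IP behind a reverse proxy. The broken form takes the first
X-Forwarded-For value from anyone; the hardened form honours the header only when
the TCP peer is a known proxy, and then takes the right-most hop that is not a proxy."""
import ipaddress
from collections import defaultdict

TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]  # assumed proxy address range
BAN_AFTER = 3  # failed logins before an IP is banned (assumed threshold)


def client_ip_naive(remote_addr, headers):
    """Vulnerable: whoever sends the header chooses the IP the site will act on."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else remote_addr


def client_ip_hardened(remote_addr, headers, trusted=TRUSTED_PROXIES):
    """Trust X-Forwarded-For only from a trusted proxy, and only the hops it appended."""
    peer = ipaddress.ip_address(remote_addr)
    xff = headers.get("X-Forwarded-For")
    if not xff or not any(peer in net for net in trusted):
        return remote_addr  # direct connection: the header is attacker-supplied noise
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed hop: fall back to the peer rather than guess
        if not any(addr in net for net in trusted):
            return str(addr)  # first hop from the right that no proxy added itself
    return remote_addr


class LoginGuard:
    """Ban-by-IP logic of the kind login rate limiters implement."""

    def __init__(self, ip_func):
        self.ip_func = ip_func
        self.failures = defaultdict(int)
        self.banned = set()

    def failed_login(self, remote_addr, headers):
        ip = self.ip_func(remote_addr, headers)
        self.failures[ip] += 1
        if self.failures[ip] >= BAN_AFTER:
            self.banned.add(ip)
        return ip

    def is_banned(self, remote_addr, headers):
        return self.ip_func(remote_addr, headers) in self.banned


def demo():
    """Constructed traffic: attacker 203.0.113.7 connects straight to the origin, the
    proxy is 10.0.0.2, the victim user 198.51.100.5 arrives through the proxy."""
    attacker, proxy, victim = "203.0.113.7", "10.0.0.2", "198.51.100.5"
    results = {}
    for name, ip_func in (("naive", client_ip_naive), ("hardened", client_ip_hardened)):
        guard = LoginGuard(ip_func)
        # 1. the attacker fails three logins while claiming to be the victim
        for _ in range(BAN_AFTER):
            guard.failed_login(attacker, {"X-Forwarded-For": victim})
        # 2. the real victim, via the proxy, now tries to log in
        results[f"{name}_victim_banned"] = guard.is_banned(proxy, {"X-Forwarded-For": victim})
        # 3. the attacker rotates the header and tries again
        results[f"{name}_attacker_banned"] = guard.is_banned(attacker, {"X-Forwarded-For": "192.0.2.77"})
        # 4. the attacker connects through the proxy, pre-seeding the header with the
        #    proxy's own address; the proxy appends the attacker's real address on the right
        results[f"{name}_ip_seen"] = ip_func(proxy, {"X-Forwarded-For": f"{proxy}, {attacker}"})
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Case 4 is the "ban the reverse proxy" outcome from the miniOrange entry: the naive derivation reports the proxy's own address, so three spoofed failures ban every request the proxy forwards.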
-
Time-Based-Side-Channel-Attack on 2FA secrets – (Google Authenticator <= 0.54)
The plugin uses string comparison operators that do not mitigate timing attacks in almost all places where secret keys are compared to user input. A skilled attacker, given enough requests, can abuse this to recover the secrets through a timing side channel.
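As an added example (not the plugin's code), the block below makes the leak concrete in Python: `leaky_equal` is the early-exit comparison pattern, reporting how many characters it examined so the leak can be shown deterministically rather than by timing; `recover_with_oracle` uses only that signal to recover a 16-character base32 TOTP secret in 16 × 32 queries instead of a 32^16 search; and `verify_totp` shows the comparison done right with `hmac.compare_digest`, checking every time slot without an early return. The secret is a constructed value; the HOTP routine follows RFC 4226, and the usage checks use the RFC 4226/6238 test vectors.

```python
"""Timing leak in secret comparison, a recovery attack driven by it, and the fix."""
import base64
import hashlib
import hmac
import struct

BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def leaky_equal(a, b):
    """Returns (equal, chars_examined). Stops at the first mismatch, like `==` on
    strings in many runtimes and memcmp/strcmp in C; the count is the timing signal."""
    if len(a) != len(b):
        return False, 0
    steps = 0
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            return False, steps
    return True, steps


def recover_with_oracle(length, alphabet, oracle):
    """Guess one position at a time: the candidate that makes the comparison run
    longest is the correct one. Returns (recovered_secret, queries_used)."""
    guess, queries = "", 0
    for _ in range(length):
        best, best_score = None, None
        for c in alphabet:
            candidate = (guess + c).ljust(length, alphabet[0])
            score = oracle(candidate)  # (equal, steps); tuples order correctly
            queries += 1
            if best_score is None or score > best_score:
                best, best_score = c, score
        guess += best
    return guess, queries


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP with HMAC-SHA1 (the algorithm behind TOTP)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32, submitted, now, step=30, window=1):
    """Check `submitted` against the current 30-second slot and its neighbours.
    Every slot is compared, with no early return, and each compare is constant time."""
    if not (submitted.isascii() and submitted.isdigit()):
        return False
    secret = base64.b32decode(secret_b32)
    counter = int(now // step)
    ok = False
    for c in range(counter - window, counter + window + 1):
        ok |= hmac.compare_digest(hotp(secret, c), submitted)
    return ok


# Constructed secret (not from any real account) used to drive the oracle attack.
SECRET = "JBSWY3DPEHPK3PXP"


def demo():
    leaky_oracle = lambda candidate: leaky_equal(candidate, SECRET)
    recovered, queries = recover_with_oracle(len(SECRET), BASE32, leaky_oracle)
    # With compare_digest the only signal is equal/not-equal, so the same strategy
    # cannot rank candidates: every wrong guess scores identically.
    safe_oracle = lambda candidate: (hmac.compare_digest(candidate, SECRET), 0)
    blind, _ = recover_with_oracle(len(SECRET), BASE32, safe_oracle)
    return {"recovered": recovered, "queries": queries, "blind": blind}


if __name__ == "__main__":
    print(demo())
```

Over a network the per-character difference is nanoseconds, which is why the attack needs many requests per candidate and statistics rather than one query each; the step counter stands in for that measurement, not for the difficulty.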
-
Compromise of 2FA secrets possible through read-only SQLi – (Google Authenticator <= 0.54)
The plugin stores users' TOTP secret keys as plaintext in the database. An attacker who can exploit one of the seemingly never-ending read-only SQL injections will be able to bypass all 2FA checks for all users indefinitely.
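The storage entries above (miniOrange's plaintext backup codes and same-database encryption keys, its fixed eight-character key, and Google Authenticator's plaintext TOTP secrets) share one requirement: a read-only dump of the database must not be enough. As an added example in Python, written for this page and not taken from either plugin, the block below keeps backup codes only as salted slow hashes that are consumed on use, and encrypts the TOTP secret under a key held in server configuration rather than in a row. `weak_enroll` reproduces the vulnerable layout (a short fixed key stored beside the ciphertext) and `attacker_from_dump` shows what each layout yields to an SQLi. The cipher is HMAC-SHA256 in counter mode with an HMAC tag, standing in for AES-GCM only so that the example needs nothing outside the standard library; the key values and PBKDF2 round count are assumptions.

```python
"""Storing second-factor material so that a read-only database dump is not enough."""
import hashlib
import hmac
import secrets

# Stand-in for a constant in wp-config.php or an environment variable: created once
# with a CSPRNG and never written to the database (assumed deployment).
SERVER_KEY = secrets.token_bytes(32)
WEAK_KEY = b"abcd1234"  # the kind of fixed eight-character key described above
PBKDF2_ROUNDS = 100_000  # scrypt or Argon2 would be better still; PBKDF2 is always available


def _keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode; stands in for AES-GCM to stay standard-library only."""
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt(key, plaintext):
    """nonce || ciphertext || tag, encrypt-then-MAC."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def hash_backup_code(code):
    """salt || PBKDF2(code): slow to brute-force, and the code itself never hits the DB."""
    salt = secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


def enroll(totp_secret_b32, n_codes=5):
    """Hardened row. Returns (row, codes); the codes are shown to the user once."""
    codes = [secrets.token_hex(4) for _ in range(n_codes)]
    row = {"totp_secret": encrypt(SERVER_KEY, totp_secret_b32.encode()),
           "backup_codes": [hash_backup_code(c) for c in codes]}
    return row, codes


def weak_enroll(totp_secret_b32):
    """Row shaped like the vulnerable layout: the key sits next to the ciphertext."""
    return {"key": WEAK_KEY, "totp_secret": encrypt(WEAK_KEY, totp_secret_b32.encode())}


def use_backup_code(row, submitted):
    """Constant-time match against each stored hash; a matching code is consumed."""
    for i, stored in enumerate(row["backup_codes"]):
        salt, digest = stored[:16], stored[16:]
        candidate = hashlib.pbkdf2_hmac("sha256", submitted.encode(), salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, digest):
            del row["backup_codes"][i]
            return True
    return False


def attacker_from_dump(row):
    """Everything a read-only SQLi yields is the row itself: with the key in it, the
    TOTP secret follows; without it, only ciphertext and hashes come out."""
    if "key" in row:
        return decrypt(row["key"], row["totp_secret"]).decode()
    return None


if __name__ == "__main__":
    row, codes = enroll("JBSWY3DPEHPK3PXP")
    print("hardened dump yields:", attacker_from_dump(row))
    print("weak dump yields:", attacker_from_dump(weak_enroll("JBSWY3DPEHPK3PXP")))
```

The server key must be rotatable without losing enrolments, so in practice each row should also record which key version encrypted it; that bookkeeping is left out here.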
Vulnerabilities by vendor:
- All In One WP Security (4)
- Blackhole for Bad Bots (2)
- BlogVault (1)
- Breakdance (1)
- Bricks (1)
- Cwicly (1)
- Google Authenticator (2)
- iThemes (3)
- Jetpack (2)
- Magic Login Pro (2)
- MalCare (1)
- miniOrange (7)
- Pantheon (1)
- Shield Security (3)
- SiteGround Security (5)
- Two-Factor (Plugin Contributors) (3)
- Two Factor Authentication (Updraft) (2)
- WordFence (3)
- WordFence Login Security (2)
- WP 2FA (4)
- WPMU Defender (6)
- WPRemote (1)
- WPUmbrella (1)
- XWP (1)
- Zero Spam for WordPress (1)
Vulnerabilities by classification:
- Broken Authentication (15)
- Injection (4)
- Insufficient Cryptography (16)
- IP spoofing (24)
- Sensitive Data Exposure (16)