This archive contains the list of all security vulnerabilities in WordPress plugins that we (responsibly) disclosed.
Most of the vulnerabilities have been validated by:
- GridPane
- The InfoSec team of one of the largest enterprise WordPress hosts.
- A fellow white-hat hacker with 20 years of experience working with Fortune 500 and government agencies.
- Thomas Raef, CEO at wewatchyourwebsite.com
There are three reasons a vulnerability might be listed here:
- The vendor has already fixed the vulnerability.
- The vendor did not indicate any progress toward a resolution.
- The vendor stated that they did not consider our findings to be a security issue.
For vendors:
Potential patches were last evaluated on September 21, 2022.
If an issue has been fixed let us know through the comment form on the respective disclosure page.
- DOS through IP spoofing – (Zero Spam for WordPress <= 5.4.1)
  An attacker can spoof their IP while submitting spam comments to ban arbitrary IPs, search-engine crawlers, or the site’s reverse proxy.
- DOS through IP spoofing – (Banhammer <= 2.9)
  An attacker can use IP spoofing to ban legitimate users, search-engine crawlers, or a site’s reverse proxy. This becomes possible as soon as a site owner changes the default IP source of the plugin by using the “banhammer_ip_keys” filter.
- Blocklist bypass through user agent spoofing – (Blackhole for Bad Bots <= 3.3.3)
  A malicious bot that spoofs its User-Agent header to one in the plugin’s allowlist can bypass the plugin entirely.
- DOS through IP spoofing – (Blackhole for Bad Bots <= 3.3.3)
  An attacker can use IP spoofing to ban legitimate users, search-engine crawlers, or a site’s reverse proxy. This becomes possible as soon as a site owner changes the default IP source of the plugin by using the “blackhole_ip_keys” filter.
- Broken authentication leads to total site takeover in combination with read-only SQLi – (Two-Factor <= 0.7.1)
  An attacker can take over the entire site by logging in as any user with two-factor authentication enabled without knowing the user’s primary credentials. The only precondition is that any plugin, theme, or WordPress core has one of the endless read-only SQL-injection vulnerabilities.
- Compromise of 2FA secret codes possible in combination with SQLi – (Two-Factor <= 0.7.2)
  The plugin stores users’ TOTP secret keys and emergency backup codes as plain text in the database. An attacker that is able to obtain one of the seemingly never-ending read-only SQL injections will be able to bypass all 2FA checks for all users indefinitely.
- Time-Based-Side-Channel-Attack on secrets – (Two-Factor <= 0.7.1)
  The plugin uses string comparison operators that don’t mitigate time-based attacks in almost all places where secret keys are compared to user input. A skilled attacker, given enough requests, can abuse this to recover secrets using time-based side-channel attacks.
- Exposure of secrets through insecure HTTP cookies – (SiteGround Security <= 1.3.0)
  The plugin uses HTTP cookies to store secret information. However, by using PHP’s “setcookie” function incorrectly, the plugin allows an attacker to read these cookies with JavaScript (XSS) or steal them over insecure HTTP connections (man-in-the-middle attack).
- Compromise of 2FA secrets and backup codes possible in combination with SQLi – (SiteGround Security <= 1.3.0)
  The plugin stores users’ TOTP secret keys and emergency backup codes as plain text in the database. An attacker that is able to obtain one of the seemingly never-ending read-only SQL injections will be able to bypass all 2FA checks for all users indefinitely.
- Total site takeover through broken 2FA authentication in combination with SQLi – (SiteGround Security <= 1.3.0)
  An attacker can take over the entire site by logging in as any user with two-factor authentication enabled without knowing the user’s primary credentials. The only precondition is that any plugin, theme, or WordPress core has one of the endless read-only SQL-injection vulnerabilities.
- Time-based-side-channel-attacks on secrets – (SiteGround Security <= 1.3.0)
  The plugin uses string comparison operators that don’t mitigate time-based attacks in several places where secrets are compared to user input. A skilled attacker, given enough requests, can abuse this to recover secrets using time-based side-channel attacks.