This archive contains the list of all security vulnerabilities in WordPress plugins that we (responsibly) disclosed.
Most of the vulnerabilities have been validated by:
- GridPane
- The InfoSec team of one of the largest enterprise WordPress hosts.
- A fellow white-hat hacker with 20 years of experience working with Fortune 500 and government agencies.
- Thomas Raef, CEO at wewatchyourwebsite.com
There are three reasons a vulnerability might be listed here:
- The vendor has already fixed the vulnerability.
- The vendor did not indicate any progress toward a resolution.
- The vendor stated that they did not consider our findings to be a security issue.
For vendors:
Potential patches were last evaluated on September 21, 2022.
If an issue has been fixed let us know through the comment form on the respective disclosure page.
- DOS through IP spoofing – (Magic Login Pro <= 1.4.1)
The plugin uses the current IP address to rate limit login requests. The implementation is vulnerable to IP spoofing, which an attacker can use to ban arbitrary users or the site’s reverse proxy from accessing the login page.
- Site takeover by stealing login tokens – (Magic Login Pro < 1.4.1)
The plugin stores login tokens as plain text in the “wp_usermeta” table, which is as dangerous as storing passwords in plaintext, since anybody with access to the login token can authenticate as the target user.
- Exposure of encryption secrets in world-readable .txt file – (WP 2FA <= 2.3.0)
The plugin will, under certain conditions, log all users’ 2FA secrets to a world-readable .txt file in the “wp-uploads” directory.
- Time-based side-channel attack on secrets – (WP 2FA <= 2.3.0)
The plugin uses string comparison operators that don’t mitigate timing attacks in almost all places where secret keys are compared to user input. A skilled attacker, given enough requests, can abuse this to recover secrets through a time-based side-channel attack.
- Broken authentication leads to total site takeover in combination with read-only SQLi – (WP 2FA <= 2.2.1)
An attacker can take over the entire site by logging in as any user with two-factor authentication enabled, without knowing that user’s primary credentials. The only precondition is that any plugin, theme, or WordPress core has one of the countless read-only SQL-injection vulnerabilities.
- 2FA bypass by deleting a hidden input field – (WP 2FA <= 2.2.0)
The entire two-factor authentication can be bypassed by deleting a hidden input field in the 2FA form.
- Time-based side-channel attack on backup codes – (Two Factor Authentication (Updraft) <= 1.14.5)
The plugin uses string comparison operators that don’t mitigate time-based side-channel attacks, which could be abused to reverse engineer information about a user’s emergency backup codes.
- Broken encryption allows 2FA bypass – (Two Factor Authentication (Updraft) <= 1.14.5)
The Two Factor Authentication plugin by Updraft employs a broken encryption scheme that allows an attacker to permanently bypass all 2FA checks.
Search vulnerabilities by vendor:
All In One WP Security (4) Blackhole for Bad Bots (2) BlogVault (1) CleanTalk (1) Google Authenticator (2) iThemes (3) Jetpack (2) Limit Login Attempts Reloaded (1) Loginizer (1) Magic Login Pro (2) MalCare (1) miniOrange (7) SecuPress (1) Shield Security (3) SiteGround Security (5) Sucuri Security (1) Two-Factor (Plugin Contributors) (3) Two Factor Authentication (Updraft) (2) WordFence (3) WordFence Login Security (2) WP 2FA (4) WP fail2ban (1) WPMU Defender (6) WPUmbrella (1) Zero Spam for WordPress (1)
Search vulnerabilities by classification:
Broken Authentication (13) Insufficient Cryptography (16) IP spoofing (23) Sensitive Data Exposure (16)