CVE-2022-4943

The miniOrange's Google Authenticator plugin for WordPress is vulnerable to authorization bypass due to a missing capability check when changing plugin settings in versions up to, and including, 5.6.5. This makes it possible for unauthenticated attackers to change the plugin's settings.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2842228%40miniorange-2-factor-authentication%2Ftrunk&old=2815645%40miniorange-2-factor-authentication%2Ftrunk&sfp_email=&sfph_mail=	Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/7267ede1-7745-47cc-ac0d-4362140b4c23?source=cve	Third Party Advisory
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2842228%40miniorange-2-factor-authentication%2Ftrunk&old=2815645%40miniorange-2-factor-authentication%2Ftrunk&sfp_email=&sfph_mail=	Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/7267ede1-7745-47cc-ac0d-4362140b4c23?source=cve	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:miniorange:google_authenticator:*:*:*:*:*:wordpress:*:*

History

21 Nov 2024, 07:36

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~5.3~~	v2 : unknown v3 : 7.5
References	() https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2842228%40miniorange-2-factor-authentication%2Ftrunk&old=2815645%40miniorange-2-factor-authentication%2Ftrunk&sfp_email=&sfph_mail= - Product	() https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2842228%40miniorange-2-factor-authentication%2Ftrunk&old=2815645%40miniorange-2-factor-authentication%2Ftrunk&sfp_email=&sfph_mail= - Product
References	~~() https://www.wordfence.com/threat-intel/vulnerabilities/id/7267ede1-7745-47cc-ac0d-4362140b4c23?source=cve - Third Party Advisory~~	() https://www.wordfence.com/threat-intel/vulnerabilities/id/7267ede1-7745-47cc-ac0d-4362140b4c23?source=cve - Third Party Advisory

Information

Published : 2023-10-20 08:15

Updated : 2024-11-21 07:36

NVD link : CVE-2022-4943

Mitre link : CVE-2022-4943

CVE.ORG link : CVE-2022-4943

JSON object : View

Products Affected

miniorange

google_authenticator

CWE

CWE-862

Missing Authorization

{"id": "CVE-2022-4943", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2023-10-20T08:15:11.983", "references": [{"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2842228%40miniorange-2-factor-authentication%2Ftrunk&old=2815645%40miniorange-2-factor-authentication%2Ftrunk&sfp_email=&sfph_mail=", "tags": ["Product"], "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7267ede1-7745-47cc-ac0d-4362140b4c23?source=cve", "tags": ["Third Party Advisory"], "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2842228%40miniorange-2-factor-authentication%2Ftrunk&old=2815645%40miniorange-2-factor-authentication%2Ftrunk&sfp_email=&sfph_mail=", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7267ede1-7745-47cc-ac0d-4362140b4c23?source=cve", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "The miniOrange's Google Authenticator plugin for WordPress is vulnerable to authorization bypass due to a missing capability check when changing plugin settings in versions up to, and including, 5.6.5. This makes it possible for unauthenticated attackers to change the plugin's settings."}, {"lang": "es", "value": "El complemento Google Authenticator de miniOrange para WordPress es vulnerable a la omisi\u00f3n de autorizaci\u00f3n debido a una falta de verificaci\u00f3n de capacidad al cambiar la configuraci\u00f3n del complemento en versiones hasta la 5.6.5 incluida. Esto hace posible que atacantes no autenticados cambien la configuraci\u00f3n del complemento."}], "lastModified": "2024-11-21T07:36:18.063", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:miniorange:google_authenticator:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "FA5D80D0-7543-49BC-8D9F-9C33C26EF1EE", "versionEndIncluding": "5.6.5"}], "operator": "OR"}]}], "sourceIdentifier": "security@wordfence.com"}

7.5 /10