WordPress Plugin Vulnerabilities

miniOrange's Google Authenticator < 5.5.75 - Reflected Cross-Site Scripting

Description

The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting

Proof of Concept

Affects Plugins

Plugin icon
miniorange-2-factor-authentication
Fixed in 5.5.75

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
136f662c-3857-4802-93f6-3fc0322e2c58

Timeline

Publicly Published
2022-06-27 (about 3 years ago)
Added
2022-06-27 (about 3 years ago)
Last Updated
2022-06-27 (about 3 years ago)

Other

Published
Title
Published
2024-05-21
Title
UserPro < 5.1.9 - Unauthenticated Account Takeover to Privilege Escalation
Published
2024-03-20
Title
WooCommerce Cloak Affiliate Links < 1.0.34 - Missing Authorization to Unauthenticated Permalink Modification
Published
2024-02-26
Title
Restrict User Access – Ultimate Membership & Content Protection < 2.6 - Information Exposure
Published
2021-08-31
Title
WooCommerce Dynamic Pricing & Discounts < 2.4.2 - Unauthenticated Settings Import to Stored XSS
Published
2025-07-03
Title
DocCheck Login < 1.1.6 - Unauthorized Post Access