WordPress Plugin Vulnerabilities

Google Authenticator <= 0.47 - Two Factor Authentication Bypass

Description

WordPress 4.5 introduced the ability to login with an email address instead of a username. Google Authenticator v0.47 wasn't aware of the new feature, and didn't properly handle the case where an email address was used instead of a username. Using an email address would allow an attacker with a valid password to bypass the two-factor OTP.

Affects Plugins

Plugin icon
google-authenticator
Fixed in 0.48

References

URL
https://plugins.trac.wordpress.org/changeset/1406125/google-authenticator

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287

Miscellaneous

Submitter
Anonymous
Verified
No
WPVDB ID
5d3b6fa8-3e11-4f01-8157-2d87b4961d43

Timeline

Publicly Published
2016-04-28 (about 10 years ago)
Added
2016-04-29 (about 10 years ago)
Last Updated
2019-11-01 (about 6 years ago)

Other

Published
Title
Published
2024-04-17
Title
SSL Zen <= 4.5.3 - Unauthenticated Private Keys Access
Published
2024-09-30
Title
Wechat Social login <= 1.3.0 - Authentication Bypass
Published
2014-08-01
Title
portable-phpMyAdmin < 1.3.1 - Authentication Bypass
Published
2008-01-15
Title
Spambam <= 2.1 - Authorisation Bypass
Published
2020-04-28
Title
LearnPress < 3.2.6.9 - Authenticated Post Creation and Status Modification