WordPress Plugin Vulnerabilities

miniOrange's Google Authenticator < 5.6.2 - Subscriber+ Settings Update

Description

The plugin does not have authorisation check when updating its settings, which could allow any authenticated users, such as subscriber to update them

Affects Plugins

Plugin icon
miniorange-2-factor-authentication
Fixed in 5.6.2

References

CVE
CVE-2022-42461

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
60d61302-7e9d-4353-92f9-fb64539ef943

Timeline

Publicly Published
2022-10-31 (about 3 years ago)
Added
2022-11-19 (about 3 years ago)
Last Updated
2022-11-19 (about 3 years ago)

Other

Published
Title
Published
2024-08-23
Title
ImageRecycle pdf & image compression < 3.1.15 - Missing Authorization in Several AJAX Actions
Published
2022-07-22
Title
WP Libre Form 2-2.0.8 - Unauthenticated Arbitrary Submissions Listing & Deletion
Published
2023-12-05
Title
Flexible Woocommerce Checkout Field Editor <= 2.0.1 - Missing Authorization
Published
2026-01-29
Title
Easy Hotel Booking <= 1.8.4 - Missing Authorization
Published
2025-12-11
Title
Modalier for Elementor <= 1.0.6 - Missing Authorization