WordPress Plugin Vulnerabilities

Two Factor Authentication <= 1.3.12 - Disable Two Factor Authentication CSRF

Description

According to the changelog:

"Fix a logged-in CSRF vulnerability reported by Martijn Korse (www.bitnesswise.com). Due to a missing nonce check, if an attacker was able to persuade a personally-targetted victim who was currently logged in to their WordPress account to visit a personally-crafted (for the individual victim) page in the same browser session, then the attacker would be able to de-activate two-factor authentication for the victim on that WordPress site (thus leaving the targetted account protected by the user's password, but not by a second factor - the absence of a request for a TFA code would be apparent on the user's next login). This vulnerability was inherited from the original "Two Factor Auth" plugin that this plugin was forked from, and so is present in all versions before this one."

Affects Plugins

Plugin icon
two-factor-authentication
Fixed in 1.3.13

References

CVE
CVE-2018-20231
URL
https://plugins.trac.wordpress.org/changeset/1997568/two-factor-authentication

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Martijn Korse
Submitter
Ryan Dewhurst
Submitter twitter
ethicalhack3r
Verified
No
WPVDB ID
b9f3abd6-4543-4d6d-89bc-9e1eca26f384

Timeline

Publicly Published
2018-12-18 (about 7 years ago)
Added
2019-01-07 (about 7 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2023-10-25
Title
Spider Facebook <= 1.0.15 - Cross-Site Request Forgery
Published
2024-04-11
Title
Sync Post With Other Site < 1.5.2 - Cross-Site Request Forgery
Published
2014-08-01
Title
Event Easy Calendar 1.0.0 - Multiple Administrator Action CSRF
Published
2025-04-09
Title
DeBounce Email Validator < 5.8.2 - Stored XSS via CSRF
Published
2025-01-24
Title
Attire Blocks < 1.9.7 - Cross-Site Request Forgery