miniOrange's Google Authenticator < 5.5 – Unauthenticated Arbitrary Options Deletion | CVE 2022-0229

Description

The plugin does not have proper authorisation and CSRF checks when handling the reconfigureMethod, and does not validate the parameters passed to it properly. As a result, unauthenticated users could delete arbitrary options from the blog, making it unusable.

Note: The initial issue was fixed in 5.4.49, however v5.5 also fixed the fact that any authenticated could call the reconfigure method against another user

Proof of Concept

https://example.com/?reconfigureMethod=1&transactionId=siteurl&user_id=siteurl

Affects Plugins

miniorange-2-factor-authentication

Fixed in 5.5

References

CVE

CVE-2022-0229

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CWE-862

CVSS

10.0 (critical)

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Verified

Yes

WPVDB ID

d70c5335-4c01-448d-85fc-f8e75b104351

Timeline

Publicly Published

2022-02-28 (about 3 years ago)

Added

2022-02-28 (about 3 years ago)

Last Updated

2022-04-09 (about 3 years ago)

Other

Published

Title

Published

2025-08-18

Title

Media Library Assistant < 3.28 - Authenticated (Author+) Limited File Deletion

Published

2021-12-20

Title

Tabs < 3.6.0 - Unauthenticated Arbitrary Option Update

Published

2024-06-06

Title

LA-Studio Element Kit for Elementor < 1.3.7.4 - Missing Authorization

Published

2024-04-22

Title

Flexible Shipping < 4.24.16 - Missing Authorization

Published

2023-10-11

Title

IMPress Listings <= 2.6.2 - Missing Authorization