WordPress Plugin Vulnerabilities

miniOrange's Google Authenticator < 5.6.6 - Missing Authorization to Plugin Settings Change

Description

The plugin is vulnerable to authorization bypass due to a missing capability check when changing plugin settings.

Affects Plugins

Plugin icon
miniorange-2-factor-authentication
Fixed in 5.6.6

References

CVE
CVE-2022-4943

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Ramuel Gall
Verified
No
WPVDB ID
f05c397d-0fea-4c4b-b66f-10fdb1b53114

Timeline

Publicly Published
2023-04-19 (about 2 years ago)
Added
2023-10-20 (about 2 years ago)
Last Updated
2023-10-20 (about 2 years ago)

Other

Published
Title
Published
2024-09-06
Title
Revision Manager TMC < 2.8.20 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Sending
Published
2025-01-24
Title
ExactMetrics < 8.2.0 - Missing Authorization
Published
2024-09-24
Title
Easy Mega Menu Plugin for WordPress – ThemeHunk < 1.1.0 - Missing Authorization to Authenticated (Subscriber+) Settings Updates
Published
2025-12-30
Title
JetBlog < 2.4.7.1 - Missing Authorization
Published
2024-07-11
Title
Seraphinite Post .DOCX Source < 2.16.10 - Missing Authorization