WordPress Plugin Vulnerabilities

miniOrange Google Authenticator < 1.0.5 - CSRF to Stored Cross-Site Scripting

Description

The plugin does not have CSRF check when saving its settings, and does not sanitise as well as escape them, allowing attackers to make a logged in admin change them and perform Cross-Site Scripting attacks

Proof of Concept

Affects Plugins

Plugin icon
miniorange-google-authenticator
Fixed in 1.0.5

References

CVE
CVE-2022-0875

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Niraj Mahajan
Submitter
Niraj Mahajan
Submitter website
https://www.linkedin.com/in/niraj1mahajan/
Submitter twitter
niraj1mahajan
Verified
Yes
WPVDB ID
fefc1411-594d-465b-aeb9-78c141b23762

Timeline

Publicly Published
2022-06-06 (about 3 years ago)
Added
2022-06-06 (about 3 years ago)
Last Updated
2023-03-07 (about 2 years ago)

Other

Published
Title
Published
2024-12-12
Title
WP-Ban-User <= 1.0 - Cross-Site Request Forgery to Cross-Site Scripting
Published
2025-03-28
Title
LWS SMS <= 2.4.1 - Cross-Site Request Forgery
Published
2025-03-11
Title
Skrill Official < 1.0.67 - Settings Update via CSRF
Published
2020-01-06
Title
WP Simple Spreadsheet Fetcher For Google < 0.3.7 - Arbitrary API Key update via CSRF
Published
2022-09-01
Title
GetResponse < 5.5.21 - API Key Update via CSRF