CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 1CVE-2022-2891 – WP 2FA < 2.3.0 - Time-Based Side-Channel Attack
https://notcve.org/view.php?id=CVE-2022-2891
The WP 2FA WordPress plugin before 2.3.0 uses comparison operators that don't mitigate time-based attacks, which could be abused to leak information about the authentication codes being compared. El plugin WP 2FA de WordPress versiones anteriores a 2.3.0, usa operadores de comparación que no mitigan los ataques basados en el tiempo, lo que podría ser abusado para filtrar información sobre los códigos de autenticación que son comparados The WP 2FA plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 2.2.1 due to the use of a linear-time comparison operator when comparing token hashes. This allows an attacker to gain information about authentication tokens by observing small time differences in server response times. This is a vulnerability that is generally not realistically exploitable over the internet due to other factors that will have a greater influence on response times. • https://wpscan.com/vulnerability/301b3dce-2584-46ec-92ed-1c0626522120 • CWE-203: Observable Discrepancy CWE-204: Observable Response Discrepancy •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2022-1527 – WP 2FA < 2.2.1 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-1527
The WP 2FA WordPress plugin before 2.2.1 does not sanitise and escape a parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting El plugin WP 2FA de WordPress versiones anteriores a 2.2.1, no sanea y escapa de un parámetro antes de devolverlo a una página de administración, conllevando a un ataque de tipo Cross-Site Scripting Reflejado The WP 2FA WordPress plugin before 2.2.1 does not sanitize and escape a parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue. • https://wpscan.com/vulnerability/0260d5c0-52a9-44ce-b7be-aff642056d16 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •