CVE-2022-0229
miniOrange's Google Authenticator < 5.5 - Unauthenticated Arbitrary Options Deletion
Severity Score
8.1
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
The miniOrange's Google Authenticator WordPress plugin before 5.5 does not have proper authorisation and CSRF checks when handling the reconfigureMethod, and does not validate the parameters passed to it properly. As a result, unauthenticated users could delete arbitrary options from the blog, making it unusable.
El plugin Google Authenticator de miniOrange de WordPress versiones anteriores a 5.5, no presenta comprobaciones apropiadas de autorización y de tipo CSRF cuando maneja el reconfigureMethod, y no comprueba apropiadamente los parámetros que se le pasan. Como resultado, los usuarios no autenticados podrían eliminar opciones arbitrarias del blog, haciéndolo inusable
*Credits:
Krzysztof Zając, WPScan
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2022-01-14 CVE Reserved
- 2022-02-28 CVE Published
- 2023-10-12 EPSS Updated
- 2024-08-02 CVE Updated
- 2024-08-02 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-352: Cross-Site Request Forgery (CSRF)
- CWE-862: Missing Authorization
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://wpscan.com/vulnerability/d70c5335-4c01-448d-85fc-f8e75b104351 | 2024-08-02 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Miniorange Search vendor "Miniorange" | Google Authenticator Search vendor "Miniorange" for product "Google Authenticator" | < 5.5 Search vendor "Miniorange" for product "Google Authenticator" and version " < 5.5" | wordpress |
Affected
| ||||||