PT-2018-15298 · WordPress · Two-Factor Authentication

Martijn Korse · Published 2018-12-19 · Updated 2019-03-15 · CVE-2018-20231

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: WordPress two-factor-authentication plugin, versions prior to 1.3.13

Description: The issue allows remote attackers to disable two-factor authentication (2FA) because the request that changes the setting is not protected by nonce validation (cross-site request forgery). The setting is changed via the tfa_enable_tfa parameter.

Recommendations: For versions prior to 1.3.13, update the two-factor-authentication plugin to version 1.3.13 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable tfa_enable_tfa parameter until the plugin is updated.
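Added example, not the plugin's own code: a hypothetical WordPress settings handler in the vulnerable shape the description implies (the 2FA toggle is saved straight from the POST body with no nonce check) beside the fixed shape, which binds the form to a nonce and verifies it before saving. The action name, nonce field name, user-meta key and hook are assumptions for illustration; only the tfa_enable_tfa parameter comes from the advisory.

```php
<?php
// Added example (hypothetical, not the plugin's code). Assumed names:
// action 'tfa_save_settings', nonce action 'tfa_toggle_action',
// nonce field 'tfa_save_nonce', user meta key 'tfa_enabled'.

// Vulnerable pattern: the handler trusts the POST body with no check that the
// request originated from this site's own form, so a page on another origin that
// submits the same fields while the user is logged in can flip the setting.
function tfa_save_settings_vulnerable() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Not logged in', 403 );
    }
    $enabled = isset( $_POST['tfa_enable_tfa'] ) ? '1' : '0';
    update_user_meta( get_current_user_id(), 'tfa_enabled', $enabled );
    wp_safe_redirect( admin_url( 'profile.php' ) );
    exit;
}

// Fixed pattern, part 1: the form carries a nonce tied to this action and the
// current user's session, emitted by wp_nonce_field().
function tfa_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="tfa_save_settings">
        <?php wp_nonce_field( 'tfa_toggle_action', 'tfa_save_nonce' ); ?>
        <label>
            <input type="checkbox" name="tfa_enable_tfa" value="1">
            Enable two-factor authentication
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Fixed pattern, part 2: check_admin_referer() ends the request with a 403 unless
// $_REQUEST['tfa_save_nonce'] verifies for 'tfa_toggle_action'; a forged form
// cannot supply a valid value because the nonce is per user and per action.
function tfa_save_settings_fixed() {
    check_admin_referer( 'tfa_toggle_action', 'tfa_save_nonce' );
    if ( ! current_user_can( 'read' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    $enabled = isset( $_POST['tfa_enable_tfa'] ) ? '1' : '0';
    update_user_meta( get_current_user_id(), 'tfa_enabled', $enabled );
    wp_safe_redirect( admin_url( 'profile.php' ) );
    exit;
}
add_action( 'admin_post_tfa_save_settings', 'tfa_save_settings_fixed' );
```

Detection-wise, a request to the save endpoint that lacks the nonce field, or whose Referer/Origin is not the site's own admin pages, is the signal to look for in access logs while the plugin is still unpatched.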

Exploit · Fix · CSRF


Weakness Enumeration

Related Identifiers: CVE-2018-20231
Affected Products: Two-Factor Authentication