CVE-2022-0992

Name of the Vulnerable Software and Affected Versions SiteGround Security plugin for WordPress versions up to, and including, 1.2.5

Description The issue allows unauthenticated users to log in as administrative users due to missing identity verification on initial 2FA set-up. This enables unauthenticated and unauthorized users to configure 2FA for pending accounts. Upon successful configuration, the attacker is logged in as that user without access to a username/password pair, which is the expected first form of authentication.

Recommendations For versions up to, and including, 1.2.5, update to a version that includes a fix for this issue to prevent authentication bypass. As a temporary workaround, consider disabling the 2FA set-up feature until a patch is available.