CVE-2022-0229 - OpenCVE

The miniOrange's Google Authenticator WordPress plugin before 5.5 does not have proper authorisation and CSRF checks when handling the reconfigureMethod, and does not validate the parameters passed to it properly. As a result, unauthenticated users could delete arbitrary options from the blog, making it unusable.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:N/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Miniorange	Google Authenticator

Configuration 1 [-]

cpe:2.3:a:miniorange:google_authenticator:*:*:*:*:*:wordpress:*:*

References

Link	Resource
https://wpscan.com/vulnerability/d70c5335-4c01-448d-85fc-f8e75b104351	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: WPScan

Published: 2022-03-21T18:55:42

Updated: 2023-07-24T09:24:30.129Z

Reserved: 2022-01-14T00:00:00

Link: CVE-2022-0229

JSON object: View

NVD Information

Status : Modified

Published: 2022-03-21T19:15:10.180

Modified: 2023-11-07T03:41:10.007

Link: CVE-2022-0229

JSON object: View

Redhat Information

No data.

CWE

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:miniorange:google_authenticator:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "8191C29A-60DC-4534-8B8D-D5EE6F44AF84", "versionEndExcluding": "5.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The miniOrange's Google Authenticator WordPress plugin before 5.5 does not have proper authorisation and CSRF checks when handling the reconfigureMethod, and does not validate the parameters passed to it properly. As a result, unauthenticated users could delete arbitrary options from the blog, making it unusable."}, {"lang": "es", "value": "El plugin Google Authenticator de miniOrange de WordPress versiones anteriores a 5.5, no presenta comprobaciones apropiadas de autorizaci\u00f3n y de tipo CSRF cuando maneja el reconfigureMethod, y no comprueba apropiadamente los par\u00e1metros que se le pasan. Como resultado, los usuarios no autenticados podr\u00edan eliminar opciones arbitrarias del blog, haci\u00e9ndolo inusable"}], "id": "CVE-2022-0229", "lastModified": "2023-11-07T03:41:10.007", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-21T19:15:10.180", "references": [{"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/d70c5335-4c01-448d-85fc-f8e75b104351"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}, {"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}