CVE-2022-0229

HIGH

miniOrange's Google Authenticator WordPress <5.5 - CSRF

Description

The miniOrange's Google Authenticator WordPress plugin before 5.5 lacks proper authorisation and CSRF checks when handling the reconfigureMethod, and does not properly validate the parameters passed to it. As a result, unauthenticated users could delete arbitrary options from the blog, making it unusable.

References (1)

Exploit, Third Party Advisory exploit vdb-entry technical-description
https://wpscan.com/vulnerability/d70c5335-4c01-448d-85fc-f8e75b104351

Scores

CVSS v3: 8.1
EPSS: 0.0054
EPSS Percentile: 41.3%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Details

CWE: CWE-352, CWE-862
Status: published
Products (1): miniorange/google_authenticator < 5.5
Published: Mar 21, 2022
Tracked Since: Feb 18, 2026