CVE-2022-0992

CRITICAL

SiteGround Security Optimizer <= 1.2.5 - Unauthenticated Authentication Bypass via 2FA Setup

Title source: llm

Description

The SiteGround Security plugin for WordPress is vulnerable to authentication bypass that allows unauthenticated users to log in as administrative users due to missing identity verification on initial 2FA set-up that allows unauthenticated and unauthorized users to configure 2FA for pending accounts. Upon successful configuration, the attacker is logged in as that user without access to a username/password pair which is the expected first form of authentication. This affects versions up to, and including, 1.2.5.

References (3)

Core 3

Core References

Release Notes, Vendor Advisory

https://plugins.trac.wordpress.org/changeset/2706302

Exploit, Third Party Advisory

https://www.wordfence.com/blog/2022/04/critical-authentication-bypass-vulnerability-patched-in-siteground-security-plugin/

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/6e5c6bf7-a653-4571-9566-574d2bb35c4f?source=cve

Scores

CVSS v3 9.8

EPSS 0.0288

EPSS Percentile 85.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-288 CWE-306

Status published

Products (2)

siteground/Security Optimizer – The All-In-One Protection Plugin < 1.2.5

siteground/security_optimizer < 1.2.6

Published Apr 19, 2022

Tracked Since Feb 18, 2026