CVE-2022-0993

HIGH

SiteGround Security < 1.2.5 - Unauthenticated Authentication Bypass via 2FA Backup Code

Title source: llm

Description

The SiteGround Security plugin for WordPress is vulnerable to authentication bypass that allows unauthenticated users to log in as administrative users due to missing identity verification on the 2FA back-up code implementation that logs users in upon success. This affects versions up to, and including, 1.2.5.

References (3)

Core 3

Core References

Release Notes, Vendor Advisory

https://plugins.trac.wordpress.org/changeset/2706302

Third Party Advisory

https://www.wordfence.com/blog/2022/04/critical-authentication-bypass-vulnerability-patched-in-siteground-security-plugin/

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/8e3a5566-eee5-4f71-9c93-e59abf913d04?source=cve

Scores

CVSS v3 8.1

EPSS 0.0747

EPSS Percentile 93.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-285 CWE-306

Status published

Products (2)

siteground/Security Optimizer – The All-In-One Protection Plugin < 1.2.5

siteground/siteground_security < 1.2.5

Published Apr 19, 2022

Tracked Since Feb 18, 2026