The SiteGround Security plugin for WordPress is vulnerable to authentication bypass that allows unauthenticated users to log in as administrative users due to missing identity verification on initial 2FA set-up that allows unauthenticated and unauthorized users to configure 2FA for pending accounts. Upon successful configuration, the attacker is logged in as that user without access to a username/password pair which is the expected first form of authentication. This affects versions up to, and including, 1.2.5.
References
Link | Resource |
---|---|
https://plugins.trac.wordpress.org/changeset/2706302 | Release Notes Vendor Advisory |
https://www.wordfence.com/blog/2022/04/critical-authentication-bypass-vulnerability-patched-in-siteground-security-plugin/ | Exploit Third Party Advisory |
https://www.wordfence.com/threat-intel/vulnerabilities/id/6e5c6bf7-a653-4571-9566-574d2bb35c4f?source=cve | Third Party Advisory |
Configurations
History
24 Oct 2023, 20:10
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://www.wordfence.com/threat-intel/vulnerabilities/id/6e5c6bf7-a653-4571-9566-574d2bb35c4f?source=cve - Third Party Advisory | |
First Time |
Siteground security Optimizer
|
|
CPE | cpe:2.3:a:siteground:security_optimizer:*:*:*:*:*:wordpress:*:* |
20 Oct 2023, 16:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
21 Jul 2023, 17:12
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-306 |
Information
Published : 2022-04-19 21:15
Updated : 2024-02-28 19:09
NVD link : CVE-2022-0992
Mitre link : CVE-2022-0992
CVE.ORG link : CVE-2022-0992
JSON object : View
Products Affected
siteground
- security_optimizer
CWE
CWE-306
Missing Authentication for Critical Function