← back
CVE-2022-0875

miniOrange Google Authenticator < 1.0.5 - CSRF to Stored Cross-Site Scripting

EPSS 0.4%CWE-352
Vexday Risk Score
3Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS EPSS 0.4%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
27 Jun 2022Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The Google Authenticator WordPress plugin before 1.0.5 does not have CSRF check when saving its settings, and does not sanitise as well as escape them, allowing attackers to make a logged in admin change them and perform Cross-Site Scripting attacks
Affected products
Unknown · Google Authenticator

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://wpscan.com/vulnerability/fefc1411-594d-465b-aeb9-78c141b23762