← voltar
CVE-2022-0992

SiteGround Security <= 1.2.5 - Authentication Bypass via 2FA Setup

CVSS 9.8 CRITICALEPSS 2.9%CWE-288CWE-306
The SiteGround Security plugin for WordPress is vulnerable to authentication bypass that allows unauthenticated users to log in as administrative users due to missing identity verification on initial 2FA set-up that allows unauthenticated and unauthorized users to configure 2FA for pending accounts. Upon successful configuration, the attacker is logged in as that user without access to a username/password pair which is the expected first form of authentication. This affects versions up to, and including, 1.2.5.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Produtos afetados
siteground · Security Optimizer – The All-In-One Protection Plugin

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://plugins.trac.wordpress.org/changeset/2706302https://www.wordfence.com/blog/2022/04/critical-authentication-bypass-vulnerability-patched-in-siteground-security-plugin/https://www.wordfence.com/threat-intel/vulnerabilities/id/6e5c6bf7-a653-4571-9566-574d2bb35c4f?source=cve