12 vulnerabilities found for google_authenticator by miniorange
CVE-2022-44589 (GCVE-0-2022-44589)
Vulnerability from nvd – Published: 2023-12-29 09:40 – Updated: 2025-04-17 20:20
Title
WordPress miniOrange's Google Authenticator Plugin <= 5.6.1 is vulnerable to Sensitive Data Exposure
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in miniOrange miniOrange's Google Authenticator – WordPress Two Factor Authentication – 2FA , Two Factor, OTP SMS and Email | Passwordless login. This issue affects miniOrange's Google Authenticator – WordPress Two Factor Authentication – 2FA , Two Factor, OTP SMS and Email | Passwordless login: from n/a through 5.6.1.
Severity ?
8.1 (High)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| miniOrange | miniOrange's Google Authenticator – WordPress Two Factor Authentication – 2FA , Two Factor, OTP SMS and Email | Passwordless login |
Affected:
n/a , ≤ 5.6.1
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:54:03.908Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/miniorange-2-factor-authentication/wordpress-miniorange-two-factor-authentication-plugin-5-6-1-sensitive-data-exposure-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-44589",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-03T16:14:51.806540Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-17T20:20:11.972Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "miniorange-2-factor-authentication",
"product": "miniOrange\u0027s Google Authenticator \u2013 WordPress Two Factor Authentication \u2013 2FA , Two Factor, OTP SMS and Email | Passwordless login",
"vendor": "miniOrange",
"versions": [
{
"changes": [
{
"at": "5.6.2",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.6.1",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Calvin Alkan (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in miniOrange miniOrange\u0027s Google Authenticator \u2013 WordPress Two Factor Authentication \u2013 2FA , Two Factor, OTP SMS and Email | Passwordless login.\u003cp\u003eThis issue affects miniOrange\u0027s Google Authenticator \u2013 WordPress Two Factor Authentication \u2013 2FA , Two Factor, OTP SMS and Email | Passwordless login: from n/a through 5.6.1.\u003c/p\u003e"
}
],
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in miniOrange miniOrange\u0027s Google Authenticator \u2013 WordPress Two Factor Authentication \u2013 2FA , Two Factor, OTP SMS and Email | Passwordless login.This issue affects miniOrange\u0027s Google Authenticator \u2013 WordPress Two Factor Authentication \u2013 2FA , Two Factor, OTP SMS and Email | Passwordless login: from n/a through 5.6.1.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-29T09:40:07.425Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/miniorange-2-factor-authentication/wordpress-miniorange-two-factor-authentication-plugin-5-6-1-sensitive-data-exposure-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u0026nbsp;5.6.2 or a higher version."
}
],
"value": "Update to\u00a05.6.2 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress miniOrange\u0027s Google Authenticator Plugin \u003c= 5.6.1 is vulnerable to Sensitive Data Exposure",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-44589",
"datePublished": "2023-12-29T09:40:07.425Z",
"dateReserved": "2022-11-01T19:51:27.397Z",
"dateUpdated": "2025-04-17T20:20:11.972Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-4943 (GCVE-0-2022-4943)
Vulnerability from nvd – Published: 2023-10-20 07:29 – Updated: 2026-04-08 17:00
Title
miniOrange's Google Authenticator <= 5.6.5 - Missing Authorization to Plugin Settings Change
Summary
The miniOrange's Google Authenticator plugin for WordPress is vulnerable to authorization bypass due to a missing capability check when changing plugin settings in versions up to, and including, 5.6.5. This makes it possible for unauthenticated attackers to change the plugin's settings.
Severity ?
7.5 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| cyberlord92 | miniOrange 2FA – Two-Factor Authentication for WordPress (SMS, Email & Google Authenticator) |
Affected:
0 , ≤ 5.6.5
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:55:46.044Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7267ede1-7745-47cc-ac0d-4362140b4c23?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=2842228%40miniorange-2-factor-authentication%2Ftrunk\u0026old=2815645%40miniorange-2-factor-authentication%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-4943",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-16T18:14:40.722825Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-16T18:14:57.040Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "miniOrange 2FA \u2013 Two-Factor Authentication for WordPress (SMS, Email \u0026 Google Authenticator)",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "5.6.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ramuel Gall"
}
],
"descriptions": [
{
"lang": "en",
"value": "The miniOrange\u0027s Google Authenticator plugin for WordPress is vulnerable to authorization bypass due to a missing capability check when changing plugin settings in versions up to, and including, 5.6.5. This makes it possible for unauthenticated attackers to change the plugin\u0027s settings."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:00:44.475Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7267ede1-7745-47cc-ac0d-4362140b4c23?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=2842228%40miniorange-2-factor-authentication%2Ftrunk\u0026old=2815645%40miniorange-2-factor-authentication%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2023-04-19T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "miniOrange\u0027s Google Authenticator \u003c= 5.6.5 - Missing Authorization to Plugin Settings Change"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2022-4943",
"datePublished": "2023-10-20T07:29:21.001Z",
"dateReserved": "2023-04-19T14:13:49.149Z",
"dateUpdated": "2026-04-08T17:00:44.475Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-42461 (GCVE-0-2022-42461)
Vulnerability from nvd – Published: 2022-11-18 19:06 – Updated: 2025-02-20 19:52
Title
WordPress miniOrange's Google Authenticator plugin <= 5.6.1 - Broken Access Control vulnerability
Summary
Broken Access Control vulnerability in miniOrange's Google Authenticator plugin <= 5.6.1 on WordPress.
Severity ?
5.4 (Medium)
CWE
- CWE-264 - Permissions, Privileges, and Access Controls
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| miniOrange | miniOrange's Google Authenticator (WordPress plugin) |
Affected:
<= 5.6.1 , ≤ 5.6.1
(custom)
|
Date Public ?
2022-10-31 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:10:40.871Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/miniorange-2-factor-authentication/wordpress-miniorange-s-google-authenticator-plugin-5-6-1-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-42461",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T19:20:17.948428Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T19:52:10.497Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "miniOrange\u0027s Google Authenticator (WordPress plugin)",
"vendor": "miniOrange",
"versions": [
{
"lessThanOrEqual": "5.6.1",
"status": "affected",
"version": "\u003c= 5.6.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vulnerability discovered by Lana Codes (Patchstack Alliance)"
}
],
"datePublic": "2022-10-31T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Broken Access Control vulnerability in miniOrange\u0027s Google Authenticator plugin \u003c= 5.6.1 on WordPress."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-264",
"description": "CWE-264 Permissions, Privileges, and Access Controls",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-18T00:00:00.000Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"url": "https://patchstack.com/database/vulnerability/miniorange-2-factor-authentication/wordpress-miniorange-s-google-authenticator-plugin-5-6-1-broken-access-control-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 5.6.2 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress miniOrange\u0027s Google Authenticator plugin \u003c= 5.6.1 - Broken Access Control vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-42461",
"datePublished": "2022-11-18T19:06:13.058Z",
"dateReserved": "2022-10-19T00:00:00.000Z",
"dateUpdated": "2025-02-20T19:52:10.497Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1321 (GCVE-0-2022-1321)
Vulnerability from nvd – Published: 2022-06-27 08:56 – Updated: 2024-08-03 00:03
Title
miniOrange's Google Authenticator < 5.5.6 - Admin+ Stored Cross-Site Scripting
Summary
The miniOrange's Google Authenticator WordPress plugin before 5.5.6 does not sanitise and escape some of its settings, which allows malicious users with administrator privileges to store malicious JavaScript code, leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example, in a multisite setup).
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | miniOrange's Google Authenticator – WordPress Two Factor Authentication (2FA , Two Factor, OTP SMS and Email) | Passwordless login |
Affected:
5.5.6 , < 5.5.6
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:03:05.439Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/b8784995-0deb-4c83-959f-52b37881e05c"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "miniOrange\u0027s Google Authenticator \u2013 WordPress Two Factor Authentication (2FA , Two Factor, OTP SMS and Email) | Passwordless login",
"vendor": "Unknown",
"versions": [
{
"lessThan": "5.5.6",
"status": "affected",
"version": "5.5.6",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Niraj Mahajan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The miniOrange\u0027s Google Authenticator WordPress plugin before 5.5.6 does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious Javascript code leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example in multisite setup)"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-27T08:56:27.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/b8784995-0deb-4c83-959f-52b37881e05c"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "miniOrange\u0027s Google Authenticator \u003c 5.5.6 - Admin+ Stored Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-1321",
"STATE": "PUBLIC",
"TITLE": "miniOrange\u0027s Google Authenticator \u003c 5.5.6 - Admin+ Stored Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "miniOrange\u0027s Google Authenticator \u2013 WordPress Two Factor Authentication (2FA , Two Factor, OTP SMS and Email) | Passwordless login",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "5.5.6",
"version_value": "5.5.6"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Niraj Mahajan"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The miniOrange\u0027s Google Authenticator WordPress plugin before 5.5.6 does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious Javascript code leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example in multisite setup)"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/b8784995-0deb-4c83-959f-52b37881e05c",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/b8784995-0deb-4c83-959f-52b37881e05c"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-1321",
"datePublished": "2022-06-27T08:56:28.000Z",
"dateReserved": "2022-04-12T00:00:00.000Z",
"dateUpdated": "2024-08-03T00:03:05.439Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0875 (GCVE-0-2022-0875)
Vulnerability from nvd – Published: 2022-06-27 08:55 – Updated: 2024-08-02 23:40
Title
miniOrange Google Authenticator < 1.0.5 - CSRF to Stored Cross-Site Scripting
Summary
The Google Authenticator WordPress plugin before 1.0.5 does not have a CSRF check when saving its settings, and neither sanitises nor escapes them, allowing attackers to make a logged-in admin change them and perform Cross-Site Scripting attacks.
Severity ?
No CVSS data available.
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Google Authenticator |
Affected:
1.0.5 , < 1.0.5
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:40:04.480Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/fefc1411-594d-465b-aeb9-78c141b23762"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Google Authenticator",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.0.5",
"status": "affected",
"version": "1.0.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Niraj Mahajan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Google Authenticator WordPress plugin before 1.0.5 does not have CSRF check when saving its settings, and does not sanitise as well as escape them, allowing attackers to make a logged in admin change them and perform Cross-Site Scripting attacks"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-27T08:55:54.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/fefc1411-594d-465b-aeb9-78c141b23762"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "miniOrange Google Authenticator \u003c 1.0.5 - CSRF to Stored Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-0875",
"STATE": "PUBLIC",
"TITLE": "miniOrange Google Authenticator \u003c 1.0.5 - CSRF to Stored Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Google Authenticator",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.0.5",
"version_value": "1.0.5"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Niraj Mahajan"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Google Authenticator WordPress plugin before 1.0.5 does not have CSRF check when saving its settings, and does not sanitise as well as escape them, allowing attackers to make a logged in admin change them and perform Cross-Site Scripting attacks"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352 Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/fefc1411-594d-465b-aeb9-78c141b23762",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/fefc1411-594d-465b-aeb9-78c141b23762"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-0875",
"datePublished": "2022-06-27T08:55:54.000Z",
"dateReserved": "2022-03-07T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:40:04.480Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0229 (GCVE-0-2022-0229)
Vulnerability from nvd – Published: 2022-03-21 18:55 – Updated: 2024-08-02 23:18
Title
miniOrange's Google Authenticator < 5.5 - Unauthenticated Arbitrary Options Deletion
Summary
The miniOrange's Google Authenticator WordPress plugin before 5.5 does not have proper authorisation and CSRF checks when handling the reconfigureMethod, and does not validate the parameters passed to it properly. As a result, unauthenticated users could delete arbitrary options from the blog, making it unusable.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | miniOrange's Google Authenticator |
Affected:
0 , < 5.5
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:18:42.888Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/d70c5335-4c01-448d-85fc-f8e75b104351"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"product": "miniOrange\u0027s Google Authenticator",
"vendor": "Unknown",
"versions": [
{
"lessThan": "5.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Krzysztof Zaj\u0105c"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The miniOrange\u0027s Google Authenticator WordPress plugin before 5.5 does not have proper authorisation and CSRF checks when handling the reconfigureMethod, and does not validate the parameters passed to it properly. As a result, unauthenticated users could delete arbitrary options from the blog, making it unusable."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-24T09:24:30.129Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/d70c5335-4c01-448d-85fc-f8e75b104351"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "miniOrange\u0027s Google Authenticator \u003c 5.5 - Unauthenticated Arbitrary Options Deletion",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-0229",
"datePublished": "2022-03-21T18:55:42.000Z",
"dateReserved": "2022-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:18:42.888Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-44589 (GCVE-0-2022-44589)
Vulnerability from cvelistv5 – Published: 2023-12-29 09:40 – Updated: 2025-04-17 20:20
Title
WordPress miniOrange's Google Authenticator Plugin <= 5.6.1 is vulnerable to Sensitive Data Exposure
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in miniOrange miniOrange's Google Authenticator – WordPress Two Factor Authentication – 2FA , Two Factor, OTP SMS and Email | Passwordless login. This issue affects miniOrange's Google Authenticator – WordPress Two Factor Authentication – 2FA , Two Factor, OTP SMS and Email | Passwordless login: from n/a through 5.6.1.
Severity ?
8.1 (High)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| miniOrange | miniOrange's Google Authenticator – WordPress Two Factor Authentication – 2FA , Two Factor, OTP SMS and Email | Passwordless login |
Affected:
n/a , ≤ 5.6.1
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:54:03.908Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/miniorange-2-factor-authentication/wordpress-miniorange-two-factor-authentication-plugin-5-6-1-sensitive-data-exposure-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-44589",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-03T16:14:51.806540Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-17T20:20:11.972Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "miniorange-2-factor-authentication",
"product": "miniOrange\u0027s Google Authenticator \u2013 WordPress Two Factor Authentication \u2013 2FA , Two Factor, OTP SMS and Email | Passwordless login",
"vendor": "miniOrange",
"versions": [
{
"changes": [
{
"at": "5.6.2",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.6.1",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Calvin Alkan (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in miniOrange miniOrange\u0027s Google Authenticator \u2013 WordPress Two Factor Authentication \u2013 2FA , Two Factor, OTP SMS and Email | Passwordless login.\u003cp\u003eThis issue affects miniOrange\u0027s Google Authenticator \u2013 WordPress Two Factor Authentication \u2013 2FA , Two Factor, OTP SMS and Email | Passwordless login: from n/a through 5.6.1.\u003c/p\u003e"
}
],
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in miniOrange miniOrange\u0027s Google Authenticator \u2013 WordPress Two Factor Authentication \u2013 2FA , Two Factor, OTP SMS and Email | Passwordless login.This issue affects miniOrange\u0027s Google Authenticator \u2013 WordPress Two Factor Authentication \u2013 2FA , Two Factor, OTP SMS and Email | Passwordless login: from n/a through 5.6.1.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-29T09:40:07.425Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/miniorange-2-factor-authentication/wordpress-miniorange-two-factor-authentication-plugin-5-6-1-sensitive-data-exposure-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u0026nbsp;5.6.2 or a higher version."
}
],
"value": "Update to\u00a05.6.2 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress miniOrange\u0027s Google Authenticator Plugin \u003c= 5.6.1 is vulnerable to Sensitive Data Exposure",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-44589",
"datePublished": "2023-12-29T09:40:07.425Z",
"dateReserved": "2022-11-01T19:51:27.397Z",
"dateUpdated": "2025-04-17T20:20:11.972Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-4943 (GCVE-0-2022-4943)
Vulnerability from cvelistv5 – Published: 2023-10-20 07:29 – Updated: 2026-04-08 17:00
Title
miniOrange's Google Authenticator <= 5.6.5 - Missing Authorization to Plugin Settings Change
Summary
The miniOrange's Google Authenticator plugin for WordPress is vulnerable to authorization bypass due to a missing capability check when changing plugin settings in versions up to, and including, 5.6.5. This makes it possible for unauthenticated attackers to change the plugin's settings.
Severity ?
7.5 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| cyberlord92 | miniOrange 2FA – Two-Factor Authentication for WordPress (SMS, Email & Google Authenticator) |
Affected:
0 , ≤ 5.6.5
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:55:46.044Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7267ede1-7745-47cc-ac0d-4362140b4c23?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=2842228%40miniorange-2-factor-authentication%2Ftrunk\u0026old=2815645%40miniorange-2-factor-authentication%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-4943",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-16T18:14:40.722825Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-16T18:14:57.040Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "miniOrange 2FA \u2013 Two-Factor Authentication for WordPress (SMS, Email \u0026 Google Authenticator)",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "5.6.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ramuel Gall"
}
],
"descriptions": [
{
"lang": "en",
"value": "The miniOrange\u0027s Google Authenticator plugin for WordPress is vulnerable to authorization bypass due to a missing capability check when changing plugin settings in versions up to, and including, 5.6.5. This makes it possible for unauthenticated attackers to change the plugin\u0027s settings."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:00:44.475Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7267ede1-7745-47cc-ac0d-4362140b4c23?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=2842228%40miniorange-2-factor-authentication%2Ftrunk\u0026old=2815645%40miniorange-2-factor-authentication%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2023-04-19T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "miniOrange\u0027s Google Authenticator \u003c= 5.6.5 - Missing Authorization to Plugin Settings Change"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2022-4943",
"datePublished": "2023-10-20T07:29:21.001Z",
"dateReserved": "2023-04-19T14:13:49.149Z",
"dateUpdated": "2026-04-08T17:00:44.475Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-42461 (GCVE-0-2022-42461)
Vulnerability from cvelistv5 – Published: 2022-11-18 19:06 – Updated: 2025-02-20 19:52
Title
WordPress miniOrange's Google Authenticator plugin <= 5.6.1 - Broken Access Control vulnerability
Summary
Broken Access Control vulnerability in miniOrange's Google Authenticator plugin <= 5.6.1 on WordPress.
Severity ?
5.4 (Medium)
CWE
- CWE-264 - Permissions, Privileges, and Access Controls
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| miniOrange | miniOrange's Google Authenticator (WordPress plugin) | Affected: <= 5.6.1 , ≤ 5.6.1 (custom) |
Date Public ?
2022-10-31 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:10:40.871Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/miniorange-2-factor-authentication/wordpress-miniorange-s-google-authenticator-plugin-5-6-1-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-42461",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T19:20:17.948428Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T19:52:10.497Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "miniOrange\u0027s Google Authenticator (WordPress plugin)",
"vendor": "miniOrange",
"versions": [
{
"lessThanOrEqual": "5.6.1",
"status": "affected",
"version": "\u003c= 5.6.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vulnerability discovered by Lana Codes (Patchstack Alliance)"
}
],
"datePublic": "2022-10-31T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Broken Access Control vulnerability in miniOrange\u0027s Google Authenticator plugin \u003c= 5.6.1 on WordPress."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-264",
"description": "CWE-264 Permissions, Privileges, and Access Controls",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-18T00:00:00.000Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"url": "https://patchstack.com/database/vulnerability/miniorange-2-factor-authentication/wordpress-miniorange-s-google-authenticator-plugin-5-6-1-broken-access-control-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 5.6.2 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress miniOrange\u0027s Google Authenticator plugin \u003c= 5.6.1 - Broken Access Control vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-42461",
"datePublished": "2022-11-18T19:06:13.058Z",
"dateReserved": "2022-10-19T00:00:00.000Z",
"dateUpdated": "2025-02-20T19:52:10.497Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1321 (GCVE-0-2022-1321)
Vulnerability from cvelistv5 – Published: 2022-06-27 08:56 – Updated: 2024-08-03 00:03
Title
miniOrange's Google Authenticator < 5.5.6 - Admin+ Stored Cross-Site Scripting
Summary
The miniOrange's Google Authenticator WordPress plugin before 5.5.6 does not sanitise and escape some of its settings, which could allow users with administrator privileges to store malicious JavaScript code and perform Cross-Site Scripting attacks even when unfiltered_html is disallowed (for example, in a multisite setup).
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Unknown | miniOrange's Google Authenticator – WordPress Two Factor Authentication (2FA , Two Factor, OTP SMS and Email) \| Passwordless login | Affected: 5.5.6 , < 5.5.6 (custom) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:03:05.439Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/b8784995-0deb-4c83-959f-52b37881e05c"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "miniOrange\u0027s Google Authenticator \u2013 WordPress Two Factor Authentication (2FA , Two Factor, OTP SMS and Email) | Passwordless login",
"vendor": "Unknown",
"versions": [
{
"lessThan": "5.5.6",
"status": "affected",
"version": "5.5.6",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Niraj Mahajan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The miniOrange\u0027s Google Authenticator WordPress plugin before 5.5.6 does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious Javascript code leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example in multisite setup)"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-27T08:56:27.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/b8784995-0deb-4c83-959f-52b37881e05c"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "miniOrange\u0027s Google Authenticator \u003c 5.5.6 - Admin+ Stored Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-1321",
"STATE": "PUBLIC",
"TITLE": "miniOrange\u0027s Google Authenticator \u003c 5.5.6 - Admin+ Stored Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "miniOrange\u0027s Google Authenticator \u2013 WordPress Two Factor Authentication (2FA , Two Factor, OTP SMS and Email) | Passwordless login",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "5.5.6",
"version_value": "5.5.6"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Niraj Mahajan"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The miniOrange\u0027s Google Authenticator WordPress plugin before 5.5.6 does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious Javascript code leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example in multisite setup)"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/b8784995-0deb-4c83-959f-52b37881e05c",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/b8784995-0deb-4c83-959f-52b37881e05c"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-1321",
"datePublished": "2022-06-27T08:56:28.000Z",
"dateReserved": "2022-04-12T00:00:00.000Z",
"dateUpdated": "2024-08-03T00:03:05.439Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0875 (GCVE-0-2022-0875)
Vulnerability from cvelistv5 – Published: 2022-06-27 08:55 – Updated: 2024-08-02 23:40
Title
miniOrange Google Authenticator < 1.0.5 - CSRF to Stored Cross-Site Scripting
Summary
The Google Authenticator WordPress plugin before 1.0.5 does not have a CSRF check when saving its settings, and neither sanitises nor escapes them, allowing attackers to make a logged-in admin change them and perform Cross-Site Scripting attacks.
Severity ?
No CVSS data available.
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Unknown | Google Authenticator | Affected: 1.0.5 , < 1.0.5 (custom) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:40:04.480Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/fefc1411-594d-465b-aeb9-78c141b23762"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Google Authenticator",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.0.5",
"status": "affected",
"version": "1.0.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Niraj Mahajan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Google Authenticator WordPress plugin before 1.0.5 does not have CSRF check when saving its settings, and does not sanitise as well as escape them, allowing attackers to make a logged in admin change them and perform Cross-Site Scripting attacks"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-27T08:55:54.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/fefc1411-594d-465b-aeb9-78c141b23762"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "miniOrange Google Authenticator \u003c 1.0.5 - CSRF to Stored Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-0875",
"STATE": "PUBLIC",
"TITLE": "miniOrange Google Authenticator \u003c 1.0.5 - CSRF to Stored Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Google Authenticator",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.0.5",
"version_value": "1.0.5"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Niraj Mahajan"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Google Authenticator WordPress plugin before 1.0.5 does not have CSRF check when saving its settings, and does not sanitise as well as escape them, allowing attackers to make a logged in admin change them and perform Cross-Site Scripting attacks"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352 Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/fefc1411-594d-465b-aeb9-78c141b23762",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/fefc1411-594d-465b-aeb9-78c141b23762"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-0875",
"datePublished": "2022-06-27T08:55:54.000Z",
"dateReserved": "2022-03-07T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:40:04.480Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0229 (GCVE-0-2022-0229)
Vulnerability from cvelistv5 – Published: 2022-03-21 18:55 – Updated: 2024-08-02 23:18
Title
miniOrange's Google Authenticator < 5.5 - Unauthenticated Arbitrary Options Deletion
Summary
The miniOrange's Google Authenticator WordPress plugin before 5.5 does not have proper authorisation and CSRF checks when handling the reconfigureMethod, and does not validate the parameters passed to it properly. As a result, unauthenticated users could delete arbitrary options from the blog, making it unusable.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Unknown | miniOrange's Google Authenticator | Affected: 0 , < 5.5 (custom) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:18:42.888Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/d70c5335-4c01-448d-85fc-f8e75b104351"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"product": "miniOrange\u0027s Google Authenticator",
"vendor": "Unknown",
"versions": [
{
"lessThan": "5.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Krzysztof Zaj\u0105c"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The miniOrange\u0027s Google Authenticator WordPress plugin before 5.5 does not have proper authorisation and CSRF checks when handling the reconfigureMethod, and does not validate the parameters passed to it properly. As a result, unauthenticated users could delete arbitrary options from the blog, making it unusable."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-24T09:24:30.129Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/d70c5335-4c01-448d-85fc-f8e75b104351"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "miniOrange\u0027s Google Authenticator \u003c 5.5 - Unauthenticated Arbitrary Options Deletion",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-0229",
"datePublished": "2022-03-21T18:55:42.000Z",
"dateReserved": "2022-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:18:42.888Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}