A critical vulnerability, assigned the identifier CVE-2022-4943, has been discovered in miniOrange's Google Authenticator plugin for WordPress. The vulnerability allows unauthorized users to bypass the authentication process and change the plugin's settings. This could potentially lead to unauthorized access to your WordPress website.

This post will delve into the technical details surrounding this vulnerability, including a code snippet that explains the root cause, links to original references, and information on how the exploit works. As always, we'll provide you with the tools and information necessary to protect your WordPress websites from unauthorized access.

Affected Versions

The vulnerability impacts miniOrange's Google Authenticator plugin versions up to, and including, 5.6.5.

Exploit Details

The issue stems from a missing capability check during the plugin's settings change process, which allows unauthenticated attackers to change the plugin's settings. More specifically, the vulnerability allows attackers to disable the two-factor authentication (2FA) mechanism enforced by the plugin, potentially granting unauthorized access to the administrative backend of the targeted WordPress website.

Code Snippet

Here’s the code snippet for the offending function mo_authenticator_save_settings() within the plugin (located in the miniorange_2fa_settings.php file):

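function mo_authenticator_save_settings() {
    // Runs on every admin_init; only the POSTed 'option' field is inspected.
    if(isset($_POST['option']) && $_POST['option'] == "mo_authenticator_save_settings"){
        // No current_user_can() or nonce check precedes this write.
        // The fallback value is missing from the snippet as published; 0 is assumed here.
        update_option( 'mo2f_activate_plugin', isset( $_POST['mo2f_activate_plugin'] ) ? $_POST['mo2f_activate_plugin'] : 0 );
    }
}
add_action( 'admin_init', 'mo_authenticator_save_settings' );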

As you can see, this code updates the 'mo2f_activate_plugin' setting whenever a POST request carries option=mo_authenticator_save_settings. The function is hooked to admin_init, which WordPress also fires for requests to admin-post.php and admin-ajax.php from visitors who are not logged in. The crucial problem is that there's no capability check before updating the option. Therefore, this function allows an unauthenticated attacker to change the value of 'mo2f_activate_plugin', effectively enabling or disabling the 2FA protection.
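For comparison, here is a hardened form of the same handler, written as an added example for this post; it is not the vendor's 5.6.6 patch and not code from the plugin. The nonce action and field names (`mo2f_save_settings`, `mo2f_nonce`) are hypothetical, and treating the option as a 0/1 flag is an assumption.

```php
<?php
// Added example: hardened variant of the handler shown above (not the vendor's fix).
// Assumption: the settings form emits a nonce with
//   wp_nonce_field( 'mo2f_save_settings', 'mo2f_nonce' );
// Both names are hypothetical.

function mo_authenticator_save_settings_hardened() {
    // Ignore requests that are not submissions of this settings form.
    if ( ! isset( $_POST['option'] )
        || 'mo_authenticator_save_settings' !== $_POST['option'] ) {
        return;
    }

    // admin_init also fires on admin-post.php and admin-ajax.php for
    // logged-out visitors, so authorization has to be checked explicitly.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            'You are not allowed to change these settings.',
            'Forbidden',
            array( 'response' => 403 )
        );
    }

    // Reject forged (CSRF) submissions; check_admin_referer() dies on failure.
    check_admin_referer( 'mo2f_save_settings', 'mo2f_nonce' );

    // Assumption: the option is a boolean flag, so store a strict 0/1
    // instead of writing the raw request value into the database.
    $enabled = empty( $_POST['mo2f_activate_plugin'] ) ? 0 : 1;
    update_option( 'mo2f_activate_plugin', $enabled );
}
add_action( 'admin_init', 'mo_authenticator_save_settings_hardened' );
```

With the capability check in place, a request from a logged-out visitor stops at `wp_die()` with a 403 before `update_option()` is reached, and the nonce check stops a forged request sent through a logged-in administrator's browser.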

Exploit Steps

An attacker can exploit this vulnerability by sending a specially crafted request to the vulnerable WordPress website. Here’s an example of a simple HTTP POST request that would disable the 2FA protection:

POST /wp-admin/admin-post.php HTTP/1.1
Host: target-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 54

action=mo_authenticator_save_settings&mo2f_activate_plugin=

To protect your WordPress site from this vulnerability, you should update miniOrange's Google Authenticator plugin to version 5.6.6 or higher as soon as possible.

Original References

Here are some original references and resources you can consult to learn more about this vulnerability:

1. CVE-2022-4943 on NVD
2. miniOrange's Google Authenticator plugin at WordPress.org

Conclusion

CVE-2022-4943 is a severe vulnerability that affects the miniOrange Google Authenticator plugin for WordPress, potentially allowing unauthenticated attackers to bypass authorization and change plugin settings. By understanding the underlying issue and implementing the recommended security updates, you can effectively secure your website and user data.

Timeline

Published on: 10/20/2023 08:15:00 UTC
Last modified on: 11/07/2023 03:59:00 UTC