The WP 2FA – Two-factor authentication for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.5.0 via the send_backup_codes_email due to missing validation on a user controlled key. This makes it possible for subscriber-level attackers to email arbitrary users on the site.
References
Configurations
History
21 Nov 2024, 08:43
Type | Values Removed | Values Added |
---|---|---|
References | () https://plugins.trac.wordpress.org/browser/wp-2fa/trunk/includes/classes/Admin/class-setup-wizard.php?rev=2940688#L606 - Third Party Advisory | |
References | () https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3009922%40wp-2fa&new=3009922%40wp-2fa&sfp_email=&sfph_mail= - Patch | |
References | () https://www.wordfence.com/threat-intel/vulnerabilities/id/caff9be6-4161-47a0-ba47-6c8fc0c4ab40?source=cve - Product, Third Party Advisory |
16 Jan 2024, 23:56
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-01-11 07:15
Updated : 2024-11-21 08:43
NVD link : CVE-2023-6506
Mitre link : CVE-2023-6506
CVE.ORG link : CVE-2023-6506
JSON object : View
Products Affected
wpwhitesecurity
- wp_2fa
CWE
CWE-732
Incorrect Permission Assignment for Critical Resource