CVE-2023-6506

The WP 2FA – Two-factor authentication for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.5.0 via the send_backup_codes_email due to missing validation on a user controlled key. This makes it possible for subscriber-level attackers to email arbitrary users on the site.
Configurations

Configuration 1 (hide)

cpe:2.3:a:wpwhitesecurity:wp_2fa:*:*:*:*:*:wordpress:*:*

History

21 Nov 2024, 08:43

Type Values Removed Values Added
References () https://plugins.trac.wordpress.org/browser/wp-2fa/trunk/includes/classes/Admin/class-setup-wizard.php?rev=2940688#L606 - Third Party Advisory () https://plugins.trac.wordpress.org/browser/wp-2fa/trunk/includes/classes/Admin/class-setup-wizard.php?rev=2940688#L606 - Third Party Advisory
References () https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3009922%40wp-2fa&new=3009922%40wp-2fa&sfp_email=&sfph_mail= - Patch () https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3009922%40wp-2fa&new=3009922%40wp-2fa&sfp_email=&sfph_mail= - Patch
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/caff9be6-4161-47a0-ba47-6c8fc0c4ab40?source=cve - Product, Third Party Advisory () https://www.wordfence.com/threat-intel/vulnerabilities/id/caff9be6-4161-47a0-ba47-6c8fc0c4ab40?source=cve - Product, Third Party Advisory

16 Jan 2024, 23:56

Type Values Removed Values Added
New CVE

Information

Published : 2024-01-11 07:15

Updated : 2024-11-21 08:43


NVD link : CVE-2023-6506

Mitre link : CVE-2023-6506

CVE.ORG link : CVE-2023-6506


JSON object : View

Products Affected

wpwhitesecurity

  • wp_2fa
CWE
CWE-732

Incorrect Permission Assignment for Critical Resource