Two Factor Authentication <= 1.3.12 - Disable Two Factor Authentication CSRF



Description
According to the changelog:

"Fix a logged-in CSRF vulnerability reported by Martijn Korse (www.bitnesswise.com). Due to a missing nonce check, if an attacker was able to persuade a personally-targeted victim who was currently logged in to their WordPress account to visit a personally-crafted (for the individual victim) page in the same browser session, then the attacker would be able to de-activate two-factor authentication for the victim on that WordPress site (thus leaving the targeted account protected by the user's password, but not by a second factor - the absence of a request for a TFA code would be apparent on the user's next login). This vulnerability was inherited from the original "Two Factor Auth" plugin that this plugin was forked from, and so is present in all versions before this one."
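The bug class the changelog describes, as an added illustration (not the plugin's own code): a hypothetical "disable TFA for the current user" settings handler without a nonce check, beside the hardened form that ties the request to a WordPress nonce. The action name, meta key and function names are assumptions for the example.

```php
<?php
// Added example, not code from the Two Factor Authentication plugin.
// Hypothetical action name and user-meta key, used for illustration only.
const EXAMPLE_TFA_ACTION = 'example_tfa_disable';
const EXAMPLE_TFA_META   = 'example_tfa_enabled';

// Vulnerable: the handler trusts any POST arriving with the victim's auth
// cookie. The browser attaches that cookie to a cross-site form submission
// too, so nothing here distinguishes the user's own click from a forged one.
function example_tfa_disable_vulnerable() {
    if ( ! is_user_logged_in() ) {
        return;
    }
    if ( isset( $_POST['disable_tfa'] ) ) {
        update_user_meta( get_current_user_id(), EXAMPLE_TFA_META, '0' );
    }
}

// Hardened: the request must carry a nonce generated for this action and
// this user's session. A third-party page cannot obtain that value, so a
// forged request fails wp_verify_nonce() and is rejected with a 403.
function example_tfa_disable_hardened() {
    if ( ! is_user_logged_in() || ! isset( $_POST['disable_tfa'] ) ) {
        return;
    }
    $nonce = isset( $_POST['_wpnonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) )
        : '';
    // wp_verify_nonce() returns false for a missing, expired or forged nonce.
    if ( ! wp_verify_nonce( $nonce, EXAMPLE_TFA_ACTION ) ) {
        wp_die( 'Security check failed.', 'Forbidden', array( 'response' => 403 ) );
    }
    // A nonce proves intent, not authority: keep the capability check as well.
    if ( ! current_user_can( 'read' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }
    update_user_meta( get_current_user_id(), EXAMPLE_TFA_META, '0' );
}

// The matching settings form: wp_nonce_field() emits the hidden _wpnonce
// input (plus a _wp_http_referer field) that the hardened handler checks.
function example_tfa_disable_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( EXAMPLE_TFA_ACTION ); ?>
        <button type="submit" name="disable_tfa" value="1">Disable two-factor authentication</button>
    </form>
    <?php
}
```

Fixing the plugin's own handler in this way is what the changeset linked under References does; check_admin_referer( EXAMPLE_TFA_ACTION ) is the equivalent one-call shorthand for the verify-and-die step.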

Affects Plugin

Fixed in version 1.3.13

References

CVE 2018-20231
URL https://plugins.trac.wordpress.org/changeset/1997568/two-factor-authentication

Classification

Type CSRF
OWASP Top 10 A8: Cross-Site Request Forgery (CSRF)
CWE CWE-352

Miscellaneous

Original Researcher Martijn Korse
Submitter Ryan Dewhurst
Submitter Website https://dewhurstsecurity.com/
Submitter Twitter ethicalhack3r
Views 1090
Verified No
WPVDB ID 9187

Timeline

Publicly Published 2018-12-18 (about 1 month ago)
Added 2019-01-07 (15 days ago)
Last Updated 2019-01-07 (15 days ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.