Description
WordPress Plugin Google Authenticator-Per User Prompt is prone to a timing attack vulnerability because of an implementation flaw in how the application validates the password for a user account. Exploiting this issue may allow attackers to brute force an application password and gain access to the account. WordPress Plugin Google Authenticator-Per User Prompt version 0.6 is vulnerable; prior versions may also be affected.
Remediation
Update the plugin to version 0.7 or the latest version.
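The flaw class named in the description, shown as an added example (not the plugin's code, which this page does not show): a comparison that stops at the first mismatching byte next to a constant-time form built on PHP's `hash_equals()`. The function names and sample values are hypothetical and constructed for illustration.

```php
<?php
// Added illustration only; not the plugin's code. Function names are hypothetical.

// Weak form: returns at the first differing byte, so the work done (and the
// response time) depends on how many leading bytes of the guess are correct.
// Returns [match, bytes_compared] so the data-dependent work is visible.
function compare_leaky(string $stored, string $supplied): array
{
    $steps = 0;
    if (strlen($stored) !== strlen($supplied)) {
        return [false, $steps];
    }
    for ($i = 0, $n = strlen($stored); $i < $n; $i++) {
        $steps++;
        if ($stored[$i] !== $supplied[$i]) {
            return [false, $steps]; // early exit: timing tracks mismatch position
        }
    }
    return [true, $steps];
}

// Hardened form: HMAC both values under a random per-call key so the compared
// strings always have the same length, then compare with hash_equals(), whose
// running time does not depend on where the inputs differ.
function compare_constant_time(string $stored, string $supplied): bool
{
    $key = random_bytes(32);
    return hash_equals(
        hash_hmac('sha256', $stored, $key, true),
        hash_hmac('sha256', $supplied, $key, true)
    );
}

// Constructed sample values, not real credentials.
$stored = 'abcd efgh ijkl mnop';
$guesses = ['zbcd efgh ijkl mnop', 'abcd efgh ijkl mnoz', $stored];

foreach ($guesses as $guess) {
    [$match, $steps] = compare_leaky($stored, $guess);
    printf(
        "%-20s leaky: match=%s bytes_compared=%2d | constant-time: match=%s\n",
        $guess,
        var_export($match, true),
        $steps,
        var_export(compare_constant_time($stored, $guess), true)
    );
}
```

A constant-time comparison removes the timing signal only; limiting failed attempts per account still matters for the brute-force risk the description mentions.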
References
https://hackerone.com/reports/277534
https://plugins.svn.wordpress.org/google-authenticator-per-user-prompt/trunk/readme.txt