vulnerability
WordPress Plugin: miniorange-2-factor-authentication: CVE-2022-0229: Missing Authorization
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 6 | (AV:N/AC:M/Au:N/C:N/I:P/A:P) | Feb 28, 2022 | May 15, 2025 | May 4, 2026 |
Severity
6
CVSS
(AV:N/AC:M/Au:N/C:N/I:P/A:P)
Published
Feb 28, 2022
Added
May 15, 2025
Modified
May 4, 2026
Description
The miniOrange's Google Authenticator WordPress plugin before 5.5 does not have proper authorisation and CSRF checks when handling the reconfigureMethod, and does not validate the parameters passed to it properly. As a result, unauthenticated users could delete arbitrary options from the blog, making it unusable.
Solution
miniorange-2-factor-authentication-plugin-cve-2022-0229
References
- https://www.cve.org/CVERecord?id=CVE-2022-0229
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f53875aa-9347-464c-aaeb-e8248628fca2?source=api-prod
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2022-15426
- CVE-2022-0229
- https://attackerkb.com/topics/CVE-2022-0229
- CWE-352
- CWE-862
- EUVD-EUVD-2022-15426
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.