vulnerability

WordPress Plugin: miniorange-google-authenticator: CVE-2022-0875: Cross-Site Request Forgery (CSRF)

Try Surface Command

Back to search

Severity

CVSS

(AV:N/AC:M/Au:N/C:N/I:P/A:N)

Published

Jun 6, 2022

Added

May 15, 2025

Modified

Apr 30, 2026

Description

The Google Authenticator WordPress plugin before 1.0.5 does not have CSRF check when saving its settings, and does not sanitise as well as escape them, allowing attackers to make a logged in admin change them and perform Cross-Site Scripting attacks

Solution

miniorange-google-authenticator-plugin-cve-2022-0875

References

https://www.cve.org/CVERecord?id=CVE-2022-0875
https://www.wordfence.com/threat-intel/vulnerabilities/id/22b539c8-a6f1-4543-9e63-08ee4d468ee0?source=api-prod
https://euvd.enisa.europa.eu/vulnerability/EUVD-2022-15913
CVE-2022-0875
https://attackerkb.com/topics/CVE-2022-0875
CWE-352
EUVD-EUVD-2022-15913

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report