CVE-2022-0992
moderate-risk
Published 2022-04-19
The SiteGround Security plugin for WordPress is vulnerable to authentication bypass that allows unauthenticated users to log in as administrative users due to missing identity verification on initial 2FA set-up that allows unauthenticated and unauthorized users to configure 2FA for pending accounts. Upon successful configuration, the attacker is logged in as that user without access to a username/password pair which is the expected first form of authentication. This affects versions up to, and including, 1.2.5.
Do I need to act?
~
4.4% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10
Critical
NETWORK
/ LOW complexity
Affected Products (1)
Security Optimizer
Affected Vendors
References (6)
Release Notes
https://plugins.trac.wordpress.org/changeset/2706302
Third Party Advisory
https://www.wordfence.com/threat-intel/vulnerabilities/id/6e5c6bf7-a653-4571-956...
Release Notes
https://plugins.trac.wordpress.org/changeset/2706302
Third Party Advisory
https://www.wordfence.com/threat-intel/vulnerabilities/id/6e5c6bf7-a653-4571-956...
45
/ 100
moderate-risk
Severity
32/34 · Critical
Exploitability
8/34 · Low
Exposure
5/34 · Minimal