CRITICAL🇵🇱 Wersja polska

CVE-2023-6272

CVSS 9.8v3.1pub. 2023-12-18upd. 2024-11-21

The Theme My Login 2FA WordPress plugin before 1.2 does not rate limit 2FA validation attempts, which may allow an attacker to brute-force all possibilities, which shouldn't be too long, as the 2FA codes are 6 digits.

🤖 AI Analysis
How it works

An attacker can send multiple 2FA code verification requests without any limit on the number of attempts (no rate limiting mechanism). The 2FA code consists of 6 digits, giving a space of 1,000,000 possible combinations. Without a lockout after a certain number of failed attempts, an attacker can systematically try all possible codes until obtaining the correct one. The vulnerability is classified as CWE-307, which is improper limitation of excessive authentication attempts.

Impact

An attacker can bypass the two-factor authentication mechanism and gain full access to a WordPress user account, taking control of it. Depending on the account permissions, this can lead to complete site takeover.

Mitigation & patch

The Theme My Login 2FA plugin should be updated to version 1.2 or later, which introduces a mechanism to limit the number of 2FA code verification attempts.

Who is affected

Theme My Login 2FA plugin for WordPress in versions prior to 1.2

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Thememylogin 2fa

    APP
    Thememylogin
    < 1.2
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References