WordPress Two-Factor Authentication Plugin Cross-Site Request Forgery Vulnerability

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the WordPress Two-Factor Authentication (formerly IP Vault) plugin, affecting all versions through 2.1. The vulnerability arises from inadequate nonce validation in the 'ipv_save_changes' function, allowing unauthenticated attackers to manipulate the plugin's firewall and authentication settings. This includes changes to the operational mode, request inclusion/exclusion rules, authentication slug, and log retention period. An attacker could disable the plugin's protection entirely by tricking a logged-in site administrator into clicking a link that submits the forged request.

Impact

Exploitation of this vulnerability could lead to unauthorized changes in the plugin's settings, potentially disabling its protective features.

Reproduction

To reproduce this vulnerability, an attacker must send a forged request to a WordPress site with the vulnerable plugin installed. The request should be crafted to exploit the missing nonce validation in the 'ipv_save_changes' function. This can be done by tricking an administrator into clicking a link that activates the forged request, such as through a social engineering tactic.
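The defect described above is the classic WordPress settings-handler CSRF: a request handler writes options without verifying that the request came from a form the administrator actually submitted. The following PHP is an added illustration of the vulnerable pattern beside the hardened one; it is not the plugin's own code. Only the action name 'ipv_save_changes' comes from the advisory; the handler names, option keys, form fields and allowed mode values are assumed for the example.

```php
<?php
// Added example, not the plugin's code. Names other than 'ipv_save_changes'
// (handler functions, option keys, field names, mode values) are assumed.

// --- Vulnerable pattern ------------------------------------------------------
// Nothing binds this request to a form rendered for the current user, so a page
// on any other origin can auto-submit the same fields from the admin's browser
// and the handler will happily persist them.
function ipv_save_changes_vulnerable() {
    update_option( 'ipv_mode', sanitize_text_field( wp_unslash( $_POST['mode'] ?? '' ) ) );
    update_option( 'ipv_log_retention_days', absint( $_POST['log_retention_days'] ?? 0 ) );
}

// --- Hardened pattern --------------------------------------------------------
// Two independent checks precede any write: authorization (capability) and
// request provenance (nonce). Sanitization alone does not stop CSRF; the nonce
// is what proves the request originated from a form WordPress rendered for
// this user and this action.
function ipv_save_changes_hardened() {
    // 1. Authorization: only users allowed to manage settings may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example-textdomain' ), 403 );
    }

    // 2. CSRF protection: the nonce field must match the action/name pair used
    //    when the form was rendered. check_admin_referer() calls wp_die() on a
    //    missing or invalid nonce, so execution stops here on a forged request.
    check_admin_referer( 'ipv_save_changes', 'ipv_nonce' );

    // 3. Input validation: allow-list the mode (values assumed for the example)
    //    and bound the retention period so an attacker who somehow obtains a
    //    nonce still cannot write arbitrary values.
    $mode = sanitize_text_field( wp_unslash( $_POST['mode'] ?? '' ) );
    if ( ! in_array( $mode, array( 'monitor', 'enforce' ), true ) ) {
        wp_die( esc_html__( 'Invalid operational mode.', 'example-textdomain' ), 400 );
    }
    $retention_days = min( absint( $_POST['log_retention_days'] ?? 0 ), 365 );

    update_option( 'ipv_mode', $mode );
    update_option( 'ipv_log_retention_days', $retention_days );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
// admin-post.php dispatches POSTs with action=ipv_save_changes to this handler
// only for authenticated users; the capability and nonce checks above are what
// make that dispatch safe.
add_action( 'admin_post_ipv_save_changes', 'ipv_save_changes_hardened' );

// --- Form side ---------------------------------------------------------------
// The nonce must be emitted with exactly the action/name pair the handler
// verifies. wp_nonce_field() also adds the _wp_http_referer field used by
// check_admin_referer().
function ipv_render_settings_form() {
    $mode           = get_option( 'ipv_mode', 'monitor' );
    $retention_days = (int) get_option( 'ipv_log_retention_days', 30 );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="ipv_save_changes">
        <?php wp_nonce_field( 'ipv_save_changes', 'ipv_nonce' ); ?>

        <label for="ipv_mode">Operational mode</label>
        <select id="ipv_mode" name="mode">
            <option value="monitor" <?php selected( $mode, 'monitor' ); ?>>Monitor</option>
            <option value="enforce" <?php selected( $mode, 'enforce' ); ?>>Enforce</option>
        </select>

        <label for="ipv_retention">Log retention (days)</label>
        <input id="ipv_retention" type="number" name="log_retention_days" min="0" max="365"
               value="<?php echo esc_attr( $retention_days ); ?>">

        <?php submit_button(); ?>
    </form>
    <?php
}
```

When reviewing a plugin for this class of bug, the check is mechanical: every handler that calls update_option(), or otherwise changes state, on the basis of request data must be preceded by both a current_user_can() test and a check_admin_referer() or wp_verify_nonce() test, and the form that feeds it must emit the matching wp_nonce_field(). A handler that has the capability check but not the nonce check is still exploitable via CSRF, because the victim administrator supplies the capability.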

Added: May 27, 2026, 7:23 AM
Updated: May 27, 2026, 7:23 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.2
remediation: 0.0
relevance: 9.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.