CVE-2022-0993
Published: 19 April 2022
Summary
CVE-2022-0993 is a high-severity Improper Authorization (CWE-285) vulnerability in Siteground Siteground Security. Its CVSS base score is 8.1 (High).
Operationally, ranked in the top 12.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-15986
Vulnerability details
The SiteGround Security plugin for WordPress is vulnerable to authentication bypass that allows unauthenticated users to log in as administrative users due to missing identity verification on the 2FA back-up code implementation that logs users in upon success. This affects…
more
versions up to, and including, 1.2.5.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requiring identification and rationale for actions allowed without authentication ensures critical functions are not left unprotected by forcing review of authentication requirements.
Mandating explicit authorization of mobile device connections reduces the risk of improper authorization decisions for system access.
Ensures authorization decisions are always performed by a complete and analyzable reference monitor.
Auditing session actions allows identification of improper authorization decisions and enforcement failures.
The process verifies authorization mechanisms function as intended before system approval.
By limiting enabled features to only those needed, the control strengthens authorization by removing opportunities for unauthorized use of excess functionality.
Dedicated authorization servers support policy-based decisions, mitigating improper authorization.
Protecting the shutoff from unauthorized activation enforces proper authorization for this critical operation.