CVE-2022-42461: 
WordPress vulnerability analysis and mitigation

A Broken Access Control vulnerability was identified in miniOrange's Google Authenticator WordPress plugin versions 5.6.1 and below (CVE-2022-42461). The vulnerability was discovered and disclosed on October 31, 2022. The security flaw affects the plugin's settings functionality, potentially exposing WordPress installations to unauthorized access (Patchstack).

The vulnerability stems from the plugin's lack of proper authorization checks when updating its settings. This security flaw could allow any authenticated users, including those with subscriber-level access, to modify the plugin's settings. The vulnerability has been assigned a CVSS v3 Base Score of 8.8, with attack vector being Network, attack complexity Low, and requiring Low privileges with No user interaction (AttackerKB).

The vulnerability allows authenticated users with low-level privileges (such as subscribers) to modify the plugin's settings, potentially compromising the two-factor authentication security measures implemented on the WordPress site (WPScan).

The vulnerability has been patched in version 5.6.2 of the miniOrange's Google Authenticator plugin. Site administrators are advised to update to version 5.6.2 or later to resolve the security issue (Patchstack).