Description
WordPress Plugin Google Authenticator-Per User Prompt is prone to a timing attack vulnerability because of an implementation flaw in how the application validates the password for a user account: the time taken to reject a wrong password varies with the submitted value, which leaks information about the correct one. Exploiting this issue may allow attackers to brute force an application password and gain access to the account. WordPress Plugin Google Authenticator-Per User Prompt version 0.6 is vulnerable; prior versions may also be affected.
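The advisory does not show the plugin's code, so the following is an added, constructed illustration of the vulnerability class it describes, not code from the plugin or the HackerOne report: a secret comparison that exits at the first mismatching byte does an amount of work (and therefore takes a time) that depends on how much of the guess is correct, whereas a constant-time comparison always examines every byte. The `examined` counter is instrumentation added here to make the data-dependent work visible; `verify_secret` shows the library primitive a fixed implementation would use (`hmac.compare_digest` in Python, `hash_equals()` in PHP).

```python
"""Early-exit vs constant-time secret comparison (constructed example)."""
import hmac


def naive_compare(expected: bytes, supplied: bytes) -> tuple[bool, int]:
    """Vulnerable pattern: return as soon as a byte differs.

    Returns (match, bytes_examined). The number of bytes examined, and so the
    running time, grows with the length of the correctly guessed prefix, which
    is the signal a timing attack relies on.
    """
    if len(expected) != len(supplied):
        return False, 0
    examined = 0
    for a, b in zip(expected, supplied):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_compare(expected: bytes, supplied: bytes) -> tuple[bool, int]:
    """Hardened pattern: examine every byte and accumulate the differences.

    The verdict is computed with XOR/OR so there is no data-dependent early
    exit; bytes_examined is always the full length for equal-length inputs.
    Callers should compare equal-length values (e.g. fixed-size hashes) so the
    length check itself reveals nothing useful.
    """
    if len(expected) != len(supplied):
        return False, 0
    diff = 0
    examined = 0
    for a, b in zip(expected, supplied):
        examined += 1
        diff |= a ^ b
    return diff == 0, examined


def verify_secret(expected: bytes, supplied: bytes) -> bool:
    """What production code should call: the standard library's constant-time
    comparison (PHP equivalent: hash_equals()), rather than ==, strcmp or a
    hand-written loop."""
    return hmac.compare_digest(expected, supplied)


if __name__ == "__main__":
    # Constructed secret and guesses; the guess sharing a longer correct prefix
    # makes the naive comparison do more work, the constant-time one does not.
    secret = b"s3cret!!"
    for guess in (b"xxxxxxxx", b"s3cxxxxx", b"s3cret!!"):
        print(guess, naive_compare(secret, guess), constant_time_compare(secret, guess))
```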
Remediation
Update to plugin version 0.7 or later.
References
https://hackerone.com/reports/277534
https://plugins.svn.wordpress.org/google-authenticator-per-user-prompt/trunk/readme.txt