This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π¨ **Essence**: A critical auth bypass in ONLYOFFICE Docs plugin for WordPress. π **Consequences**: Attackers can log in as *any* user without credentials. Total loss of confidentiality, integrity, and availability.
Q2Root Cause? (CWE/Flaw)
π‘οΈ **Root Cause**: **CWE-862** (Missing Authorization). The plugin fails to verify if the user has permission to access specific resources or actions. π« No checks = No protection.
Q3Who is affected? (Versions/Components)
π¦ **Affected**: WordPress Plugin **ONLYOFFICE Docs**. π **Versions**: **1.1.0** through **2.2.0**. π’ **Vendor**: Onlyoffice. If you use these versions, you are at risk!
Q4What can hackers do? (Privileges/Data)
π **Attacker Capabilities**: β **Privileges**: Arbitrary user login (Admin/User). β **Data**: Full access to sensitive docs. β **Impact**: High (CVSS H/H/H). They can read, modify, or delete anything.
π΅οΈ **Public Exploit**: **No PoC provided** in the data. π° **References**: WordFence and WordPress Trac links exist. β οΈ **Risk**: Even without a public script, the flaw is simple. Wild exploitation is likely imminent.
Q7How to self-check? (Features/Scanning)
π **Self-Check**: 1. Check WordPress Plugins list. 2. Look for **ONLYOFFICE Docs**. 3. Verify version is **β€ 2.2.0**. 4. Scan for the callback endpoint `/public/class-onlyoffice-plugin-public.php`.β¦
π§ **No Patch Workaround**: 1. **Disable** the plugin immediately. 2. **Remove** ONLYOFFICE Docs from the site. 3. Use alternative document editors. π Do not leave it active without a fix!
Q10Is it urgent? (Priority Suggestion)
π₯ **Urgency**: **CRITICAL**. π¨ **Priority**: **P1**. CVSS is High impact. Remote, unauthenticated access. Patch **NOW** or disable the plugin. Do not wait!