Skip to main content

WP 2FA EUVDEUVD-2026-43628

| CVE-2026-12988 MEDIUM
Missing Authorization (CWE-862)
2026-07-14 WPScan GHSA-ghqr-w463-c6wr
6.4
CVSS 3.1 · Vendor: WPScan
Share

Severity by source

Vendor (WPScan) PRIMARY
6.4 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
vuln.today AI
7.1 HIGH

Network attack requiring pre-compromised credentials (AC:H, PR:L); account takeover yields high confidentiality and integrity impact, not availability, correcting the provided vector's C:L/I:L/A:H miscalibration.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (WPScan).

CVSS VectorVendor: WPScan

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 14, 2026 - 13:25 vuln.today
CVSS changed
Jul 14, 2026 - 13:22 NVD
6.4 (MEDIUM)
Patch available
Jul 14, 2026 - 11:17 EUVD
CVE Published
Jul 14, 2026 - 06:00 cve.org
MEDIUM 6.4
CVE Published
Jul 14, 2026 - 06:00 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

The WP 2FA WordPress plugin before 3.1.1.2 does not verify that the email address supplied during two-factor authentication setup belongs to the user, allowing an attacker who has obtained a user's credentials to redirect the setup verification code to an attacker-controlled email address and take over the account.

AnalysisAI

Account takeover in the WP 2FA WordPress plugin (all versions before 3.1.1.2) is achievable by any attacker who has obtained a valid user's credentials. The plugin fails to verify that the email address submitted during two-factor authentication enrollment belongs to the authenticated account (CWE-862: Missing Authorization), allowing the attacker to redirect the setup verification code to an attacker-controlled inbox and complete 2FA enrollment on behalf of the victim. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Acquire target user credentials via phishing or stuffing
Delivery
Authenticate to WordPress as victim
Exploit
Initiate WP 2FA enrollment flow
Install
Supply attacker-controlled email address
C2
Receive setup verification code in attacker inbox
Execute
Complete 2FA enrollment
Impact
Lock victim out and control account

Vulnerability AssessmentAI

Exploitation Exploitation requires that the attacker has already obtained valid credentials - username and password - for the target WordPress account; this is the hard prerequisite reflected in CVSS PR:L and AC:H. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H, score 6.4) correctly captures the network attack surface and low-privilege prerequisite but appears miscalibrated on impact: A:H (high availability impact) is not well-supported by the description, while C:L and I:L understate the effective account takeover, which grants the attacker full control of the victim's WordPress account including its content, settings, and identity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker obtains the username and password for a WordPress account through credential stuffing, phishing, or a third-party data breach. They log in as the victim user, navigate to the 2FA setup flow provided by the WP 2FA plugin, and supply an attacker-controlled email address in place of the victim's real address. …
Remediation Update the WP 2FA WordPress plugin to version 3.1.1.2 or later, which introduces proper ownership verification of the email address supplied during 2FA enrollment. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43628 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy