Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
Network attack requiring pre-compromised credentials (AC:H, PR:L); account takeover yields high confidentiality and integrity impact, not availability, correcting the provided vector's C:L/I:L/A:H miscalibration.
Primary rating from Vendor (WPScan).
CVSS VectorVendor: WPScan
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
Lifecycle Timeline
5DescriptionCVE.org
The WP 2FA WordPress plugin before 3.1.1.2 does not verify that the email address supplied during two-factor authentication setup belongs to the user, allowing an attacker who has obtained a user's credentials to redirect the setup verification code to an attacker-controlled email address and take over the account.
AnalysisAI
Account takeover in the WP 2FA WordPress plugin (all versions before 3.1.1.2) is achievable by any attacker who has obtained a valid user's credentials. The plugin fails to verify that the email address submitted during two-factor authentication enrollment belongs to the authenticated account (CWE-862: Missing Authorization), allowing the attacker to redirect the setup verification code to an attacker-controlled inbox and complete 2FA enrollment on behalf of the victim. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the attacker has already obtained valid credentials - username and password - for the target WordPress account; this is the hard prerequisite reflected in CVSS PR:L and AC:H. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H, score 6.4) correctly captures the network attack surface and low-privilege prerequisite but appears miscalibrated on impact: A:H (high availability impact) is not well-supported by the description, while C:L and I:L understate the effective account takeover, which grants the attacker full control of the victim's WordPress account including its content, settings, and identity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker obtains the username and password for a WordPress account through credential stuffing, phishing, or a third-party data breach. They log in as the victim user, navigate to the 2FA setup flow provided by the WP 2FA plugin, and supply an attacker-controlled email address in place of the victim's real address. … |
| Remediation | Update the WP 2FA WordPress plugin to version 3.1.1.2 or later, which introduces proper ownership verification of the email address supplied during 2FA enrollment. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
The WP 2FA WordPress plugin before 2.2.1 does not sanitise and escape a parameter before outputting it back in an admin
The WP 2FA WordPress plugin before 2.3.0 uses comparison operators that don't mitigate time-based attacks, which could b
Improper Authentication vulnerability in Melapress WP 2FA allows Authentication Bypass.2.0. Rated medium severity (CVSS
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43628
GHSA-ghqr-w463-c6wr