Skip to main content

Webauthn Provider For Two Factor

1 CVEs product

Monthly

CVE-2026-11883 HIGH POC PATCH This Week

Two-factor authentication bypass in the WebAuthn Provider for Two Factor WordPress plugin (all versions before 2.5.6) lets an attacker who already possesses a valid user's password defeat the WebAuthn second factor by submitting a malformed authentication response that the plugin fails to validate. This neutralizes the plugin's core protection, effectively reducing account security back to single-factor (password-only). Publicly available exploit code exists (reported by WPScan); there is no public exploit identified as being used in active attacks and the issue is not listed in CISA KEV.

WordPress Authentication Bypass Webauthn Provider For Two Factor
NVD WPScan VulDB
CVSS 3.1
7.2
EPSS
0.2%
EPSS 0% CVSS 7.2
HIGH POC PATCH This Week

Two-factor authentication bypass in the WebAuthn Provider for Two Factor WordPress plugin (all versions before 2.5.6) lets an attacker who already possesses a valid user's password defeat the WebAuthn second factor by submitting a malformed authentication response that the plugin fails to validate. This neutralizes the plugin's core protection, effectively reducing account security back to single-factor (password-only). Publicly available exploit code exists (reported by WPScan); there is no public exploit identified as being used in active attacks and the issue is not listed in CISA KEV.

WordPress Authentication Bypass Webauthn Provider For Two Factor
NVD WPScan VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy