Wp 2Fa
Monthly
Account takeover in the WP 2FA WordPress plugin (all versions before 3.1.1.2) is achievable by any attacker who has obtained a valid user's credentials. The plugin fails to verify that the email address submitted during two-factor authentication enrollment belongs to the authenticated account (CWE-862: Missing Authorization), allowing the attacker to redirect the setup verification code to an attacker-controlled inbox and complete 2FA enrollment on behalf of the victim. A publicly available proof-of-concept exists per WPScan; this vulnerability is not currently listed in the CISA KEV catalog, but the combination of a PoC, medium-prevalence deployment, and account-takeover impact warrants prompt patching.
Improper Authentication vulnerability in Melapress WP 2FA allows Authentication Bypass.2.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The WP 2FA WordPress plugin before 2.3.0 uses comparison operators that don't mitigate time-based attacks, which could be abused to leak information about the authentication codes being compared. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
The WP 2FA WordPress plugin before 2.2.1 does not sanitise and escape a parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Account takeover in the WP 2FA WordPress plugin (all versions before 3.1.1.2) is achievable by any attacker who has obtained a valid user's credentials. The plugin fails to verify that the email address submitted during two-factor authentication enrollment belongs to the authenticated account (CWE-862: Missing Authorization), allowing the attacker to redirect the setup verification code to an attacker-controlled inbox and complete 2FA enrollment on behalf of the victim. A publicly available proof-of-concept exists per WPScan; this vulnerability is not currently listed in the CISA KEV catalog, but the combination of a PoC, medium-prevalence deployment, and account-takeover impact warrants prompt patching.
Improper Authentication vulnerability in Melapress WP 2FA allows Authentication Bypass.2.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The WP 2FA WordPress plugin before 2.3.0 uses comparison operators that don't mitigate time-based attacks, which could be abused to leak information about the authentication codes being compared. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
The WP 2FA WordPress plugin before 2.2.1 does not sanitise and escape a parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.