CVE-2025-10293

Name of the Vulnerable Software and Affected Versions Keyy Two Factor Authentication plugin for WordPress versions prior to 1.2.4

Description The Keyy Two Factor Authentication plugin for WordPress is susceptible to privilege escalation, potentially leading to account takeover. The issue stems from inadequate validation of a user’s identity associated with a generated token. Authenticated attackers with subscriber-level access or higher can generate valid authentication tokens and use them to log in as other accounts, including administrators, provided the administrator has two-factor authentication enabled. The token is not properly validated, allowing attackers to bypass security measures.

Recommendations Update Keyy Two Factor Authentication plugin to version 1.2.4 or later.