PT-2026-20601 · WordPress · Two Factor (2Fa) Authentication Via Email

Ulyses Saicha

Publicado

2026-02-19

Atualizado

2026-02-23

CVE-2025-13587

CVSS v3.1

6.5

Média

Vetor

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions Two Factor (2FA) Authentication via Email plugin for WordPress versions up to and including 1.9.8

Description The Two Factor (2FA) Authentication via Email plugin for WordPress is susceptible to a bypass of the two-factor authentication mechanism. The SS88 2FAVE::wp login() function only enforces 2FA if the token HTTP GET parameter is not defined. This allows an attacker to bypass 2FA by providing any value, including an empty one, in the token parameter during login.

Recommendations Update the Two Factor (2FA) Authentication via Email plugin for WordPress to a version later than 1.9.8.

Correção

RCE

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-20

Identificadores relacionados

CVE-2025-13587

Produtos afetados

Two Factor (2Fa) Authentication Via Email

PT-2026-20601 · WordPress · Two Factor (2Fa) Authentication Via Email

CVE-2025-13587

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 5