WordPress · Two-Factor Authentication · CVE-2018-20231
**Name of the Vulnerable Software and Affected Versions**
WordPress two-factor-authentication plugin versions prior to 1.3.13
**Description**
The plugin does not validate a WordPress nonce on the request that processes the `tfa_enable_tfa` parameter, so the setting can be changed by a forged request (cross-site request forgery, CSRF). This allows remote attackers to disable two-factor authentication (2FA) through that parameter.
**Recommendations**
For versions prior to 1.3.13, update the two-factor-authentication plugin to version 1.3.13 or later, which resolves the issue. If updating immediately is not possible, restrict access to the request handler that processes the `tfa_enable_tfa` parameter as a temporary workaround until the plugin is updated.
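The following is an added illustration of the missing-nonce pattern described above, not the plugin's own code: a hypothetical settings handler that toggles 2FA from a `tfa_enable_tfa` POST field, first without nonce validation and then with the standard WordPress nonce check. Function names other than the WordPress core APIs (`current_user_can`, `wp_nonce_field`, `check_admin_referer`, `update_option`) are assumed.

```php
<?php
// Added illustration, not the plugin's code. Hypothetical settings handler
// that toggles the 2FA setting from a POST field named tfa_enable_tfa.

// Vulnerable pattern: the only gate is a capability check. A browser that
// is logged in to the site sends its session cookies with any form post,
// including one submitted by a page the attacker controls, so this check
// cannot distinguish a genuine settings-page submission from a forged one.
function tfa_save_settings_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $enabled = isset( $_POST['tfa_enable_tfa'] ) && $_POST['tfa_enable_tfa'] === '1';
    update_option( 'tfa_enable_tfa', $enabled ? 1 : 0 );
}

// Hardened pattern: the settings form embeds a nonce bound to an action
// name and the current user, and the handler refuses the request if the
// nonce is missing, stale, or issued for a different user.
function tfa_render_settings_form() {
    echo '<form method="post">';
    // Emits a hidden field named tfa_settings_nonce for the action below.
    wp_nonce_field( 'tfa_save_settings', 'tfa_settings_nonce' );
    echo '<label><input type="checkbox" name="tfa_enable_tfa" value="1"> Enable 2FA</label>';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}

function tfa_save_settings_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // check_admin_referer() verifies the nonce against the same action name
    // and stops execution with an error page when it does not verify, so
    // the option is never written for a forged request.
    check_admin_referer( 'tfa_save_settings', 'tfa_settings_nonce' );
    $enabled = isset( $_POST['tfa_enable_tfa'] ) && $_POST['tfa_enable_tfa'] === '1';
    update_option( 'tfa_enable_tfa', $enabled ? 1 : 0 );
}
```

When reviewing a plugin for this class of bug, look for every handler that writes an option from `$_POST` or `$_GET` and confirm it calls `check_admin_referer()` or `wp_verify_nonce()` before the write; a capability check alone is not CSRF protection.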