Michiel Bijland

#29130 of 53,633
8.8 Total CVSS
Vulnerabilities · 1
PT-2019-14822
8.8
2019-11-29
Wagtail · Wagtail-2Fa · CVE-2019-16766
**Name of the Vulnerable Software and Affected Versions**

wagtail-2fa versions prior to 1.3.0

**Description**

The issue allows an attacker to bypass the 2FA check by changing the URL after gaining access to someone's Wagtail login credentials. They can then add a new device and gain full access to the CMS.

**Recommendations**

For versions prior to 1.3.0, update to version 1.3.0 to resolve the issue. As a temporary workaround, consider restricting access to the device addition functionality until the update is applied.