CVE-2023-6520

Name of the Vulnerable Software and Affected Versions WP 2FA – Two-factor authentication for WordPress plugin versions up to, and including, 2.5.0

Description The issue is due to missing or incorrect nonce validation on the send backup codes email function, making it possible for unauthenticated attackers to send emails with arbitrary content to registered users via a forged request. This can be achieved by tricking a site administrator or other registered user into performing an action, such as clicking on a link. The nonce check is only executed if a nonce is set, and by omitting a nonce from the request, the check can be bypassed.

Recommendations For versions up to, and including, 2.5.0, update to a version that includes the fix for the missing or incorrect nonce validation on the send backup codes email function. As a temporary workaround, consider restricting access to the send backup codes email function until a patch is available. Additionally, be cautious when clicking on links from unknown sources to minimize the risk of exploitation.