PT-2025-42290 · WordPress · Keyy Two Factor Authentication

Published

2025-10-15

Updated

2025-10-15

CVE-2025-10293

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Keyy Two Factor Authentication plugin for WordPress versions prior to 1.2.4

Description The Keyy Two Factor Authentication plugin for WordPress is susceptible to privilege escalation, potentially leading to account takeover. The issue stems from inadequate validation of a user’s identity associated with a generated token. Authenticated attackers with subscriber-level access or higher can generate valid authentication tokens and use them to log in as other accounts, including administrators, provided the administrator has two-factor authentication enabled. The token is not properly validated, allowing attackers to bypass security measures.

Recommendations Update Keyy Two Factor Authentication plugin to version 1.2.4 or later.

Fix

LPE

Improper Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-287

Related Identifiers

CVE-2025-10293

Affected Products

Keyy Two Factor Authentication

PT-2025-42290 · WordPress · Keyy Two Factor Authentication

CVE-2025-10293

Weakness Enumeration

Related Identifiers

Affected Products

References · 7