PT-2026-57967 · WordPress · Wp 2Fa

Janger

·

Published

2026-07-14

·

Updated

2026-07-14

·

CVE-2026-12988

CVSS v3.1

6.4

Medium

VectorAV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
Name of the Vulnerable Software and Affected Versions WP 2FA versions prior to 3.1.1.2
Description The plugin fails to verify if the email address provided during the two-factor authentication setup belongs to the user. This allows an attacker with valid user credentials to redirect the setup verification code to an email address under their control, leading to full account takeover.
Recommendations Update to version 3.1.1.2 or later.

Exploit

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-12988

Affected Products

Wp 2Fa