Shield Security < 21.0.10 – Authenticated (Subscriber+) Insecure Direct Object Reference to Disable Google Authenticator | CVE 2025-15370 | Plugin Vulnerabilities

Description

The Shield: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 21.0.9 via the MfaGoogleAuthToggle class due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disable Google Authenticator for any user.

Affects Plugins

wp-simple-firewall

Fixed in 21.0.10

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/d777014a-5397-4062-af39-7ea86589a0d0

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Verified

No

WPVDB ID

2c3c65f7-905a-45f7-9108-07977ec7bb23

Timeline

Publicly Published

2026-01-15 (about 5 months ago)

Added

2026-01-15 (about 5 months ago)

Last Updated

2026-01-16 (about 5 months ago)

Other

Published

Title

Published

2024-11-22

Title

Enter Addons – Ultimate Template Builder for Elementor < 2.2.0 - Authenticated (Contributor+) Post Disclosure

Published

2024-04-05

Title

BookingPress < 1.0.82 - Authenticated (Customer+) Insecure Direct Object Reference

Published

2023-10-22

Title

wpDiscuz < 7.6.4 - Author+ IDOR

Published

2025-04-14

Title

Projectopia <= 5.1.23 - Unauthenticated Privilege Escalation via Account Takeover

Published

2025-02-23

Title

Filebird < 6.4.6 - Authenticated (Author+) Insecure Direct Object Reference