WordPress Plugin Vulnerabilities

WP 2FA with Telegram < 3.1 - Two-Factor Authentication Bypass

Description

The plugin is vulnerable to Two-Factor Authentication Bypass due to the two-factor code being stored in a cookie, which makes it possible to bypass two-factor authentication.

Affects Plugins

Plugin icon
two-factor-login-telegram
Fixed in 3.1

References

CVE
CVE-2024-9820
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/ccd73030-7185-4302-b3fd-29cbbe716e3e

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
István Márton
Verified
No
WPVDB ID
4e2f62a6-6798-41a6-8829-2532054e1edd

Timeline

Publicly Published
2024-10-14 (about 1 year ago)
Added
2024-10-14 (about 1 year ago)
Last Updated
2024-10-14 (about 1 year ago)

Other

Published
Title
Published
2023-12-15
Title
Getwid < 2.0.3 - Unauthenticated Arbitrary Email Sending to Admin
Published
2025-11-04
Title
KiotViet Sync <= 1.8.5 - Authorization Bypass via Use of Hard-coded Password
Published
2014-08-01
Title
WordPress 3.7.1 & 3.8 - Cleartext Admin Credentials Disclosure
Published
2023-11-24
Title
JobSearch WP Job Board < 2.3.4 - Authentication Bypass
Published
2026-03-17
Title
KiviCare – Clinic & Patient Management System (EHR) < 4.1.3 - Unauthenticated Authentication Bypass via Social Login Token