WP 2FA < 3.1.1.2 - Account Takeover via 2FA Setup Email Binding

Description

The plugin does not verify that the email address supplied during two-factor authentication setup belongs to the user, allowing an attacker who has obtained a user's credentials to redirect the setup verification code to an attacker-controlled email address and take over the account.

Proof of Concept

Affects Plugins

Fixed in 3.1.1.2

References

Classification

Type
NO AUTHORISATION
CWE

Miscellaneous

Original Researcher
Janger
Submitter
Janger
Submitter website
Verified
Yes

Timeline

Publicly Published
2026-06-23
Added
2026-06-23
Last Updated
2026-06-23

Other