WordPress Plugin Vulnerabilities
WP 2FA < 3.1.1.2 - Account Takeover via 2FA Setup Email Binding
Description
The plugin does not verify that the email address supplied during two-factor authentication (2FA) setup belongs to the user whose account is being enrolled. An attacker who has obtained a user's credentials can therefore supply an attacker-controlled address, receive the setup verification code there, and complete 2FA enrolment for the victim's account, taking it over.
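The following is an added illustration of the missing check, written for this page; it is not WP 2FA's code, its patch, or a reproduction of the advisory. It shows a generic WordPress AJAX handler that only mails a 2FA setup code to the address already stored on the account. The action name, nonce name, and user-meta key (`example_2fa_send_setup_code`, `example_2fa_setup`, `example_2fa_setup_code`) are hypothetical; everything else is standard WordPress API.

```php
<?php
/**
 * Added example (not WP 2FA's code): an AJAX handler that sends a 2FA
 * setup code only to the address already bound to the WordPress account.
 *
 * Hypothetical names: action 'example_2fa_send_setup_code', nonce
 * 'example_2fa_setup', user-meta key 'example_2fa_setup_code'.
 */

add_action( 'wp_ajax_example_2fa_send_setup_code', 'example_2fa_send_setup_code' );

function example_2fa_send_setup_code() {
    // CSRF protection for the logged-in AJAX endpoint.
    check_ajax_referer( 'example_2fa_setup', 'nonce' );

    $user = wp_get_current_user();
    if ( ! $user || 0 === $user->ID ) {
        wp_send_json_error( 'Not logged in.', 401 );
    }

    $submitted = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( '' === $submitted || ! is_email( $submitted ) ) {
        wp_send_json_error( 'Invalid email address.', 400 );
    }

    // The check the description says is missing: the 2FA address must be the
    // one already bound to the account. A vulnerable handler would skip this
    // and mail the code to whatever address the request supplied.
    if ( ! example_2fa_email_belongs_to_user( $submitted, $user ) ) {
        wp_send_json_error( 'Email does not match the account email.', 403 );
    }

    // Six-digit code, stored only as a hash with a short expiry.
    $code = str_pad( (string) wp_rand( 0, 999999 ), 6, '0', STR_PAD_LEFT );
    update_user_meta( $user->ID, 'example_2fa_setup_code', array(
        'hash'    => wp_hash_password( $code ),
        'expires' => time() + 10 * MINUTE_IN_SECONDS,
    ) );

    // From here on, ignore $submitted: mail the account email, never the request's.
    wp_mail( $user->user_email, 'Your 2FA setup code', "Your code is: {$code}" );

    wp_send_json_success( 'Code sent to the address on file.' );
}

/** True only if the submitted address is the account's own email. */
function example_2fa_email_belongs_to_user( $submitted, WP_User $user ) {
    $a = strtolower( trim( $submitted ) );
    $b = strtolower( trim( $user->user_email ) );
    return '' !== $a && hash_equals( $b, $a );
}

/** Verify the code the user types back, enforcing expiry and single use. */
function example_2fa_verify_setup_code( $typed, WP_User $user ) {
    $stored = get_user_meta( $user->ID, 'example_2fa_setup_code', true );
    if ( empty( $stored['hash'] ) || empty( $stored['expires'] ) || time() > $stored['expires'] ) {
        return false;
    }
    $ok = wp_check_password( (string) $typed, $stored['hash'] );
    if ( $ok ) {
        delete_user_meta( $user->ID, 'example_2fa_setup_code' ); // single use
    }
    return $ok;
}
```

The stricter design is to not accept an email address from the client at all during enrolment and simply use `$user->user_email`; the comparison above is shown because the description frames the bug as a missing ownership check on a user-supplied address. Any change of the 2FA delivery address should itself be confirmed out of band (for example through the existing account email) before it takes effect.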
Proof of Concept
Affects Plugins
References
CVE
YouTube Video
Classification
Type
NO AUTHORISATION
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Janger
Submitter
Janger
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2026-06-23
Added
2026-06-23
Last Updated
2026-06-23