WordPress Plugin Vulnerabilities

Theme My Login 2FA < 1.2 - Lack of Rate Limiting

Description

The plugin does not rate limit 2FA validation attempts, which may allow an attacker to brute-force all possibilities, which shouldn't be too long, as the 2FA codes are 6 digits.

Proof of Concept

Affects Plugins

Plugin icon
tml-2fa
Fixed in 1.2

References

CVE
CVE-2023-6272
URL
https://packetstormsecurity.com/2309-exploits/wpmylogin-bruteforce.txt

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287
CVSS
5.6 (medium)

Miscellaneous

Original Researcher
Joost Grunwald
Submitter
Joost Grunwald
Submitter website
https://www.iecetee.com
Verified
Yes
WPVDB ID
a03243ea-fee7-46e4-8037-a228afc5297a

Timeline

Publicly Published
2023-11-24 (about 2 years ago)
Added
2023-11-24 (about 2 years ago)
Last Updated
2023-11-24 (about 2 years ago)

Other

Published
Title
Published
2019-12-12
Title
Ultimate Addons for Beaver Builder <= 1.24.0 - Authentication Bypass
Published
2025-08-01
Title
Brave Conversion Engine (PRO) < 0.8.0 - Authentication Bypass
Published
2024-10-25
Title
Wp Social Login and Register Social Counter < 3.0.8 - Authentication Bypass
Published
2021-07-20
Title
NEX Forms < 7.8.8 - Authentication Bypass for Excel Reports
Published
2023-12-27
Title
Checkout Mestres WP < 7.1.9.8 - Authentication Bypass via Password Reset