WordPress Plugin Vulnerabilities

Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches < 21.0.10 - Missing Authorization to Authenticated (Subscriber+) Email MFA Update

Description

The Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `MfaEmailDisable` action in all versions up to, and including, 21.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disable the global Email 2FA setting for the entire site.

Affects Plugins

Plugin icon
wp-simple-firewall
Fixed in 21.0.10

References

CVE
CVE-2025-14427
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/91dbc521-c24b-4b73-9b70-46d363ccb535

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
shark3y
Verified
No
WPVDB ID
d365d025-887e-4de2-82a1-4200ab20e386

Timeline

Publicly Published
2026-02-18 (about 1 month ago)
Added
2026-02-18 (about 1 month ago)
Last Updated
2026-02-19 (about 1 month ago)

Other

Published
Title
Published
2025-02-24
Title
DefendWP Firewall < 1.1.1 - Missing Authorization
Published
2024-03-08
Title
EventPrime – Events Calendar, Bookings and Tickets < 3.4.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion
Published
2025-10-18
Title
Link Whisper Free <= 0.9.1 - Missing Authorization
Published
2022-01-12
Title
Ibtana < 1.1.4.9 - Subscriber+ Settings Update to Stored XSS
Published
2024-10-17
Title
SendGrid for WordPress <= 1.4 - Missing Authorization to Authenticated (Subscriber+) Log Deletion