WordPress Plugin Vulnerabilities

WP 2FA < 2.6.0 - Subscriber+ Arbitrary Email Sending

Description

The plugin is vulnerable to Insecure Direct Object Reference via the send_backup_codes_email due to missing validation on a user controlled key. This makes it possible for subscriber-level attackers to email arbitrary users on the site.

Affects Plugins

Plugin icon
wp-2fa
Fixed in 2.6.0

References

CVE
CVE-2023-6506
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/caff9be6-4161-47a0-ba47-6c8fc0c4ab40

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Ulyses Saicha
Verified
No
WPVDB ID
f5515518-4cdb-4a9b-a88d-b450a6755038

Timeline

Publicly Published
2024-01-02 (about 2 years ago)
Added
2024-01-03 (about 2 years ago)
Last Updated
2024-01-03 (about 2 years ago)

Other

Published
Title
Published
2024-11-20
Title
Button Block – Get fully customizable & multi-functional buttons < 1.1.5 - Authenticated (Contributor+) Post Disclosure
Published
2024-09-24
Title
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible < 6.7.13 - Insecure Direct Object Reference to Account Takeover/Privilege Escalation
Published
2025-12-02
Title
Projectopia <= 5.1.22 - Authenticated (Custom+) Insecure Direct Object Reference
Published
2025-12-03
Title
HUSKY – Products Filter Professional for WooCommerce < 1.3.7.3 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'woof_add_query/woof_remove_query'
Published
2025-05-08
Title
Frontend Login and Registration Blocks < 1.2.0 - Unauthenticated Privilege Escalation via Account Takeover