WordPress Plugin Vulnerabilities

Two Factor (2FA) Authentication via Email < 1.9.9 - Two-Factor Authentication Bypass via token

Description

The plugin is vulnerable to Two-Factor Authentication Bypass due to the SS88_2FAVE::wp_login() method only enforcing the 2FA requirement if the 'token' HTTP GET parameter is undefined, which makes it possible to bypass two-factor authentication by supplying any value in the 'token' parameter during login, including an empty one.

Affects Plugins

Plugin icon
two-factor-2fa-via-email
Fixed in 1.9.9

References

CVE
CVE-2025-13587
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/11fbe76c-dc5c-413c-b6a8-d0f4aa56935d

Miscellaneous

Original Researcher
Ulyses Saicha
Verified
No
WPVDB ID
f7f6d758-3049-4031-9f1d-c0096cf914ce

Timeline

Publicly Published
2026-02-18 (about 3 months ago)
Added
2026-02-18 (about 3 months ago)
Last Updated
2026-02-18 (about 3 months ago)

Other

Published
Title
Published
2019-08-25
Title
WooCommerce PayU India <= 2.1.1 - Price Tampering
Published
2016-09-26
Title
W3 Total Cache < 0.9.5 – Unauthenticated Security Token Bypass
Published
2024-01-31
Title
BookIt <= 2.4.0 - Price Bypass
Published
2022-05-17
Title
iQ Block Country < 1.2.20 - Protection Bypass due to IP Spoofing
Published
2022-12-27
Title
WP Limit Login Attempts <= 2.6.5 - IP Spoofing