CVE-2025-15370 affects Shield Security. It is a privilege boundary failure that weakens authentication rather than one that changes content or reads data. The vulnerability allows any authenticated user, including a Subscriber, to target another account and toggle that account's Google Authenticator setting through a request parameter. That matters because MFA is one of the most important compensating controls in WordPress. When a plugin that is meant to harden security can be used by low privilege users to disable MFA on administrators, it becomes a security downgrade primitive. The practical consequence is that an attacker only needs a second ingredient, such as a password leak or a successful phish, to turn this downgrade into a full admin takeover.
| Field | Value |
|---|---|
| CVE | CVE-2025-15370 |
| Plugin Version | Shield Security <= 21.0.9 |
| All Time | 12 649 524 |
| Active installations | 40 000+ |
| Publicly Published | January 15, 2026 |
| Last Updated | January 15, 2026 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15370 , https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-simple-firewall/shield-security-2109-authenticated-subscriber-insecure-direct-object-reference-to-disable-google-authenticator , https://t.me/cleantalk_researches/399 |
Timeline

| Date | Event |
|---|---|
| December 29, 2025 | Plugin testing and vulnerability detection in Shield Security have been completed |
| December 29, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| January 26, 2026 | Registered CVE-2025-15370 |
Discovery of the Vulnerability
The issue is missing object level authorization in the handler for the action mfa_profile_toggle_ga. The action chooses which account to modify using a user controlled parameter named active_wp_user. The server side authorization checks only that the caller has the capability read, which every logged in user has. There is no requirement that the caller is toggling their own account and there is no requirement that the caller has a user management capability that would justify changing MFA settings for someone else. The vulnerable route uses the plugin action router, which accepts query parameters, merges them into the action data, and passes them into the handler. That merge behavior makes the attack especially straightforward because the attacker does not need to craft a complex request body. They just supply a victim user ID in the URL and the action uses it.
Understanding IDOR attacks
In WordPress, user security settings must be protected with both capability checks and object binding. Even if a user can manage their own profile, they should not be able to manage another user’s profile without explicit authority. This is why core actions like editing users require permissions like edit_users, and why plugins that implement profile related actions must enforce either self only restrictions or proper administrative capabilities. CVE-2025-15370 breaks that model by allowing any logged in user to act on any other user. The risk is not abstract. Many compromise chains start with a low privilege account gained through registration or weak passwords, then escalate by disabling defenses before attempting takeover. When MFA is disabled, the attacker reduces friction for credential stuffing and phishing. This kind of flaw is particularly damaging because it turns security tooling into an attacker tool. Instead of defending the site, the plugin becomes a way to remove a protective layer.
Exploiting the IDOR Vulnerability
To exploit CVE-2025-15370, an attacker needs only a Subscriber or higher account (any authenticated session cookies):
POC:
/wordpress/?action=shield_action&ex=mfa_profile_toggle_ga&active_wp_user=1____
The immediate impact is reduction of account security for targeted users. If the victim is an administrator, disabling TOTP removes the extra factor that often blocks password only attacks. The attacker can then use phishing, leaked credentials, or password reuse to access the admin account without being challenged for a second factor. This is especially dangerous on sites where administrators share passwords across environments or where login rate limiting is weak. Another realistic scenario is internal abuse. A malicious Subscriber could target staff accounts, disable their MFA, and later attempt takeovers through social engineering. Because MFA toggles may not be monitored as closely as content edits, this downgrade can be stealthy. The broader consequence is that the site may falsely believe it has strong MFA coverage while in reality an attacker has selectively disabled it for high value accounts. That makes incident response harder because defenders will look for password compromise signals while missing the earlier quiet MFA suppression step.
Recommendations for Improved Security
The fix is to enforce strict object binding and proper capabilities for MFA actions. The handler must ensure that the active_wp_user value matches the currently authenticated user when the intent is self service, and it must reject any attempt to toggle MFA for another user unless the caller has an explicit administrative capability appropriate for user management. In WordPress terms that typically means requiring edit_users or a plugin specific capability reserved for administrators, and validating with a nonce bound to the actor and action to prevent CSRF. It is also important to log MFA state changes with actor, target user, IP, and timestamp, and to surface alerts for administrator MFA disable events because those are high risk events. Site owners should update Shield Security to a fixed version once available, review MFA status for privileged accounts, and rotate or strengthen administrator passwords because MFA downgrades are most damaging when combined with credential compromise. If exposure is suspected, force re-enrollment of MFA for administrators and invalidate sessions to reduce the attacker's window.
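An added example, not code from Shield Security, contrasting the vulnerable pattern described in the discovery section (target taken from active_wp_user, only the read capability checked) with a handler that applies the recommendations above; the function names, the 'demo_ga_enabled' user meta key, the nonce action and the 'demo_admin_mfa_disabled' hook are all hypothetical:

```php
<?php
// Added illustration, not Shield Security's code. Hypothetical names: demo_toggle_ga_vulnerable,
// demo_toggle_ga_fixed, the 'demo_ga_enabled' user meta key and the 'demo_toggle_ga_' nonce action.

// Vulnerable pattern: the target account is taken from the request and the only
// gate is 'read', which every logged-in user holds, so any Subscriber can pick any user.
function demo_toggle_ga_vulnerable( array $data ) {
    if ( ! current_user_can( 'read' ) ) {
        return new WP_Error( 'forbidden', 'Not allowed' );
    }
    $target  = (int) ( $data['active_wp_user'] ?? get_current_user_id() );
    $enabled = (bool) get_user_meta( $target, 'demo_ga_enabled', true );
    update_user_meta( $target, 'demo_ga_enabled', ! $enabled );
    return ! $enabled;
}

// Hardened pattern: nonce bound to the acting user, object binding (self by default),
// an explicit user-management capability to act on anyone else, and an audit record.
function demo_toggle_ga_fixed( array $data ) {
    $actor  = get_current_user_id();
    $target = isset( $data['active_wp_user'] ) ? (int) $data['active_wp_user'] : $actor;

    // The nonce action embeds the actor id, so a nonce minted in one session is useless in another.
    if ( ! wp_verify_nonce( $data['_wpnonce'] ?? '', 'demo_toggle_ga_' . $actor ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid or missing nonce' );
    }
    // Object-level authorization: changing someone else's MFA requires edit_users.
    if ( $target !== $actor && ! current_user_can( 'edit_users' ) ) {
        return new WP_Error( 'forbidden', 'Cannot change MFA for another user' );
    }
    if ( ! get_userdata( $target ) ) {
        return new WP_Error( 'no_user', 'Unknown user' );
    }

    $enabled = (bool) get_user_meta( $target, 'demo_ga_enabled', true );
    update_user_meta( $target, 'demo_ga_enabled', ! $enabled );

    // Log every MFA state change with actor, target, IP and time, and fire a hook
    // (hypothetical 'demo_admin_mfa_disabled') so alerting can react to admin MFA disables.
    $event = array( 'actor' => $actor, 'target' => $target, 'enabled' => ! $enabled,
                    'ip' => $_SERVER['REMOTE_ADDR'] ?? '', 'time' => time() );
    error_log( 'mfa_ga_toggle ' . wp_json_encode( $event ) );
    if ( ! $event['enabled'] && user_can( $target, 'manage_options' ) ) {
        do_action( 'demo_admin_mfa_disabled', $event );
    }
    return ! $enabled;
}
```

The same self-or-edit_users decision can also be expressed with WordPress core's edit_user meta capability (current_user_can( 'edit_user', $target )), which resolves to allowed for the caller's own account and to edit_users for any other account.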
By taking proactive measures to address IDOR flaws like CVE-2025-15370, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #IDOR #WebsiteSafety #StayProtected #HighVulnerability
Dmitrii I.
