Vulnerabilities and security researches forwp-2fa wp-2fa

Jun 07, 2024

CVE, Research URL: CVE-2023-6520
Home page URL: Security reports for WP 2FA – Two-factor authentication for WordPress
Application: WP 2FA – Two-factor authentication for WordPress
Date: Jan 11, 2024
Research Description: The WP 2FA – Two-factor authentication for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.0. This is due to missing or incorrect nonce validation on the send_backup_codes_email function. This makes it possible for unauthenticated attackers to send emails with arbitrary content to registered users via a forged request granted they can trick a site administrator or other registered user into performing an action such as clicking on a link. While a nonce check is present, it is only executed if a nonce is set. By omitting a nonce from the request, the check can be bypassed.
Affected versions: max 2.6.0.
Status: vulnerable

CVE, Research URL: CVE-2024-32568
Home page URL: Security reports for WP 2FA – Two-factor authentication for WordPress
Application: WP 2FA – Two-factor authentication for WordPress
Date: Apr 18, 2024
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Melapress WP 2FA allows Reflected XSS.This issue affects WP 2FA: from n/a through 2.6.2.
Affected versions: max 2.6.3.
Status: vulnerable

CVE, Research URL: 187b426eea97d75fad4202e60fc8c41a3407977f
Home page URL: Security reports for WP 2FA – Two-factor authentication for WordPress
Application: WP 2FA – Two-factor authentication for WordPress
Date: Apr 29, 2022
Research Description: WP 2FA – Two-factor authentication for WordPress [wp-2fa] < 2.2.0 WordPress WP 2FA plugin <= 2.1.0 - Arbitrary 2FA Disabling via Insecure Direct Object References (IDOR) vulnerability Arbitrary 2FA Disabling via Insecure Direct Object References (IDOR) vulnerability discovered by Maycon Vitali in WordPress WP 2FA plugin (versions <= 2.1.0).
Affected versions: max 2.2.0.
Status: vulnerable

CVE, Research URL: CVE-2022-1527
Home page URL: Security reports for WP 2FA – Two-factor authentication for WordPress
Application: WP 2FA – Two-factor authentication for WordPress
Date: May 30, 2022
Research Description: The WP 2FA WordPress plugin before 2.2.1 does not sanitise and escape a parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting
Affected versions: max 2.2.1.
Status: vulnerable

CVE, Research URL: CVE-2022-2891
Home page URL: Security reports for WP 2FA – Two-factor authentication for WordPress
Application: WP 2FA – Two-factor authentication for WordPress
Date: Oct 11, 2022
Research Description: The WP 2FA WordPress plugin before 2.3.0 uses comparison operators that don't mitigate time-based attacks, which could be abused to leak information about the authentication codes being compared.
Affected versions: max 2.2.1.
Status: vulnerable

CVE, Research URL: CVE-2022-44595
Home page URL: Security reports for WP 2FA – Two-factor authentication for WordPress
Application: WP 2FA – Two-factor authentication for WordPress
Date: Mar 21, 2024
Research Description: Improper Authentication vulnerability in Melapress WP 2FA allows Authentication Bypass.This issue affects WP 2FA: from n/a through 2.2.0.
Affected versions: max 2.2.0.
Status: vulnerable

CVE, Research URL: CVE-2023-6506
Home page URL: Security reports for WP 2FA – Two-factor authentication for WordPress
Application: WP 2FA – Two-factor authentication for WordPress
Date: Jan 11, 2024
Research Description: The WP 2FA – Two-factor authentication for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.5.0 via the send_backup_codes_email due to missing validation on a user controlled key. This makes it possible for subscriber-level attackers to email arbitrary users on the site.
Affected versions: max 2.6.0.
Status: vulnerable

Jun 23, 2024

CVE, Research URL: CVE-2022-44587
Home page URL: Security reports for WP 2FA – Two-factor authentication for WordPress
Application: WP 2FA – Two-factor authentication for WordPress
Date: Jun 21, 2024
Research Description: Insertion of Sensitive Information into Log File vulnerability in WP 2FA allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WP 2FA: from n/a through 2.6.3.
Affected versions: max 2.6.4.
Status: vulnerable

Dec 09, 2025

CVE, Research URL: CVE-2025-12628
Home page URL: Security reports for WP 2FA – Two-factor authentication for WordPress
Application: WP 2FA – Two-factor authentication for WordPress
Date: Nov 24, 2025
Research Description: The WP 2FA WordPress plugin does not generate backup codes with enough entropy, which could allow attackers to bypass the second factor by brute forcing them
Affected versions: max 3.0.0.
Status: vulnerable