cleantalk
Vulnerabilities and Security Researches

WP 2FA – Two-factor authentication for WordPress, CVE-2025-12628

CVE, Research URL

CVE-2025-12628

Home page URL

Security reports for WP 2FA – Two-factor authentication for WordPress

Application

WP 2FA – Two-factor authentication for WordPress

Published on
Nov 24, 2025
Research Description
The WP 2FA WordPress plugin does not generate backup codes with enough entropy, which could allow attackers to bypass the second factor by brute forcing them
Affected versions
max 3.0.0.
Status
vulnerable
Previous vulnerability researches
CM Download Manager – Document and File Management (CVE-2025-24758) , Feb 19, 2025
CM Download Manager – Document and File Management (CVE-2020-27344) , Jun 06, 2024
CM Download Manager – Document and File Management (CVE-2014-8877) , Jun 06, 2024
CM Download Manager – Document and File Management (CVE-2024-1962) , Jun 06, 2024
CM Download Manager – Document and File Management (CVE-2014-9129) , Jun 06, 2024
New vulnerability
WP 2FA – Two-factor authentication for WordPress (CVE-2025-12628) , Dec 09, 2025
WooCommerce (CVE-2025-49042) , Dec 09, 2025
User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor (CVE-2025-13054) , Dec 04, 2025
Visualizer: Tables and Charts Manager for WordPress (CVE-2025-12483) , Dec 04, 2025
Orbit Fox by ThemeIsle (CVE-2025-12045) , Dec 04, 2025