WP 2FA – Two-factor authentication for WordPress, CVE-2025-12628

CVE, Research URL: CVE-2025-12628
Home page URL: Security reports for WP 2FA – Two-factor authentication for WordPress
Application: WP 2FA – Two-factor authentication for WordPress
Published on: Nov 24, 2025
Research Description: The WP 2FA WordPress plugin does not generate backup codes with enough entropy, which could allow attackers to bypass the second factor by brute forcing them
Affected versions: max 3.0.0.
Status: vulnerable

WP 2FA &#8211; Two-factor authentication for WordPress, CVE-2025-12628