Search

Find a vulnerability

Search criteria

    4 vulnerabilities found for Two-factor authentication (formerly IP Vault) by youtag

    CVE-2026-8903 (GCVE-0-2026-8903)

    Vulnerability from nvd – Published: 2026-05-27 05:31 – Updated: 2026-05-27 10:36
    VLAI
    Title
    Two-factor authentication (formerly IP Vault) <= 2.1 - Cross-Site Request Forgery to Settings Update
    Summary
    The Two-factor authentication (formerly IP Vault) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1. This is due to missing or incorrect nonce validation on the ipv_save_changes function. This makes it possible for unauthenticated attackers to modify the plugin's firewall and two-factor authentication settings — including the operating mode, request include/exclude rules, authentication slug, and log retention period — potentially disabling protection entirely via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    Impacted products
    Credits
    Muhammad Afnaan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8903",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-27T10:17:21.916694Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-27T10:36:08.618Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Two-factor authentication (formerly IP Vault)",
              "vendor": "youtag",
              "versions": [
                {
                  "lessThanOrEqual": "2.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Muhammad Afnaan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Two-factor authentication (formerly IP Vault) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1. This is due to missing or incorrect nonce validation on the ipv_save_changes function. This makes it possible for unauthenticated attackers to modify the plugin\u0027s firewall and two-factor authentication settings \u2014 including the operating mode, request include/exclude rules, authentication slug, and log retention period \u2014 potentially disabling protection entirely via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-27T05:31:25.787Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5a58f809-d051-4841-a1da-7bc1cf59e1a2?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/ip-vault-wp-firewall/trunk/includes/admin-settings.php#L14"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/ip-vault-wp-firewall/trunk/includes/admin-settings.php#L129"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/ip-vault-wp-firewall/trunk/ip-vault.php#L482"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-26T17:22:43.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Two-factor authentication (formerly IP Vault) \u003c= 2.1 - Cross-Site Request Forgery to Settings Update"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-8903",
        "datePublished": "2026-05-27T05:31:25.787Z",
        "dateReserved": "2026-05-18T21:17:54.084Z",
        "dateUpdated": "2026-05-27T10:36:08.618Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-4536 (GCVE-0-2022-4536)

    Vulnerability from nvd – Published: 2024-08-31 08:35 – Updated: 2026-04-08 16:58
    VLAI
    Title
    IP Vault – WP Firewall <= 1.1 - IP Address Spoofing to Protection Mechanism Bypass
    Summary
    The IP Vault – WP Firewall plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 1.1. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the X-Forwarded-For header with with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address or country from logging in.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-348 - Use of Less Trusted Source
    Assigner
    Impacted products
    Vendor Product Version
    youtag Two-factor authentication (formerly IP Vault) Affected: 0 , ≤ 1.1 (semver)
    Create a notification for this product.
    youtag two-factor_authentication Affected: 0 , ≤ 1.1 (custom)
        cpe:2.3:a:youtag:two-factor_authentication:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Mohammadreza Rashidi
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:youtag:two-factor_authentication:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "two-factor_authentication",
                "vendor": "youtag",
                "versions": [
                  {
                    "lessThanOrEqual": "1.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-4536",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-03T14:18:48.487003Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-03T14:21:17.187Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Two-factor authentication (formerly IP Vault)",
              "vendor": "youtag",
              "versions": [
                {
                  "lessThanOrEqual": "1.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Mohammadreza Rashidi"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The IP Vault \u2013 WP Firewall plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 1.1. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the X-Forwarded-For header with with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address or country from logging in."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-348",
                  "description": "CWE-348 Use of Less Trusted Source",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:58:06.162Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/66e89753-f83e-4e60-b165-6d3d101d6c59?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2922250%40ip-vault-wp-firewall\u0026new=2922250%40ip-vault-wp-firewall\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-08-30T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "IP Vault \u2013 WP Firewall \u003c= 1.1 - IP Address Spoofing to Protection Mechanism Bypass"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2022-4536",
        "datePublished": "2024-08-31T08:35:18.197Z",
        "dateReserved": "2022-12-16T01:26:59.859Z",
        "dateUpdated": "2026-04-08T16:58:06.162Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8903 (GCVE-0-2026-8903)

    Vulnerability from cvelistv5 – Published: 2026-05-27 05:31 – Updated: 2026-05-27 10:36
    VLAI
    Title
    Two-factor authentication (formerly IP Vault) <= 2.1 - Cross-Site Request Forgery to Settings Update
    Summary
    The Two-factor authentication (formerly IP Vault) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1. This is due to missing or incorrect nonce validation on the ipv_save_changes function. This makes it possible for unauthenticated attackers to modify the plugin's firewall and two-factor authentication settings — including the operating mode, request include/exclude rules, authentication slug, and log retention period — potentially disabling protection entirely via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    Impacted products
    Credits
    Muhammad Afnaan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8903",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-27T10:17:21.916694Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-27T10:36:08.618Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Two-factor authentication (formerly IP Vault)",
              "vendor": "youtag",
              "versions": [
                {
                  "lessThanOrEqual": "2.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Muhammad Afnaan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Two-factor authentication (formerly IP Vault) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1. This is due to missing or incorrect nonce validation on the ipv_save_changes function. This makes it possible for unauthenticated attackers to modify the plugin\u0027s firewall and two-factor authentication settings \u2014 including the operating mode, request include/exclude rules, authentication slug, and log retention period \u2014 potentially disabling protection entirely via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-27T05:31:25.787Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5a58f809-d051-4841-a1da-7bc1cf59e1a2?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/ip-vault-wp-firewall/trunk/includes/admin-settings.php#L14"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/ip-vault-wp-firewall/trunk/includes/admin-settings.php#L129"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/ip-vault-wp-firewall/trunk/ip-vault.php#L482"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-26T17:22:43.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Two-factor authentication (formerly IP Vault) \u003c= 2.1 - Cross-Site Request Forgery to Settings Update"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-8903",
        "datePublished": "2026-05-27T05:31:25.787Z",
        "dateReserved": "2026-05-18T21:17:54.084Z",
        "dateUpdated": "2026-05-27T10:36:08.618Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-4536 (GCVE-0-2022-4536)

    Vulnerability from cvelistv5 – Published: 2024-08-31 08:35 – Updated: 2026-04-08 16:58
    VLAI
    Title
    IP Vault – WP Firewall <= 1.1 - IP Address Spoofing to Protection Mechanism Bypass
    Summary
    The IP Vault – WP Firewall plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 1.1. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the X-Forwarded-For header with with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address or country from logging in.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-348 - Use of Less Trusted Source
    Assigner
    Impacted products
    Vendor Product Version
    youtag Two-factor authentication (formerly IP Vault) Affected: 0 , ≤ 1.1 (semver)
    Create a notification for this product.
    youtag two-factor_authentication Affected: 0 , ≤ 1.1 (custom)
        cpe:2.3:a:youtag:two-factor_authentication:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Mohammadreza Rashidi
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:youtag:two-factor_authentication:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "two-factor_authentication",
                "vendor": "youtag",
                "versions": [
                  {
                    "lessThanOrEqual": "1.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-4536",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-03T14:18:48.487003Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-03T14:21:17.187Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Two-factor authentication (formerly IP Vault)",
              "vendor": "youtag",
              "versions": [
                {
                  "lessThanOrEqual": "1.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Mohammadreza Rashidi"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The IP Vault \u2013 WP Firewall plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 1.1. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the X-Forwarded-For header with with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address or country from logging in."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-348",
                  "description": "CWE-348 Use of Less Trusted Source",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:58:06.162Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/66e89753-f83e-4e60-b165-6d3d101d6c59?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2922250%40ip-vault-wp-firewall\u0026new=2922250%40ip-vault-wp-firewall\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-08-30T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "IP Vault \u2013 WP Firewall \u003c= 1.1 - IP Address Spoofing to Protection Mechanism Bypass"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2022-4536",
        "datePublished": "2024-08-31T08:35:18.197Z",
        "dateReserved": "2022-12-16T01:26:59.859Z",
        "dateUpdated": "2026-04-08T16:58:06.162Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }