Search

Find a vulnerability

Search criteria

    4 vulnerabilities found for WP 2FA by Unknown

    CVE-2025-12628 (GCVE-0-2025-12628)

    Vulnerability from nvd – Published: 2025-11-24 12:58 – Updated: 2025-11-24 15:09
    VLAI
    Title
    WP 2FA < 3.0.0 - Second Factor Bypass
    Summary
    The WP 2FA WordPress plugin does not generate backup codes with enough entropy, which could allow attackers to bypass the second factor by brute forcing them
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/5e2d033c-dde6-47… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown WP 2FA Affected: 0 , < 3.0.0 (semver)
    Create a notification for this product.
    Credits
    Benjamin Nadarević WPScan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "LOW",
                  "baseScore": 6.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-12628",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-24T15:09:08.290659Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-24T15:09:10.780Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "product": "WP 2FA",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "3.0.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Benjamin Nadarevi\u0107"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WP 2FA WordPress plugin does not generate backup codes with enough entropy, which could allow attackers to bypass the second factor by brute forcing them"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-331 Insufficient Entropyy",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-24T12:58:37.015Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/5e2d033c-dde6-4774-8588-cbe268c0d797/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WP 2FA \u003c 3.0.0 - Second Factor Bypass",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2025-12628",
        "datePublished": "2025-11-24T12:58:37.015Z",
        "dateReserved": "2025-11-03T09:14:18.190Z",
        "dateUpdated": "2025-11-24T15:09:10.780Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-2891 (GCVE-0-2022-2891)

    Vulnerability from nvd – Published: 2022-10-10 00:00 – Updated: 2024-08-03 00:53
    VLAI
    Title
    WP 2FA < 2.3.0 - Time-Based Side-Channel Attack
    Summary
    The WP 2FA WordPress plugin before 2.3.0 uses comparison operators that don't mitigate time-based attacks, which could be abused to leak information about the authentication codes being compared.
    Severity
    No CVSS data available.
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/301b3dce-2584-46… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown WP 2FA Affected: 0 , < 2.3.0 (custom)
    Create a notification for this product.
    Credits
    Calvin Alkan WPScan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:53:00.501Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "exploit",
                  "vdb-entry",
                  "technical-description",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/301b3dce-2584-46ec-92ed-1c0626522120"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "product": "WP 2FA",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.3.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Calvin Alkan"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WP 2FA WordPress plugin before 2.3.0 uses comparison operators that don\u0027t mitigate time-based attacks, which could be abused to leak information about the authentication codes being compared."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-203 Observable Discrepancy",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-07-24T09:59:20.811Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/301b3dce-2584-46ec-92ed-1c0626522120"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WP 2FA \u003c 2.3.0 - Time-Based Side-Channel Attack",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2022-2891",
        "datePublished": "2022-10-10T00:00:00.000Z",
        "dateReserved": "2022-08-18T00:00:00.000Z",
        "dateUpdated": "2024-08-03T00:53:00.501Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-12628 (GCVE-0-2025-12628)

    Vulnerability from cvelistv5 – Published: 2025-11-24 12:58 – Updated: 2025-11-24 15:09
    VLAI
    Title
    WP 2FA < 3.0.0 - Second Factor Bypass
    Summary
    The WP 2FA WordPress plugin does not generate backup codes with enough entropy, which could allow attackers to bypass the second factor by brute forcing them
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/5e2d033c-dde6-47… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown WP 2FA Affected: 0 , < 3.0.0 (semver)
    Create a notification for this product.
    Credits
    Benjamin Nadarević WPScan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "LOW",
                  "baseScore": 6.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-12628",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-24T15:09:08.290659Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-24T15:09:10.780Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "product": "WP 2FA",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "3.0.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Benjamin Nadarevi\u0107"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WP 2FA WordPress plugin does not generate backup codes with enough entropy, which could allow attackers to bypass the second factor by brute forcing them"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-331 Insufficient Entropyy",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-24T12:58:37.015Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/5e2d033c-dde6-4774-8588-cbe268c0d797/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WP 2FA \u003c 3.0.0 - Second Factor Bypass",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2025-12628",
        "datePublished": "2025-11-24T12:58:37.015Z",
        "dateReserved": "2025-11-03T09:14:18.190Z",
        "dateUpdated": "2025-11-24T15:09:10.780Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-2891 (GCVE-0-2022-2891)

    Vulnerability from cvelistv5 – Published: 2022-10-10 00:00 – Updated: 2024-08-03 00:53
    VLAI
    Title
    WP 2FA < 2.3.0 - Time-Based Side-Channel Attack
    Summary
    The WP 2FA WordPress plugin before 2.3.0 uses comparison operators that don't mitigate time-based attacks, which could be abused to leak information about the authentication codes being compared.
    Severity
    No CVSS data available.
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/301b3dce-2584-46… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown WP 2FA Affected: 0 , < 2.3.0 (custom)
    Create a notification for this product.
    Credits
    Calvin Alkan WPScan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:53:00.501Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "exploit",
                  "vdb-entry",
                  "technical-description",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/301b3dce-2584-46ec-92ed-1c0626522120"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "product": "WP 2FA",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.3.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Calvin Alkan"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WP 2FA WordPress plugin before 2.3.0 uses comparison operators that don\u0027t mitigate time-based attacks, which could be abused to leak information about the authentication codes being compared."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-203 Observable Discrepancy",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-07-24T09:59:20.811Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/301b3dce-2584-46ec-92ed-1c0626522120"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WP 2FA \u003c 2.3.0 - Time-Based Side-Channel Attack",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2022-2891",
        "datePublished": "2022-10-10T00:00:00.000Z",
        "dateReserved": "2022-08-18T00:00:00.000Z",
        "dateUpdated": "2024-08-03T00:53:00.501Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }