CVE-2025-10293
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-15

Last updated on: 2025-10-16

Assigner: Wordfence

Description
The Keyy Two Factor Authentication (like Clef) plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.2.3. This is due to the plugin not properly validating a user's identity associated with a token generated. This makes it possible for authenticated attackers, with subscriber-level access and above, to generate valid auth tokens and leverage that to auto-login as other accounts, including administrators, as long as the administrator has the 2FA set up.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-15
Last Modified
2025-10-16
Generated
2026-06-16
AI Q&A
2025-10-15
EPSS Evaluated
2026-06-15
NVD
CVE-2025-10293
EUVD
EUVD-2025-34570
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nexist keyy *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in the Keyy Two Factor Authentication plugin for WordPress allows authenticated users with subscriber-level access or higher to escalate their privileges by taking over other user accounts. This happens because the plugin does not properly validate the identity associated with generated authentication tokens. As a result, an attacker can generate valid tokens and automatically log in as other users, including administrators who have two-factor authentication enabled.

Impact Analysis

This vulnerability can allow an attacker with low-level access to gain unauthorized access to higher-privileged accounts, including administrators. This can lead to full site compromise, unauthorized changes, data theft, or other malicious activities since the attacker can bypass two-factor authentication protections.

Mitigation Strategies

Immediate steps to mitigate this vulnerability include disabling or removing the Keyy Two Factor Authentication plugin from your WordPress site, especially if you are using version 1.2.3 or earlier. Since the plugin has been closed and removed from download availability as of October 14, 2025, pending a full review, you should avoid using it until a secure version is released. Additionally, consider reviewing user accounts with subscriber-level access and above for suspicious activity and ensure administrators using 2FA are aware of the risk. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-10293. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart