CVE-2025-12628
BaseFortify
Publication date: 2025-11-24
Last updated on: 2025-11-25
Assigner: WPScan
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_2fa | wp_2fa | 3.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the WP 2FA WordPress plugin in versions prior to 3.0.0, where the plugin generates backup codes with insufficient entropy. The backup codes are only 6 digits long and are not generated with adequate randomness, so the space an attacker has to search is at most 1,000,000 values, and in practice smaller. An attacker who already holds the first factor (username and password) can therefore brute force the backup code to bypass the second factor: they automate the second-factor step, submitting candidate codes until one is accepted, and gain access to the account without the legitimate second factor. [1]
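The point above is about keyspace and attempt limiting rather than anything specific to WordPress. The following is an added illustration, not code from WP 2FA or from WPScan: it models a 6-digit numeric backup code beside a hardened scheme (longer code from a CSPRNG, hashed at rest, single use, with a failed-attempt lockout) and runs the same sequential brute force against both. The alphabet, code length, lockout threshold and the plaintext sample code `004242` are assumptions chosen for the example.

```python
"""Added example (not WP 2FA's code): a 6-digit backup code versus a hardened scheme."""
import hashlib
import hmac
import secrets
import string

WEAK_DIGITS = 6                                        # vulnerable scheme: 10**6 values at most
STRONG_ALPHABET = string.ascii_lowercase + string.digits  # assumption: 36 symbols
STRONG_LENGTH = 10                                     # assumption: 36**10 ~ 3.7e15 values
MAX_FAILED_ATTEMPTS = 10                               # assumption: lockout after 10 failures


def weak_backup_code() -> str:
    """Models the vulnerable scheme: a 6-digit numeric code.  Even with a perfect RNG
    there are only 1,000,000 values; the advisory's weak generator shrinks that further."""
    return f"{secrets.randbelow(10 ** WEAK_DIGITS):0{WEAK_DIGITS}d}"


def strong_backup_code() -> str:
    """Hardened scheme: a long code drawn from a CSPRNG (os.urandom via secrets)."""
    return "".join(secrets.choice(STRONG_ALPHABET) for _ in range(STRONG_LENGTH))


def keyspace(alphabet_size: int, length: int) -> int:
    return alphabet_size ** length


def expected_attempts(space: int) -> int:
    """On average half the keyspace is tried before a uniformly random code is hit."""
    return space // 2


def brute_force_seconds(space: int, requests_per_second: float) -> float:
    """Expected wall-clock time for an online guess at the given request rate."""
    return expected_attempts(space) / requests_per_second


class BackupCodeStore:
    """Server-side verifier.  Codes are stored hashed, each is single use, and an
    optional failed-attempt counter locks the account (the hardened behaviour)."""

    def __init__(self, codes, max_failed_attempts=None):
        self._hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
        self.max_failed = max_failed_attempts
        self.failed = 0
        self.locked = False

    def verify(self, candidate: str) -> bool:
        if self.locked:
            return False
        digest = hashlib.sha256(candidate.encode()).hexdigest()
        match = next((h for h in self._hashes if hmac.compare_digest(h, digest)), None)
        if match is not None:
            self._hashes.discard(match)      # single use: a guessed code cannot be replayed
            self.failed = 0
            return True
        self.failed += 1
        if self.max_failed is not None and self.failed >= self.max_failed:
            self.locked = True
        return False


def brute_force_numeric(store: BackupCodeStore, digits: int = WEAK_DIGITS):
    """The attack the advisory describes: submit 000000 upward until one is accepted.
    Returns (attempts_made, success)."""
    for n in range(10 ** digits):
        if store.verify(f"{n:0{digits}d}"):
            return n + 1, True
        if store.locked:
            return n + 1, False
    return 10 ** digits, False


if __name__ == "__main__":
    print("6-digit keyspace:", keyspace(10, WEAK_DIGITS),
          "expected attempts:", expected_attempts(keyspace(10, WEAK_DIGITS)),
          "at 50 req/s:", brute_force_seconds(keyspace(10, WEAK_DIGITS), 50), "s")
    weak = BackupCodeStore(["004242"])                     # constructed weak code, no lockout
    print("weak store:", brute_force_numeric(weak))         # found at attempt 4243
    strong = BackupCodeStore([strong_backup_code()], MAX_FAILED_ATTEMPTS)
    print("hardened store:", brute_force_numeric(strong), "locked:", strong.locked)
```

The weak store falls to a sequential search in a few thousand guesses; the hardened store locks after the assumed ten failures, and even without the lockout the 36^10 keyspace makes an online search impractical.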
How can this vulnerability impact me?
This vulnerability can allow an attacker who has obtained your username and password to bypass the second factor authentication by brute forcing the weak backup codes. This means your account's additional layer of security can be defeated, potentially leading to unauthorized access to your WordPress admin dashboard and sensitive data. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The simplest check is the installed version: any WP 2FA install older than 3.0.0 is affected, and the version is visible on the WordPress admin Plugins page or through WP-CLI. The vulnerability can also be confirmed directly, on a test instance you own, by brute forcing the 6-digit backup codes. A proof of concept script exists that automates this using Python with the requests and BeautifulSoup libraries: it logs in with valid credentials, extracts the authentication nonce from the second-factor form, and submits backup codes from 000000 upward until a redirect to the admin dashboard signals a successful bypass. Do not run such a script against production systems, since it is the attack itself and will lock out or alert on accounts where brute-force protections exist. On a live system, look instead for the footprint the attack leaves: a burst of POST requests to the login endpoint from one source after a successful password step. [1]
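A detector for that footprint, as an added example that is not part of the original advisory or the WPScan proof of concept: it parses web server access-log lines in the common combined format, counts POSTs to the login endpoint per source address in a sliding window, and reports sources that exceed a threshold, noting whether any of their POSTs ended in a 302 (the redirect the proof of concept uses as its success signal). The monitored path `/wp-login.php`, the 60-second window, the threshold of 20 and the log lines themselves are constructed assumptions; the WP 2FA second-factor form path on a given site should be confirmed and added to `MONITORED_PATHS`.

```python
"""Added example (not from the advisory): flag backup-code brute forcing in access logs."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
MONITORED_PATHS = ("/wp-login.php",)   # assumption: confirm the 2FA form's POST target on your site
WINDOW = timedelta(seconds=60)         # assumption
THRESHOLD = 20                         # assumption: POSTs per window that count as a burst


def parse_line(line: str):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])


def find_bruteforce(lines, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window count of POSTs to monitored paths per source IP.
    Returns {ip: {"max_in_window": n, "saw_redirect": bool}} for IPs at or above threshold."""
    recent = defaultdict(deque)       # ip -> timestamps of POSTs inside the current window
    peak = defaultdict(int)
    redirected = defaultdict(bool)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path not in MONITORED_PATHS:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
        if status == 302:             # a redirect after a burst may be the successful bypass
            redirected[ip] = True
    return {
        ip: {"max_in_window": n, "saw_redirect": redirected[ip]}
        for ip, n in peak.items() if n >= threshold
    }


def _line(ip, second, method, path, status):
    return (f'{ip} - - [24/Nov/2025:10:15:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


# Constructed sample: one address hammers the login endpoint 25 times in 25 seconds and
# finally gets a 302; a normal user logs in with a single POST; GETs are ignored.
SAMPLE_LOG = (
    [_line("203.0.113.7", s, "POST", "/wp-login.php", 200) for s in range(24)]
    + [_line("203.0.113.7", 24, "POST", "/wp-login.php", 302)]
    + [_line("203.0.113.7", s, "GET", "/wp-login.php", 200) for s in range(25, 30)]
    + [_line("198.51.100.4", 3, "GET", "/wp-login.php", 200),
       _line("198.51.100.4", 9, "POST", "/wp-login.php", 302),
       _line("198.51.100.4", 10, "GET", "/wp-admin/", 200),
       "this line is not in log format and is skipped"]
)

if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['max_in_window']} POSTs in {WINDOW.seconds}s, "
              f"redirect seen: {info['saw_redirect']}")
```

The same loop can be fed from a live log tail; the threshold should sit well below the number of guesses a 6-digit search needs, since no legitimate user submits more than a handful of backup codes in a minute.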
What immediate steps should I take to mitigate this vulnerability?
The immediate step is to update the WP 2FA WordPress plugin to version 3.0.0 or later, where the insufficient entropy in backup codes has been fixed. Until the update is applied, disable the backup code feature, and put brute-force protection in front of the second-factor step (per-account failed-attempt lockouts and rate limiting on the login endpoint), since a 6-digit code only holds up if the number of guesses an attacker can make is bounded. [1]