CVE-2025-15370
BaseFortify
Publication date: 2026-01-16
Last updated on: 2026-01-16
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fernleafsystems | wp-simple-firewall | up to and including 21.0.9 |
| fernleafsystems | wp-simple-firewall | 21.0.10 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Insecure Direct Object Reference (IDOR) in the Shield: Blocks Bots, Protects Users, and Prevents Security Breaches WordPress plugin (also known as wp-simple-firewall) up to version 21.0.9. It occurs in the MfaGoogleAuthToggle class due to missing validation on a user-controlled key, allowing authenticated attackers with Subscriber-level access or higher to disable Google Authenticator multi-factor authentication (MFA) for any user without proper authorization. [1, 2]
How can this vulnerability impact me?
This vulnerability allows an attacker with at least Subscriber-level access to disable Google Authenticator MFA for any user, potentially reducing the security of user accounts by removing an important layer of authentication. This could lead to unauthorized access if attackers exploit this to bypass MFA protections, increasing the risk of account compromise and security breaches. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Update the wp-simple-firewall WordPress plugin to version 21.0.10 or later, as this version includes security fixes that address CVE-2025-15370 by hardening data handling, improving MFA configuration validation, and preventing unauthorized disabling of Google Authenticator MFA. [2]