CVE-2025-13587
Two-Factor Authentication Bypass in WordPress 2FA Plugin
Publication date: 2026-02-19
Last updated on: 2026-02-19
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| neoboffin | two_factor_2fa_authentication_via_email | to 1.9.8 (inc) |
| neoboffin | two_factor_2fa_authentication_via_email | 1.9.9 |
| ss88 | two_factor_authentication_via_email | to 1.9.8 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Two Factor (2FA) Authentication via Email plugin for WordPress allows an attacker to bypass two-factor authentication (2FA). This happens because the plugin's login method only enforces the 2FA check if the 'token' HTTP GET parameter is not present. If any value, including an empty one, is supplied in the 'token' parameter during login, the 2FA requirement is bypassed, allowing login without completing the second authentication step.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized access to user accounts protected by the plugin's two-factor authentication. Since the 2FA can be bypassed by manipulating the 'token' parameter, attackers with valid usernames and passwords can log in without needing the second authentication factor. This compromises the security of accounts, potentially allowing attackers to perform actions as the legitimate user.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects the WordPress plugin "Two Factor (2FA) Authentication via Email" up to version 1.9.8. Detection involves identifying if this plugin version is installed and if the login process improperly accepts any value in the 'token' HTTP GET parameter to bypass two-factor authentication.
To detect the vulnerability on your system, you can check the installed plugin version and monitor login requests for suspicious usage of the 'token' parameter.
- Check the plugin version installed on your WordPress site by running a command or inspecting the plugin directory, for example:
- grep -r 'Version' wp-content/plugins/two-factor-2fa-via-email/
- Monitor web server logs for login requests containing the 'token' GET parameter with unusual or empty values, for example using grep:
- grep 'token=' /var/log/apache2/access.log
- Use curl or similar tools to test login behavior by sending requests with and without the 'token' parameter to see if 2FA is bypassed.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the "Two Factor (2FA) Authentication via Email" WordPress plugin to a version later than 1.9.8 where this vulnerability is fixed.
If updating is not immediately possible, consider temporarily disabling the plugin or the 2FA feature until a patched version is applied.
Additionally, monitor login attempts for suspicious activity involving the 'token' parameter and enforce strict access controls on the WordPress admin area.