CVE-2025-13587
Awaiting Analysis Awaiting Analysis - Queue
Two-Factor Authentication Bypass in WordPress 2FA Plugin

Publication date: 2026-02-19

Last updated on: 2026-02-19

Assigner: Wordfence

Description
The Two Factor (2FA) Authentication via Email plugin for WordPress is vulnerable to Two-Factor Authentication Bypass in versions up to, and including, 1.9.8. This is because the SS88_2FAVE::wp_login() method only enforces the 2FA requirement if the 'token' HTTP GET parameter is undefined, which makes it possible to bypass two-factor authentication by supplying any value in the 'token' parameter during login, including an empty one.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-19
Last Modified
2026-02-19
Generated
2026-06-16
AI Q&A
2026-02-19
EPSS Evaluated
2026-06-15
NVD
CVE-2025-13587
EUVD
EUVD-2025-207872
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
neoboffin two_factor_2fa_authentication_via_email to 1.9.8 (inc)
neoboffin two_factor_2fa_authentication_via_email 1.9.9
ss88 two_factor_authentication_via_email to 1.9.8 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in the Two Factor (2FA) Authentication via Email plugin for WordPress allows an attacker to bypass two-factor authentication (2FA). This happens because the plugin's login method only enforces the 2FA check if the 'token' HTTP GET parameter is not present. If any value, including an empty one, is supplied in the 'token' parameter during login, the 2FA requirement is bypassed, allowing login without completing the second authentication step.

Impact Analysis

This vulnerability can lead to unauthorized access to user accounts protected by the plugin's two-factor authentication. Since the 2FA can be bypassed by manipulating the 'token' parameter, attackers with valid usernames and passwords can log in without needing the second authentication factor. This compromises the security of accounts, potentially allowing attackers to perform actions as the legitimate user.

Compliance Impact

I don't know

Detection Guidance

This vulnerability affects the WordPress plugin "Two Factor (2FA) Authentication via Email" up to version 1.9.8. Detection involves identifying if this plugin version is installed and if the login process improperly accepts any value in the 'token' HTTP GET parameter to bypass two-factor authentication.

To detect the vulnerability on your system, you can check the installed plugin version and monitor login requests for suspicious usage of the 'token' parameter.

  • Check the plugin version installed on your WordPress site by running a command or inspecting the plugin directory, for example:
  • grep -r 'Version' wp-content/plugins/two-factor-2fa-via-email/
  • Monitor web server logs for login requests containing the 'token' GET parameter with unusual or empty values, for example using grep:
  • grep 'token=' /var/log/apache2/access.log
  • Use curl or similar tools to test login behavior by sending requests with and without the 'token' parameter to see if 2FA is bypassed.
Mitigation Strategies

The immediate mitigation step is to update the "Two Factor (2FA) Authentication via Email" WordPress plugin to a version later than 1.9.8 where this vulnerability is fixed.

If updating is not immediately possible, consider temporarily disabling the plugin or the 2FA feature until a patched version is applied.

Additionally, monitor login attempts for suspicious activity involving the 'token' parameter and enforce strict access controls on the WordPress admin area.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13587. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart