CVE-2026-8903
Status: Received - Intake
Cross-Site Request Forgery in Two-factor Authentication WordPress Plugin

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: Wordfence

Description
The Two-factor authentication (formerly IP Vault) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1. This is due to missing or incorrect nonce validation on the ipv_save_changes function. This makes it possible for unauthenticated attackers to modify the plugin's firewall and two-factor authentication settings (including the operating mode, request include/exclude rules, authentication slug, and log retention period), potentially disabling protection entirely via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Meta Information
Generated: 2026-05-27
AI Q&A generated: 2026-05-27
EPSS evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor                         Product                      Version / Range
wp_two_factor_authentication   two_factor_authentication    up to 2.1 (inclusive)
wordfence                      two-factor_authentication    up to 2.1 (inclusive)
CWE
CWE-352: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

The Two-factor authentication plugin for WordPress (formerly IP Vault) has a vulnerability known as Cross-Site Request Forgery (CSRF) in all versions up to and including 2.1. This vulnerability arises because the plugin's function ipv_save_changes lacks proper nonce validation. As a result, an attacker who is not authenticated can trick a site administrator into performing an action, such as clicking a malicious link, which allows the attacker to modify critical plugin settings.

  • The attacker can change firewall and two-factor authentication settings.
  • Settings that can be modified include operating mode, request include/exclude rules, authentication slug, and log retention period.
  • This can potentially disable protection entirely on the site.

How can this vulnerability impact me?

This vulnerability can impact you by allowing an unauthenticated attacker to alter your WordPress site's security settings without your consent. Specifically, they can disable or weaken the two-factor authentication and firewall protections, which are critical for securing your site.

  • Potential disabling of two-factor authentication protection.
  • Modification of firewall rules that could expose the site to further attacks.
  • Changing log retention periods, which may affect your ability to audit or investigate security incidents.
  • Overall increased risk of unauthorized access and compromise of the site.
