Impact
The vulnerability exists in the Keyy Two Factor Authentication (like Clef) plugin for WordPress, versions up to 1.2.3. The flaw arises because the plugin fails to validate the identity associated with tokens it generates. As a result, any authenticated user with at least subscriber level can fabricate a valid authentication token and use it to bypass two‑factor authentication, effectively logging in as another account, including administrators if they have 2FA enabled. This enables privilege escalation, allowing attackers to compromise the site’s integrity and confidentiality (CWE‑287).
Affected Systems
The flaw affects WordPress sites that have the Keyy Two Factor Authentication (like Clef) plugin installed at version 1.2.3 or earlier. The vulnerability is confined to the plugin itself; it requires an active WordPress installation with the plugin enabled. All users with subscriber or higher privileges are potentially capable of exploiting it if the system has no additional protections.
Risk and Exploitability
The Common Vulnerability Scoring System rates this issue at 8.8, classifying it as high severity. EPSS indicates a very low exploitation probability (<1%) at the moment, and the vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog. The attack requires prior authentication: an attacker must first hold valid credentials with at least subscriber‑level access. Once inside, they can generate forged tokens through the plugin’s token‑generation endpoint and immediately hijack any target account that has two‑factor authentication activated, resulting in privilege escalation across the site.
OpenCVE Enrichment