Description
The Two Factor (2FA) Authentication via Email plugin for WordPress is vulnerable to Two-Factor Authentication Bypass in versions up to, and including, 1.9.8. This is because the SS88_2FAVE::wp_login() method only enforces the 2FA requirement if the 'token' HTTP GET parameter is undefined, which makes it possible to bypass two-factor authentication by supplying any value in the 'token' parameter during login, including an empty one.
Published: 2026-02-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Two-factor authentication bypass
Action: Immediate Patch
AI Analysis

Impact

The WordPress Two Factor (2FA) Authentication via Email plugin fails to enforce the second factor when the HTTP GET parameter ‘token’ is present, even if it is empty. This flaw, based on improper input validation (CWE‑20), enables an attacker to log in without completing the two‑factor step. A successful bypass undermines account security and grants an attacker unauthorized access to any account credentials that reach the login endpoint.

Affected Systems

Users of the Two Factor (2FA) Authentication via Email WordPress plugin from ss88_uk, versions 1.9.8 and earlier, are affected. No other vendors or products are listed.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity. The EPSS score of less than 1 % suggests a low likelihood of widespread exploitation at present, and the vulnerability is not yet listed in CISA’s KEV catalog. Exploitation requires an attacker to supply a ‘token’ value during login, which most current login implementations do not reject. If the vulnerable plugin is enabled, credential holders can be compromised with this simple parameter manipulation.

Generated by OpenCVE AI on April 22, 2026 at 19:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Two Factor (2FA) Authentication via Email plugin to a version newer than 1.9.8 that removes the token‑bypass logic.
  • Reconfigure or patch the plugin to reject any ‘token’ value that is not a valid, cryptographically signed token before allowing authentication to proceed.
  • Verify that the site’s login flow requires a second factor after successful credential validation, and monitor logs for unexpected ‘token’ parameters in login attempts.

Generated by OpenCVE AI on April 22, 2026 at 19:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 01:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Feb 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Ss88 Uk
Ss88 Uk two Factor (2fa) Authentication Via Email
Wordpress
Wordpress wordpress
Vendors & Products Ss88 Uk
Ss88 Uk two Factor (2fa) Authentication Via Email
Wordpress
Wordpress wordpress

Thu, 19 Feb 2026 05:00:00 +0000

Type Values Removed Values Added
Description The Two Factor (2FA) Authentication via Email plugin for WordPress is vulnerable to Two-Factor Authentication Bypass in versions up to, and including, 1.9.8. This is because the SS88_2FAVE::wp_login() method only enforces the 2FA requirement if the 'token' HTTP GET parameter is undefined, which makes it possible to bypass two-factor authentication by supplying any value in the 'token' parameter during login, including an empty one.
Title Two Factor (2FA) Authentication via Email <= 1.9.8 - Two-Factor Authentication Bypass via token
Weaknesses CWE-20
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

Subscriptions

Ss88 Uk Two Factor (2fa) Authentication Via Email
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:36:20.584Z

Reserved: 2025-11-23T14:04:31.558Z

Link: CVE-2025-13587

cve-icon Vulnrichment

Updated: 2026-02-19T17:04:08.899Z

cve-icon NVD

Status : Deferred

Published: 2026-02-19T07:17:31.087

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13587

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T20:00:08Z

Weaknesses