Description
The Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `MfaEmailDisable` action in all versions up to, and including, 21.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disable the global Email 2FA setting for the entire site.
Published: 2026-02-19
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Removal of site‑wide Email 2FA by authenticated users
Action: Immediate patch
AI Analysis

Impact

The Shield Security plugin for WordPress contains a missing capability check on the MfaEmailDisable action. An attacker who can authenticate with a subscriber‑level or higher role can invoke this action and toggle the global Email 2‑factor authentication setting off. That change removes MFA enforcement for all users, exposing accounts to credential‑stuffing and other password‑based attacks. The flaw is a classic Missing Authorization weakness, allowing a privileged user to perform actions intended for administrators.

Affected Systems

WordPress sites running Shield Security version 21.0.9 or earlier, developed by paultgoodchild. The affected product is the Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches plugin, any WordPress installation that has this plugin installed. Specific version details are up to and including 21.0.9.

Risk and Exploitability

The CVSS score of 4.3 reflects a moderate impact because the exploit requires an authenticated user with existing access, not a zero‑day. The EPSS score of less than 1% indicates low exploitation probability, and the vulnerability is not listed in CISA KEV. However, the attack vector is local; any user with Subscriber‑level or higher privileges on the site can disable MFA through the plugin’s settings page, raising the risk of credential compromise if MFA is the only defense against brute‑force attempts.

Generated by OpenCVE AI on April 21, 2026 at 15:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Shield Security plugin to a version later than 21.0.9 or apply the vendor’s patch when it becomes available.
  • If an update is not immediately possible, revoke or limit Subscriber‑level access on the affected WordPress site until the plugin is updated, ensuring only administrators can modify security settings.
  • After updating, verify that Email 2FA remains enabled and audit recent role assignments to detect any privileged users who may have disabled it during the breach window.

Generated by OpenCVE AI on April 21, 2026 at 15:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 01:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Feb 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Paultgoodchild
Paultgoodchild shield: Blocks Bots, Protects Users, And Prevents Security Breaches
Wordpress
Wordpress wordpress
Vendors & Products Paultgoodchild
Paultgoodchild shield: Blocks Bots, Protects Users, And Prevents Security Breaches
Wordpress
Wordpress wordpress

Thu, 19 Feb 2026 05:00:00 +0000

Type Values Removed Values Added
Description The Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `MfaEmailDisable` action in all versions up to, and including, 21.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disable the global Email 2FA setting for the entire site.
Title Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches <= 21.0.9 - Missing Authorization to Authenticated (Subscriber+) Email MFA Update
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Paultgoodchild Shield: Blocks Bots, Protects Users, And Prevents Security Breaches
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:09:18.558Z

Reserved: 2025-12-10T02:33:33.560Z

Link: CVE-2025-14427

cve-icon Vulnrichment

Updated: 2026-02-19T21:07:16.662Z

cve-icon NVD

Status : Deferred

Published: 2026-02-19T07:17:35.263

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14427

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T16:00:13Z

Weaknesses