Description
The Shield: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 21.0.9 via the MfaGoogleAuthToggle class due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disable Google Authenticator for any user.
Published: 2026-01-16
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized disabling of Google Authenticator (MFA)
Action: Patch
AI Analysis

Impact

The Shield plugin for WordPress suffers from an insecure direct object reference in the class that toggles Google Authenticator. An attacker with any authenticated role at the Subscriber level or higher can supply a user-controlled key and bypass the authorization check, enabling them to turn off two-factor authentication for any account. This removes a critical protective factor and gives the attacker a convenient foothold for subsequent account compromise.

Affected Systems

The vulnerability affects the Shield: Blocks Bots, Protects Users, and Prevents Security Breaches WordPress plugin, specifically all releases up to and including version 21.0.9.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate impact, and the EPSS score of less than 1% signals a low probability of exploitation at the time of analysis. The vulnerability requires that the attacker already be logged in with Subscriber-level rights or higher, so any breach would need prior credential compromise. Because disabling MFA removes an essential authentication barrier, the potential damage is significant even though this is not a remote code execution flaw. The issue is not listed in the CISA KEV catalog, implying no widespread exploitation has been documented yet. However, the ability to remove MFA is a valuable capability for attackers, warranting prompt remediation.

Generated by OpenCVE AI on April 21, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Shield plugin to the latest released version that addresses the IDOR flaw (at least 21.1.0 if available);
  • Restrict the ability to toggle Google Authenticator to administrator‑only roles by tightening the plugin’s role permissions or using a role manager to revoke subscriber‑level access to the MFA toggle feature;
  • Implement monitoring of MFA configuration changes and alert on any unexpected disabling of two-factor authentication.


Tracking


Advisories

No advisories yet.

History

Fri, 16 Jan 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 16 Jan 2026 14:15:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Fri, 16 Jan 2026 05:00:00 +0000

Type: Description
Values Added: The Shield: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 21.0.9 via the MfaGoogleAuthToggle class due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disable Google Authenticator for any user.

Type: Title
Values Added: Shield Security <= 21.0.9 - Authenticated (Subscriber+) Insecure Direct Object Reference to Disable Google Authenticator

Type: Weaknesses
Values Added: CWE-639

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:26:36.042Z

Reserved: 2025-12-30T17:25:48.869Z

Link: CVE-2025-15370

Vulnrichment

Updated: 2026-01-16T14:44:26.935Z

NVD

Status: Deferred

Published: 2026-01-16T05:16:12.717

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-15370

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T16:30:40Z

Weaknesses