Description
The WebAuthn Provider for Two Factor WordPress plugin before 2.5.6 does not correctly validate the second-factor authentication response, allowing an attacker who already knows a user's password to bypass the two-factor authentication requirement by submitting a malformed request.
Published: 2026-07-01
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WebAuthn Provider for Two Factor WordPress plugin before version 2.5.6 does not correctly validate the second‑factor (WebAuthn assertion) response. An attacker who already knows the victim's password can submit a malformed second‑factor request that the plugin accepts instead of rejecting, so the login completes without a valid authenticator response and the two‑factor requirement is bypassed. The attacker then holds the victim's account with whatever privileges that account has; for an administrator account that means control of the site and a loss of confidentiality, integrity and availability.

Affected Systems

The affected product is the WordPress plugin WebAuthn Provider for Two Factor. The vulnerability is present in all releases prior to 2.5.6. No other vendors or product variants are listed.

Risk and Exploitability

Exploitation requires the victim's valid password; the attacker then only has to submit a crafted (malformed) second‑factor response rather than a genuine authenticator assertion. Without the password the issue is not exploitable, so it matters where credentials are already compromised (phishing, reuse, credential stuffing), which is exactly the situation a second factor is meant to cover. The CVSS v3.1 vector recorded for this entry, AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (score 7.2, High), expresses that prerequisite as PR:H. EPSS is below 1%, the SSVC assessment records public proof‑of‑concept exploitation while marking the issue not automatable, and the vulnerability is not in the CISA KEV catalog. Despite the low EPSS, any site that relies on this plugin for its second‑factor step should treat the issue as high severity, since it reduces those accounts to password‑only protection.

Generated by OpenCVE AI on July 1, 2026 at 08:33 UTC.

Remediation

No vendor advisory or workaround is linked on this page; the description identifies 2.5.6 as the first version that is not affected.

OpenCVE Recommended Actions

  • Upgrade the WebAuthn Provider for Two Factor plugin to version 2.5.6 or later, the first version the description lists as unaffected.
  • If an immediate upgrade is not possible, do not rely on this plugin as the second factor: disable it and enforce another second‑factor method, or treat the affected accounts as password‑only and tighten password and login‑rate policies until the plugin is updated.
  • After upgrading, confirm that the second factor is actually enforced: log in with valid credentials and check that a WebAuthn challenge is presented, and that a login attempt with a missing, empty or tampered second‑factor response is rejected rather than completed.
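As an added example serving both the Impact analysis above (what "does not correctly validate the second‑factor response" means on the relying‑party side) and the last recommended action (checking that a missing or tampered response is rejected), the Go program below implements a fail‑closed WebAuthn assertion check. It is editor‑supplied code, not the plugin's own implementation, whose internals this page does not describe. The relying party `example.com`, the challenge bytes and the freshly generated P‑256 credential are constructed test data, and `SecondFactorSatisfiedFailOpen` is a hypothetical anti‑pattern of the CWE‑20/CWE‑285 shape listed under Weaknesses, not code taken from the plugin.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Assertion is what the browser posts back from navigator.credentials.get(), base64url-decoded.
type Assertion struct {
	ClientDataJSON    []byte
	AuthenticatorData []byte
	Signature         []byte
}

// RelyingParty is the server-side state the second-factor check must compare against.
type RelyingParty struct {
	ID        string           // RP ID, e.g. "example.com" (constructed for this example)
	Origin    string           // expected origin, e.g. "https://example.com"
	Challenge []byte           // challenge issued for this login attempt, kept server side
	PublicKey *ecdsa.PublicKey // registered credential key (ES256 / P-256)
}

// signedDigest is what an ES256 authenticator signs: SHA-256(authData || SHA-256(clientDataJSON)).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// VerifyAssertion runs the relying-party checks of WebAuthn section 7.2 (rpIdHash, flags,
// type, challenge, origin, signature) and fails closed: any defect is an error, never a pass.
func VerifyAssertion(rp RelyingParty, a Assertion) error {
	var cd map[string]any // clientDataJSON: type, challenge, origin (other keys tolerated)
	rpIDHash := sha256.Sum256([]byte(rp.ID))
	switch { // cases run in order, so later ones may rely on the earlier length checks
	case rp.PublicKey == nil || len(rp.Challenge) == 0:
		return errors.New("no registered credential or no pending challenge")
	case len(a.ClientDataJSON) == 0 || len(a.AuthenticatorData) < 37 || len(a.Signature) == 0:
		return errors.New("malformed assertion: missing or truncated field")
	case json.Unmarshal(a.ClientDataJSON, &cd) != nil:
		return errors.New("clientDataJSON is not a valid JSON object")
	case cd["type"] != "webauthn.get" || cd["origin"] != rp.Origin:
		return errors.New("clientDataJSON type or origin mismatch")
	case cd["challenge"] != base64.RawURLEncoding.EncodeToString(rp.Challenge):
		return errors.New("challenge does not match the one issued for this login")
	case string(a.AuthenticatorData[:32]) != string(rpIDHash[:]):
		return errors.New("rpIdHash mismatch")
	case a.AuthenticatorData[32]&0x01 == 0: // flags byte, bit 0 = User Present
		return errors.New("user-present flag not set")
	case !ecdsa.VerifyASN1(rp.PublicKey, signedDigest(a.AuthenticatorData, a.ClientDataJSON), a.Signature):
		return errors.New("signature verification failed")
	}
	return nil
}

// SecondFactorSatisfied is the fail-closed decision a login handler should make.
func SecondFactorSatisfied(rp RelyingParty, a Assertion) bool {
	return VerifyAssertion(rp, a) == nil
}

// SecondFactorSatisfiedFailOpen is a hypothetical anti-pattern (not the plugin's code) of the
// CWE-20/CWE-285 shape described: an unparseable response counts as "nothing to verify".
func SecondFactorSatisfiedFailOpen(rp RelyingParty, a Assertion) bool {
	if !json.Valid(a.ClientDataJSON) {
		return true // wrong: malformed second-factor input must fail the factor
	}
	return SecondFactorSatisfied(rp, a)
}

// MakeTestAssertion stands in for a real authenticator (constructed test data): a fresh P-256 key is registered on rp.
func MakeTestAssertion(rp *RelyingParty) Assertion {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	rp.PublicKey = &priv.PublicKey
	cdJSON, _ := json.Marshal(map[string]any{"type": "webauthn.get", "origin": rp.Origin,
		"challenge": base64.RawURLEncoding.EncodeToString(rp.Challenge), "crossOrigin": false})
	rpIDHash := sha256.Sum256([]byte(rp.ID))
	authData := append(rpIDHash[:], 0x01, 0, 0, 0, 1) // flags: User Present; counter = 1
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cdJSON))
	if err != nil {
		panic(err)
	}
	return Assertion{ClientDataJSON: cdJSON, AuthenticatorData: authData, Signature: sig}
}

func main() {
	rp := RelyingParty{ID: "example.com", Origin: "https://example.com", Challenge: []byte("constructed-challenge")}
	good := MakeTestAssertion(&rp)
	bad := Assertion{ClientDataJSON: []byte("{not json"), AuthenticatorData: good.AuthenticatorData, Signature: good.Signature}
	fmt.Println("genuine:", SecondFactorSatisfied(rp, good), "malformed fail-closed:", SecondFactorSatisfied(rp, bad), "malformed fail-open:", SecondFactorSatisfiedFailOpen(rp, bad))
}
```

Run with `go run`: the fail‑closed check accepts the genuine assertion and rejects the malformed request, while the anti‑pattern accepts the malformed request. The same rule applies to a PHP plugin: every decoding or verification failure must end the login attempt, and a handler must never infer "no second factor required" from a response it could not parse.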


Advisories

No advisories yet.

History

Wed, 01 Jul 2026 11:30:00 +0000

Type: Metrics
Values removed: none
Values added:
  cvssV3_1
    {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}
  ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 09:00:00 +0000

Type: Weaknesses
Values removed: none
Values added: CWE-20, CWE-285

Wed, 01 Jul 2026 06:45:00 +0000

Type: Description
Values removed: none
Values added: The WebAuthn Provider for Two Factor WordPress plugin before 2.5.6 does not correctly validate the second-factor authentication response, allowing an attacker who already knows a user's password to bypass the two-factor authentication requirement by submitting a malformed request.

Type: Title
Values removed: none
Values added: WebAuthn Provider for Two Factor < 2.5.6 - 2FA Bypass

Type: References
Values removed: none
Values added: none listed on this page


MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-07-01T10:16:55.102Z

Reserved: 2026-06-10T13:48:22.029Z

Link: CVE-2026-11883

Vulnrichment

Updated: 2026-07-01T10:16:45.653Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T08:45:15Z

Weaknesses
  • CWE-20

    Improper Input Validation

  • CWE-285

    Improper Authorization