Impact
The WebAuthn Provider for Two Factor WordPress plugin before version 2.5.6 fails to validate the second‑factor authentication response. An attacker who already knows the victim’s password can submit a malformed request that tricks the plugin into accepting the login without the second factor, effectively bypassing the two‑factor authentication mechanism. This permits the attacker to access the victim’s account with full privileges, potentially compromising confidentiality, integrity, and availability of the site.
Affected Systems
The affected product is the WordPress plugin WebAuthn Provider for Two Factor. The vulnerability is present in all releases prior to 2.5.6. No other vendors or product variants are listed.
Risk and Exploitability
Exploitation requires that the attacker already holds valid user credentials; beyond that, only a forged authentication request is needed. Without the password the attack is ineffective, so exploitation is limited to scenarios where credentials have already been compromised, which is exactly the scenario a second factor is meant to protect against. No EPSS (Exploit Prediction Scoring System) score is available, and the vulnerability is not in the CISA KEV catalog. No CVSS score is provided in the data, but the consequences of bypassing two‑factor authentication imply a high‑severity risk for any site that relies on this plugin for the second‑factor step.
OpenCVE Enrichment