WordPress Shield Security Plugin: Unauthenticated Email 2FA Disabling
CVE-2025-14427
Summary
The Shield Security plugin for WordPress allows attackers with Subscriber-level access and above to disable site-wide Email 2-Factor Authentication. This means that even authorized users may not receive security alerts or notifications. Update the plugin to a fixed version to prevent unauthorized access.
Original title
The Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `Mf...
Original description
The Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `MfaEmailDisable` action in all versions up to, and including, 21.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disable the global Email 2FA setting for the entire site.
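The root cause named above is a missing capability check (CWE-862) on a settings action. The following is an added illustration, not Shield Security's code: a hypothetical WordPress AJAX action handler shown first without the check and then hardened. The action, option and nonce names (`example_mfa_email_disable`, `example_email_2fa_enabled`, `example_mfa_settings`) and the `manage_options` capability are assumptions chosen for the example.

```php
<?php
// Hypothetical handler illustrating CWE-862 as described on this page.
// Not Shield Security's code; all names below are assumptions for illustration.

// VULNERABLE PATTERN: any logged-in user (Subscriber and up) can reach a
// wp_ajax_* action, and this handler never asks whether the caller is allowed
// to manage plugin settings, so the site-wide Email 2FA flag can be turned off.
function example_mfa_email_disable_vulnerable() {
    update_option( 'example_email_2fa_enabled', false );
    wp_send_json_success( array( 'email_2fa' => false ) );
}
add_action( 'wp_ajax_example_mfa_email_disable', 'example_mfa_email_disable_vulnerable' );

// HARDENED: confirm the request is intentional (nonce) and that the caller
// holds an administrative capability before changing global security state.
function example_mfa_email_disable_hardened() {
    // Rejects forged cross-site requests; sends 403 and stops on failure.
    check_ajax_referer( 'example_mfa_settings', 'nonce' );

    // The missing authorization check: Subscribers do not hold manage_options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    update_option( 'example_email_2fa_enabled', false );

    // Leave an audit trail so a change to security settings is attributable.
    error_log( sprintf( 'Email 2FA disabled by user %d', get_current_user_id() ) );
    wp_send_json_success( array( 'email_2fa' => false ) );
}
add_action( 'wp_ajax_example_mfa_email_disable_v2', 'example_mfa_email_disable_hardened' );
```

When auditing a plugin for this class of bug, look for every `wp_ajax_*`, REST or `admin_post_*` handler that writes options and confirm each one calls `current_user_can()` with an appropriate capability, not just a nonce check.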
NVD CVSS 3.1: 4.3
Vulnerability type: CWE-862 (Missing Authorization)
Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026