WordPress 2FA Plugin Allows Bypassing Security Checks
CVE-2025-13587
Summary
The Two Factor Authentication via Email plugin for WordPress has a security flaw that allows attackers to bypass the two-factor authentication process. This means that hackers can access accounts without needing a second form of verification. To fix this, update the plugin to version 1.9.9 or later.
Original title
The Two Factor (2FA) Authentication via Email plugin for WordPress is vulnerable to Two-Factor Authentication Bypass in versions up to, and including, 1.9.8. This is because the SS88_2FAVE::wp_logi...
Original description
The Two Factor (2FA) Authentication via Email plugin for WordPress is vulnerable to Two-Factor Authentication Bypass in versions up to, and including, 1.9.8. This is because the SS88_2FAVE::wp_login() method only enforces the 2FA requirement if the 'token' HTTP GET parameter is undefined, which makes it possible to bypass two-factor authentication by supplying any value in the 'token' parameter during login, including an empty one.
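The flaw described above, sketched next to a corrected check. This is an added illustration, not the plugin's source code: the function names, the `$issued` record and the sample data are hypothetical, and the use of `isset()` is an assumption about how "undefined" is tested.

```php
<?php
// Added illustration; not the plugin's code. All names here are hypothetical.

// Flawed pattern from the description: the second factor is demanded only
// when 'token' is absent from the query string ($query stands in for $_GET).
function requires_second_factor_flawed(array $query): bool
{
    // isset() is true for '' as well, so "?token=" counts as defined.
    return !isset($query['token']);
}

// Corrected pattern: the second factor is waived only when the supplied token
// matches the one issued for this login attempt and has not expired.
function requires_second_factor_fixed(array $query, ?array $issued, int $now): bool
{
    $supplied = $query['token'] ?? null;
    // Missing, empty or non-string values (e.g. token[]=x) never waive 2FA.
    if (!is_string($supplied) || $supplied === '' || $issued === null) {
        return true;
    }
    if ($now >= $issued['expires']) {
        return true;
    }
    // Constant-time comparison against the server-side value.
    return !hash_equals($issued['token'], $supplied);
}

// Constructed sample data: one token issued server-side, valid for 10 minutes.
$issued = ['token' => bin2hex(random_bytes(16)), 'expires' => time() + 600];
$cases = [
    'no token'     => [],
    'empty token'  => ['token' => ''],
    'wrong token'  => ['token' => 'anything'],
    'issued token' => ['token' => $issued['token']],
];
foreach ($cases as $label => $query) {
    printf("%-13s flawed=%s fixed=%s\n", $label,
        var_export(requires_second_factor_flawed($query), true),
        var_export(requires_second_factor_fixed($query, $issued, time()), true));
}
```

In the flawed check only the "no token" case still requires the second factor; in the corrected check every case except the issued, unexpired token does.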
NVD CVSS 3.1
6.5
Vulnerability type
CWE-20
Improper Input Validation
Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026