Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    10 vulnerabilities found for WP 2FA

    CVE-2026-12988 (GCVE-0-2026-12988)

    Vulnerability from nvd – Published: 2026-07-14 06:00 – Updated: 2026-07-14 12:24
    VLAI
    Title
    WP 2FA < 3.1.1.2 - Account Takeover via 2FA Setup Email Binding
    Summary
    The WP 2FA WordPress plugin before 3.1.1.2 does not verify that the email address supplied during two-factor authentication setup belongs to the user, allowing an attacker who has obtained a user's credentials to redirect the setup verification code to an attacker-controlled email address and take over the account.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/8aa6bf91-54ee-43… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown WP 2FA Affected: 0 , < 3.1.1.2 (semver)
    Create a notification for this product.
    Credits
    Janger WPScan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 6.4,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12988",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-14T12:24:03.709249Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-862",
                    "description": "CWE-862 Missing Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-14T12:24:36.125Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WP 2FA",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "3.1.1.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Janger"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WP 2FA  WordPress plugin before 3.1.1.2 does not verify that the email address supplied during two-factor authentication setup belongs to the user, allowing an attacker who has obtained a user\u0027s credentials to redirect the setup verification code to an attacker-controlled email address and take over the account."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T06:00:02.858Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/8aa6bf91-54ee-4326-a477-31f42284be22/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WP 2FA \u003c 3.1.1.2 - Account Takeover via 2FA Setup Email Binding",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2026-12988",
        "datePublished": "2026-07-14T06:00:02.858Z",
        "dateReserved": "2026-06-23T11:48:46.764Z",
        "dateUpdated": "2026-07-14T12:24:36.125Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-12628 (GCVE-0-2025-12628)

    Vulnerability from nvd – Published: 2025-11-24 12:58 – Updated: 2025-11-24 15:09
    VLAI
    Title
    WP 2FA < 3.0.0 - Second Factor Bypass
    Summary
    The WP 2FA WordPress plugin does not generate backup codes with enough entropy, which could allow attackers to bypass the second factor by brute forcing them
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/5e2d033c-dde6-47… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown WP 2FA Affected: 0 , < 3.0.0 (semver)
    Create a notification for this product.
    Credits
    Benjamin Nadarević WPScan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "LOW",
                  "baseScore": 6.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-12628",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-24T15:09:08.290659Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-24T15:09:10.780Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "product": "WP 2FA",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "3.0.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Benjamin Nadarevi\u0107"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WP 2FA WordPress plugin does not generate backup codes with enough entropy, which could allow attackers to bypass the second factor by brute forcing them"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-331 Insufficient Entropyy",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-24T12:58:37.015Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/5e2d033c-dde6-4774-8588-cbe268c0d797/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WP 2FA \u003c 3.0.0 - Second Factor Bypass",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2025-12628",
        "datePublished": "2025-11-24T12:58:37.015Z",
        "dateReserved": "2025-11-03T09:14:18.190Z",
        "dateUpdated": "2025-11-24T15:09:10.780Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-32568 (GCVE-0-2024-32568)

    Vulnerability from nvd – Published: 2024-04-18 09:49 – Updated: 2026-04-28 16:09
    VLAI
    Title
    WordPress WP 2FA plugin <= 2.6.2 - Reflected Cross Site Scripting (XSS) vulnerability
    Summary
    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Melapress WP 2FA wp-2fa.This issue affects WP 2FA: from n/a through <= 2.6.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    Melapress WP 2FA Affected: 0 , ≤ 2.6.2 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:25
    Credits
    Rafie Muhammad | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-32568",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-18T13:19:06.544110Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-23T17:20:34.421Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T02:13:40.070Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/wp-2fa/wordpress-wp-2fa-plugin-2-6-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "wp-2fa",
              "product": "WP 2FA",
              "vendor": "Melapress",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "2.6.3",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "2.6.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Rafie Muhammad | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:25:06.649Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Melapress WP 2FA wp-2fa.\u003cp\u003eThis issue affects WP 2FA: from n/a through \u003c= 2.6.2.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Melapress WP 2FA wp-2fa.This issue affects WP 2FA: from n/a through \u003c= 2.6.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:09:37.752Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/wp-2fa/vulnerability/wordpress-wp-2fa-plugin-2-6-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress WP 2FA plugin \u003c= 2.6.2 - Reflected Cross Site Scripting (XSS) vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2024-32568",
        "datePublished": "2024-04-18T09:49:39.787Z",
        "dateReserved": "2024-04-15T09:14:25.964Z",
        "dateUpdated": "2026-04-28T16:09:37.752Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-44595 (GCVE-0-2022-44595)

    Vulnerability from nvd – Published: 2024-03-21 17:12 – Updated: 2026-04-28 16:07
    VLAI
    Title
    WordPress WP2FA plugin <= 2.2.0 - Broken Authentication vulnerability
    Summary
    Improper Authentication vulnerability in Melapress WP 2FA allows Authentication Bypass.This issue affects WP 2FA: from n/a through 2.2.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    References
    Impacted products
    Vendor Product Version
    Melapress WP 2FA Affected: n/a , ≤ 2.2.0 (custom)
    Create a notification for this product.
    melapress wp_2fa Affected: 0 , ≤ 2.2.0 (custom)
        cpe:2.3:a:melapress:wp_2fa:*:*:*:*:*:wordpress:*:*
    Create a notification for this product.
    Credits
    Calvin Alkan / Snicco (Patchstack Alliance)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T13:54:03.923Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/wp-2fa/wordpress-wp2fa-plugin-2-2-0-broken-authentication-vulnerability?_s_id=cve"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:melapress:wp_2fa:*:*:*:*:*:wordpress:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "wp_2fa",
                "vendor": "melapress",
                "versions": [
                  {
                    "lessThanOrEqual": "2.2.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-44595",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-03-28T19:10:26.211660Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-09T20:15:26.378Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "wp-2fa",
              "product": "WP 2FA",
              "vendor": "Melapress",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "2.2.1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "2.2.0",
                  "status": "affected",
                  "version": "n/a",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Calvin Alkan / Snicco (Patchstack Alliance)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Authentication vulnerability in Melapress WP 2FA allows Authentication Bypass.\u003cp\u003eThis issue affects WP 2FA: from n/a through 2.2.0.\u003c/p\u003e"
                }
              ],
              "value": "Improper Authentication vulnerability in Melapress WP 2FA allows Authentication Bypass.This issue affects WP 2FA: from n/a through 2.2.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:07:51.646Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/vulnerability/wp-2fa/wordpress-wp2fa-plugin-2-2-0-broken-authentication-vulnerability?_s_id=cve"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to 2.2.1 or a higher version."
                }
              ],
              "value": "Update to 2.2.1 or a higher version."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress WP2FA plugin \u003c= 2.2.0 - Broken Authentication vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2022-44595",
        "datePublished": "2024-03-21T17:12:32.657Z",
        "dateReserved": "2022-11-01T19:51:27.398Z",
        "dateUpdated": "2026-04-28T16:07:51.646Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-2891 (GCVE-0-2022-2891)

    Vulnerability from nvd – Published: 2022-10-10 00:00 – Updated: 2024-08-03 00:53
    VLAI
    Title
    WP 2FA < 2.3.0 - Time-Based Side-Channel Attack
    Summary
    The WP 2FA WordPress plugin before 2.3.0 uses comparison operators that don't mitigate time-based attacks, which could be abused to leak information about the authentication codes being compared.
    Severity
    No CVSS data available.
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/301b3dce-2584-46… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown WP 2FA Affected: 0 , < 2.3.0 (custom)
    Create a notification for this product.
    Credits
    Calvin Alkan WPScan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:53:00.501Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "exploit",
                  "vdb-entry",
                  "technical-description",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/301b3dce-2584-46ec-92ed-1c0626522120"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "product": "WP 2FA",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.3.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Calvin Alkan"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WP 2FA WordPress plugin before 2.3.0 uses comparison operators that don\u0027t mitigate time-based attacks, which could be abused to leak information about the authentication codes being compared."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-203 Observable Discrepancy",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-07-24T09:59:20.811Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/301b3dce-2584-46ec-92ed-1c0626522120"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WP 2FA \u003c 2.3.0 - Time-Based Side-Channel Attack",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2022-2891",
        "datePublished": "2022-10-10T00:00:00.000Z",
        "dateReserved": "2022-08-18T00:00:00.000Z",
        "dateUpdated": "2024-08-03T00:53:00.501Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-12988 (GCVE-0-2026-12988)

    Vulnerability from cvelistv5 – Published: 2026-07-14 06:00 – Updated: 2026-07-14 12:24
    VLAI
    Title
    WP 2FA < 3.1.1.2 - Account Takeover via 2FA Setup Email Binding
    Summary
    The WP 2FA WordPress plugin before 3.1.1.2 does not verify that the email address supplied during two-factor authentication setup belongs to the user, allowing an attacker who has obtained a user's credentials to redirect the setup verification code to an attacker-controlled email address and take over the account.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/8aa6bf91-54ee-43… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown WP 2FA Affected: 0 , < 3.1.1.2 (semver)
    Create a notification for this product.
    Credits
    Janger WPScan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 6.4,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12988",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-14T12:24:03.709249Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-862",
                    "description": "CWE-862 Missing Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-14T12:24:36.125Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WP 2FA",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "3.1.1.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Janger"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WP 2FA  WordPress plugin before 3.1.1.2 does not verify that the email address supplied during two-factor authentication setup belongs to the user, allowing an attacker who has obtained a user\u0027s credentials to redirect the setup verification code to an attacker-controlled email address and take over the account."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T06:00:02.858Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/8aa6bf91-54ee-4326-a477-31f42284be22/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WP 2FA \u003c 3.1.1.2 - Account Takeover via 2FA Setup Email Binding",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2026-12988",
        "datePublished": "2026-07-14T06:00:02.858Z",
        "dateReserved": "2026-06-23T11:48:46.764Z",
        "dateUpdated": "2026-07-14T12:24:36.125Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-12628 (GCVE-0-2025-12628)

    Vulnerability from cvelistv5 – Published: 2025-11-24 12:58 – Updated: 2025-11-24 15:09
    VLAI
    Title
    WP 2FA < 3.0.0 - Second Factor Bypass
    Summary
    The WP 2FA WordPress plugin does not generate backup codes with enough entropy, which could allow attackers to bypass the second factor by brute forcing them
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/5e2d033c-dde6-47… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown WP 2FA Affected: 0 , < 3.0.0 (semver)
    Create a notification for this product.
    Credits
    Benjamin Nadarević WPScan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "LOW",
                  "baseScore": 6.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-12628",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-24T15:09:08.290659Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-24T15:09:10.780Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "product": "WP 2FA",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "3.0.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Benjamin Nadarevi\u0107"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WP 2FA WordPress plugin does not generate backup codes with enough entropy, which could allow attackers to bypass the second factor by brute forcing them"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-331 Insufficient Entropyy",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-24T12:58:37.015Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/5e2d033c-dde6-4774-8588-cbe268c0d797/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WP 2FA \u003c 3.0.0 - Second Factor Bypass",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2025-12628",
        "datePublished": "2025-11-24T12:58:37.015Z",
        "dateReserved": "2025-11-03T09:14:18.190Z",
        "dateUpdated": "2025-11-24T15:09:10.780Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-32568 (GCVE-0-2024-32568)

    Vulnerability from cvelistv5 – Published: 2024-04-18 09:49 – Updated: 2026-04-28 16:09
    VLAI
    Title
    WordPress WP 2FA plugin <= 2.6.2 - Reflected Cross Site Scripting (XSS) vulnerability
    Summary
    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Melapress WP 2FA wp-2fa.This issue affects WP 2FA: from n/a through <= 2.6.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    Melapress WP 2FA Affected: 0 , ≤ 2.6.2 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:25
    Credits
    Rafie Muhammad | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-32568",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-18T13:19:06.544110Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-23T17:20:34.421Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T02:13:40.070Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/wp-2fa/wordpress-wp-2fa-plugin-2-6-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "wp-2fa",
              "product": "WP 2FA",
              "vendor": "Melapress",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "2.6.3",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "2.6.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Rafie Muhammad | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:25:06.649Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Melapress WP 2FA wp-2fa.\u003cp\u003eThis issue affects WP 2FA: from n/a through \u003c= 2.6.2.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Melapress WP 2FA wp-2fa.This issue affects WP 2FA: from n/a through \u003c= 2.6.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:09:37.752Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/wp-2fa/vulnerability/wordpress-wp-2fa-plugin-2-6-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress WP 2FA plugin \u003c= 2.6.2 - Reflected Cross Site Scripting (XSS) vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2024-32568",
        "datePublished": "2024-04-18T09:49:39.787Z",
        "dateReserved": "2024-04-15T09:14:25.964Z",
        "dateUpdated": "2026-04-28T16:09:37.752Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-44595 (GCVE-0-2022-44595)

    Vulnerability from cvelistv5 – Published: 2024-03-21 17:12 – Updated: 2026-04-28 16:07
    VLAI
    Title
    WordPress WP2FA plugin <= 2.2.0 - Broken Authentication vulnerability
    Summary
    Improper Authentication vulnerability in Melapress WP 2FA allows Authentication Bypass.This issue affects WP 2FA: from n/a through 2.2.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    References
    Impacted products
    Vendor Product Version
    Melapress WP 2FA Affected: n/a , ≤ 2.2.0 (custom)
    Create a notification for this product.
    melapress wp_2fa Affected: 0 , ≤ 2.2.0 (custom)
        cpe:2.3:a:melapress:wp_2fa:*:*:*:*:*:wordpress:*:*
    Create a notification for this product.
    Credits
    Calvin Alkan / Snicco (Patchstack Alliance)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T13:54:03.923Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/wp-2fa/wordpress-wp2fa-plugin-2-2-0-broken-authentication-vulnerability?_s_id=cve"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:melapress:wp_2fa:*:*:*:*:*:wordpress:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "wp_2fa",
                "vendor": "melapress",
                "versions": [
                  {
                    "lessThanOrEqual": "2.2.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-44595",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-03-28T19:10:26.211660Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-09T20:15:26.378Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "wp-2fa",
              "product": "WP 2FA",
              "vendor": "Melapress",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "2.2.1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "2.2.0",
                  "status": "affected",
                  "version": "n/a",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Calvin Alkan / Snicco (Patchstack Alliance)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Authentication vulnerability in Melapress WP 2FA allows Authentication Bypass.\u003cp\u003eThis issue affects WP 2FA: from n/a through 2.2.0.\u003c/p\u003e"
                }
              ],
              "value": "Improper Authentication vulnerability in Melapress WP 2FA allows Authentication Bypass.This issue affects WP 2FA: from n/a through 2.2.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:07:51.646Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/vulnerability/wp-2fa/wordpress-wp2fa-plugin-2-2-0-broken-authentication-vulnerability?_s_id=cve"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to 2.2.1 or a higher version."
                }
              ],
              "value": "Update to 2.2.1 or a higher version."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress WP2FA plugin \u003c= 2.2.0 - Broken Authentication vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2022-44595",
        "datePublished": "2024-03-21T17:12:32.657Z",
        "dateReserved": "2022-11-01T19:51:27.398Z",
        "dateUpdated": "2026-04-28T16:07:51.646Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-2891 (GCVE-0-2022-2891)

    Vulnerability from cvelistv5 – Published: 2022-10-10 00:00 – Updated: 2024-08-03 00:53
    VLAI
    Title
    WP 2FA < 2.3.0 - Time-Based Side-Channel Attack
    Summary
    The WP 2FA WordPress plugin before 2.3.0 uses comparison operators that don't mitigate time-based attacks, which could be abused to leak information about the authentication codes being compared.
    Severity
    No CVSS data available.
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/301b3dce-2584-46… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown WP 2FA Affected: 0 , < 2.3.0 (custom)
    Create a notification for this product.
    Credits
    Calvin Alkan WPScan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:53:00.501Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "exploit",
                  "vdb-entry",
                  "technical-description",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/301b3dce-2584-46ec-92ed-1c0626522120"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "product": "WP 2FA",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.3.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Calvin Alkan"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WP 2FA WordPress plugin before 2.3.0 uses comparison operators that don\u0027t mitigate time-based attacks, which could be abused to leak information about the authentication codes being compared."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-203 Observable Discrepancy",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-07-24T09:59:20.811Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/301b3dce-2584-46ec-92ed-1c0626522120"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WP 2FA \u003c 2.3.0 - Time-Based Side-Channel Attack",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2022-2891",
        "datePublished": "2022-10-10T00:00:00.000Z",
        "dateReserved": "2022-08-18T00:00:00.000Z",
        "dateUpdated": "2024-08-03T00:53:00.501Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }