CVE-2025-10293
📋 TL;DR
The Keyy Two Factor Authentication plugin for WordPress has a privilege escalation vulnerability that allows authenticated attackers with subscriber-level access to generate valid authentication tokens and automatically log in as other users, including administrators. This affects all WordPress sites using the plugin up to version 1.2.3. Attackers can take over administrator accounts if the administrator has 2FA enabled.
💻 Affected Systems
- Keyy Two Factor Authentication (like Clef) WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete site compromise where attackers gain administrator access, install backdoors, steal sensitive data, deface the site, or use it for further attacks.
Likely Case
Attackers gain administrator privileges, modify content, install malicious plugins/themes, or exfiltrate user data.
If Mitigated
Attackers can only access subscriber-level accounts with limited permissions.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once an attacker has subscriber-level credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.4 or later
Vendor Advisory: https://wordpress.org/plugins/keyy/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Keyy Two Factor Authentication (like Clef)'. 4. Click 'Update Now' if available. 5. Alternatively, download version 1.2.4+ from WordPress.org and manually update.
🔧 Temporary Workarounds
Disable the Keyy plugin
allTemporarily disable the vulnerable plugin until patching is possible.
wp plugin deactivate keyy
Restrict user registration
allPrevent new user registrations to limit attacker access.
In WordPress Settings → General, uncheck 'Anyone can register'
🧯 If You Can't Patch
- Remove the Keyy plugin completely and use an alternative 2FA solution.
- Implement network-level controls to restrict access to WordPress admin areas from untrusted networks.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Keyy Two Factor Authentication (like Clef)' version 1.2.3 or lower.Check Version:
wp plugin get keyy --field=versionVerify Fix Applied:
Verify the plugin version is 1.2.4 or higher in WordPress admin → Plugins.📡 Detection & Monitoring
Log Indicators:
- Unusual authentication patterns, multiple successful logins from same IP to different accounts, administrator logins from unexpected locations
Network Indicators:
- HTTP POST requests to /wp-admin/admin-ajax.php with action parameters related to Keyy token generation
SIEM Query:
source="wordpress.log" AND (plugin="keyy" OR uri_path="/wp-admin/admin-ajax.php") AND (action="keyy_generate_token" OR status=200)