Login Sign Up

CVE-2025-12628

6.3 MEDIUM
Authentication Bypass

📋 TL;DR

The WP 2FA WordPress plugin generates backup codes with insufficient entropy, allowing attackers to brute-force these codes and bypass two-factor authentication. This affects all WordPress sites using vulnerable versions of the WP 2FA plugin.

💻 Affected Systems

Products:
  • WP 2FA WordPress plugin
Versions: All versions before 2.7.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects sites where WP 2FA plugin is installed and backup codes feature is enabled.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain unauthorized administrative access to WordPress sites, leading to complete site compromise, data theft, malware injection, or defacement.

🟠

Likely Case

Attackers bypass 2FA for user accounts, potentially gaining access to sensitive content or performing unauthorized actions.

🟢

If Mitigated

With strong passwords and proper monitoring, impact is limited to potential account compromise rather than full site takeover.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires knowledge of a valid username and ability to attempt backup code guesses. No authentication bypass for initial access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.7.0

Vendor Advisory: https://wpscan.com/vulnerability/5e2d033c-dde6-4774-8588-cbe268c0d797/

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find WP 2FA plugin. 4. Click 'Update Now' if update available. 5. Alternatively, download version 2.7.0+ from WordPress repository and manually update.

🔧 Temporary Workarounds

Disable Backup Codes

all

Temporarily disable backup code functionality in WP 2FA settings

Rate Limit Login Attempts

all

Implement login attempt rate limiting via security plugin or server configuration

🧯 If You Can't Patch

  • Disable WP 2FA plugin entirely and use alternative 2FA solution
  • Implement IP-based access restrictions for WordPress admin area

🔍 How to Verify

Check if Vulnerable:

Check WP 2FA plugin version in WordPress admin panel under Plugins > Installed Plugins

Check Version:

wp plugin list --name=wp-2fa --field=version

Verify Fix Applied:

Verify plugin version is 2.7.0 or higher and test 2FA functionality

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed backup code attempts for same user
  • Successful login after multiple backup code attempts

Network Indicators:

  • Unusual login patterns from same IP addresses

SIEM Query:

source="wordpress" (event="login_failed" AND reason="backup_code") | stats count by src_ip, user

📊 Metadata

CVE ID: CVE-2025-12628
CVSS v3 Score: 6.3 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EPSS Score: 0.06% exploit probability (17.1th percentile)
Published: November 24, 2025
Last Updated: November 25, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON