CVE-2025-15370
📋 TL;DR
This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to disable Google Authenticator two-factor authentication for any user account. Attackers can bypass MFA protection, potentially leading to account takeover. All WordPress sites using the Shield Security plugin up to version 21.0.9 are affected.
💻 Affected Systems
- Shield Security (formerly WP Simple Firewall) WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers disable MFA for administrators, then compromise admin accounts to take full control of the WordPress site, install backdoors, steal data, or deface the website.
Likely Case
Attackers disable MFA for targeted users, then use stolen credentials or brute force to gain unauthorized access to those accounts for privilege escalation or data theft.
If Mitigated
With proper monitoring and user education, suspicious MFA disablement attempts are detected and investigated before account compromise occurs.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once authenticated. The vulnerability is publicly documented with code references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 21.1.0 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3438647/wp-simple-firewall
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'Shield Security' plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 21.1.0+ from WordPress.org and update manually.
🔧 Temporary Workarounds
Temporarily disable the vulnerable class
Add code to the WordPress theme's functions.php to disable the vulnerable MfaGoogleAuthToggle class
Add to wp-content/themes/your-theme/functions.php:
// Remove the vulnerable MfaGoogleAuthToggle action from Shield's action router
// so the toggle endpoint is no longer registered until the plugin is updated.
add_filter('shield/action_router/actions', function($actions) {
    unset($actions['MfaGoogleAuthToggle']);
    return $actions;
});
Restrict user registration
Temporarily disable new user registration to prevent attackers from creating Subscriber accounts
In WordPress admin: Settings → General → Membership → Uncheck 'Anyone can register'
🧯 If You Can't Patch
- Implement network-level restrictions to limit which IP addresses can access WordPress admin/login pages
- Enable detailed logging of all MFA-related actions and monitor for suspicious disablement attempts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → Shield Security version. If version is 21.0.9 or lower, you are vulnerable.
Check Version:
wp plugin list --name=wp-simple-firewall --field=version
Verify Fix Applied:
After updating, verify Shield Security plugin shows version 21.1.0 or higher in WordPress plugins list.
📡 Detection & Monitoring
Log Indicators:
- Unusual MFA disablement events
- Multiple failed login attempts after MFA disablement
- User accounts with MFA suddenly disabled
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=mfa_google_auth_toggle
- Unusual authentication patterns from Subscriber-level accounts
SIEM Query:
source="wordpress.log" AND ("MFA disabled" OR "mfa_google_auth_toggle")
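As an added example (not part of this advisory), the network indicator above applied to constructed web server access-log lines in Python: it parses each line, keeps POST requests to admin-ajax.php whose query string carries the toggle action, and reports source IPs that issue a burst of them. It assumes the action name is visible in the query string; if the plugin sends it in the POST body, the web server log will not show it and only application-level logging of MFA changes will.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Common Log Format, enough to recover source IP, timestamp, method, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample access log (not from the advisory): one source repeatedly
# hitting the toggle endpoint, one benign admin-ajax call, one GET that does not count.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2025:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1234
203.0.113.7 - - [12/May/2025:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=mfa_google_auth_toggle HTTP/1.1" 200 51
203.0.113.7 - - [12/May/2025:10:01:11 +0000] "POST /wp-admin/admin-ajax.php?action=mfa_google_auth_toggle HTTP/1.1" 200 51
198.51.100.4 - - [12/May/2025:10:02:30 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 44
198.51.100.4 - - [12/May/2025:10:03:00 +0000] "GET /wp-admin/admin-ajax.php?action=mfa_google_auth_toggle HTTP/1.1" 400 0
"""

def parse_line(line):
    """Return a dict of fields for one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_mfa_toggle(entry):
    """True for a POST to admin-ajax.php whose query string carries the toggle action."""
    if entry["method"] != "POST":
        return False
    url = urlsplit(entry["path"])
    if url.path != "/wp-admin/admin-ajax.php":
        return False
    return "mfa_google_auth_toggle" in parse_qs(url.query).get("action", [])

def find_mfa_toggle_events(log_text):
    """All parsed entries matching the network indicator, in log order."""
    events = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_mfa_toggle(entry):
            events.append(entry)
    return events

def sources_over_threshold(events, threshold=2):
    """Source IPs with at least `threshold` toggle requests; a burst is the signal, not one call."""
    counts = Counter(e["ip"] for e in events)
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    hits = find_mfa_toggle_events(SAMPLE_LOG)
    for e in hits:
        print(f'{e["ts"]} {e["ip"]} {e["method"]} {e["path"]} -> {e["status"]}')
    print("sources over threshold:", sources_over_threshold(hits))
```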
🔗 References
- https://plugins.trac.wordpress.org/browser/wp-simple-firewall/tags/21.0.8/src/lib/src/ActionRouter/Actions/MfaGoogleAuthToggle.php
- https://plugins.trac.wordpress.org/changeset/3438647/wp-simple-firewall
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d777014a-5397-4062-af39-7ea86589a0d0?source=cve