CVE-2026-8903
Description
The Two-factor authentication (formerly IP Vault) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1. This is due to missing or incorrect nonce validation on the ipv_save_changes function. This makes it possible for unauthenticated attackers to modify the plugin's firewall and two-factor authentication settings — including the operating mode, request include/exclude rules, authentication slug, and log retention period — potentially disabling protection entirely via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The IP Vault WordPress plugin ≤2.1 lacks CSRF protection on its settings save function, allowing attackers to disable firewall/2FA via a forged admin request.
Vulnerability
The Two-factor authentication (IP Vault) plugin for WordPress versions up to and including 2.1 is vulnerable to Cross-Site Request Forgery (CSRF) due to missing or incorrect nonce validation on the ipv_save_changes function [1]. This function handles saving of plugin settings including operating mode (soft/hard), request include/exclude rules, authentication slug, log retention period, and other options [2][3]. The vulnerability exists in all versions up to 2.1.
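As an added illustration, not the IP Vault plugin's own code (the page does not reproduce it), the following hypothetical WordPress settings handler shows the missing-nonce pattern described above beside a hardened version that ties the save action to a per-user nonce and a capability check; the `ipv_demo_*` function and option names are assumptions, while the WordPress APIs used are real.

```php
<?php
// Added illustration, not code from the IP Vault plugin. Function and option
// names (ipv_demo_*) are hypothetical; the WordPress APIs are real.

// Vulnerable pattern: the handler trusts any POST that arrives with an admin's
// session cookie. A form submitted from a third-party page while the admin is
// logged in is processed exactly as if the admin had chosen those values.
function ipv_demo_save_changes_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // No nonce check: the origin of the request is never verified.
    update_option( 'ipv_demo_mode', sanitize_text_field( wp_unslash( $_POST['mode'] ?? 'hard' ) ) );
    update_option( 'ipv_demo_log_days', absint( $_POST['log_days'] ?? 30 ) );
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}

// Hardened pattern: the settings form embeds a nonce bound to the current user
// and to this specific action, and the handler rejects any request without it.
function ipv_demo_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="ipv_demo_save_changes">';
    wp_nonce_field( 'ipv_demo_save_changes', '_ipv_nonce' );
    echo '<select name="mode"><option value="hard">hard</option><option value="soft">soft</option></select>';
    echo '<input type="number" name="log_days" value="' . esc_attr( get_option( 'ipv_demo_log_days', 30 ) ) . '">';
    submit_button( 'Save changes' );
    echo '</form>';
}

function ipv_demo_save_changes_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() calls wp_die() with a 403 when the nonce is missing,
    // expired, or was issued for a different user or a different action.
    check_admin_referer( 'ipv_demo_save_changes', '_ipv_nonce' );

    $mode = sanitize_text_field( wp_unslash( $_POST['mode'] ?? '' ) );
    if ( ! in_array( $mode, array( 'hard', 'soft' ), true ) ) {
        wp_die( 'Invalid mode', '', array( 'response' => 400 ) );
    }
    update_option( 'ipv_demo_mode', $mode );
    update_option( 'ipv_demo_log_days', absint( $_POST['log_days'] ?? 30 ) );
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_ipv_demo_save_changes', 'ipv_demo_save_changes_hardened' );
```

The capability check alone does not stop CSRF, because the forged request is sent by the administrator's own browser; only the nonce, which the attacker's page cannot read, distinguishes an intended save from a forged one.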
Exploitation
An unauthenticated attacker can craft a malicious request that modifies any of the plugin's settings. To exploit, the attacker must trick a logged-in site administrator into performing an action such as clicking a link or visiting a page that triggers the forged request. No authentication or prior access is required from the attacker beyond social engineering.
Impact
Successful exploitation allows the attacker to alter the plugin's firewall and two-factor authentication settings arbitrarily. For example, the attacker could switch the operating mode to "soft" (which only redirects unauthorized requests) or disable logging entirely, effectively weakening or disabling protection. The attacker could also change the authentication slug, potentially bypassing two-factor authentication. The impact is a loss of integrity and availability of the security controls, potentially exposing the site to further attacks.
Mitigation
The vendor has not released a patched version as of the publication date (2026-05-27). Users should monitor the plugin's update channel for a fix. As a workaround, administrators can implement additional CSRF protection mechanisms or restrict access to the plugin's settings page. The plugin is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog at this time.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.trac.wordpress.org/browser/ip-vault-wp-firewall/trunk/includes/admin-settings.php
- plugins.trac.wordpress.org/browser/ip-vault-wp-firewall/trunk/ip-vault.php
- www.wordfence.com/threat-intel/vulnerabilities/id/5a58f809-d051-4841-a1da-7bc1cf59e1a2
News mentions
No linked articles in our index yet.