VYPR

WP 2FA

by WordPress

CVEs (7)

  • CVE-2024-32568 | High | Apr 18, 2024
    risk 0.46 | cvss 7.1 | epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Melapress WP 2FA wp-2fa. This issue affects WP 2FA: from n/a through <= 2.6.2.

  • CVE-2025-12628 | Medium | Nov 24, 2025
    risk 0.41 | cvss 6.3 | epss 0.00

    The WP 2FA WordPress plugin does not generate backup codes with enough entropy, which could allow attackers to bypass the second factor by brute forcing them.

  • CVE-2022-44595 | Medium | Mar 21, 2024
    risk 0.34 | cvss 5.3 | epss 0.00

    Improper Authentication vulnerability in Melapress WP 2FA allows Authentication Bypass. This issue affects WP 2FA: from n/a through 2.2.0.

  • CVE-2023-6520 | Medium | Jan 11, 2024
    risk 0.28 | cvss 4.3 | epss 0.00

    The WP 2FA – Two-factor authentication for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.0. This is due to missing or incorrect nonce validation on the send_backup_codes_email function. This makes it…

  • CVE-2023-6506 | Medium | Jan 11, 2024
    risk 0.28 | cvss 4.3 | epss 0.00

    The WP 2FA – Two-factor authentication for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.5.0 via the send_backup_codes_email due to missing validation on a user controlled key. This makes it possible…

  • CVE-2022-2891 | Oct 10, 2022
    risk 0.00 | cvss (not listed) | epss 0.01

    The WP 2FA WordPress plugin before 2.3.0 uses comparison operators that don't mitigate time-based attacks, which could be abused to leak information about the authentication codes being compared.

  • CVE-2022-1527 | May 30, 2022
    risk 0.00 | cvss (not listed) | epss 0.01

    The WP 2FA WordPress plugin before 2.2.1 does not sanitise and escape a parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.