Two Factor Authentication
by WordPress
CVEs (5)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-8903 |  | Med | 0.28 | 4.3 | — |  | May 27, 2026 | The Two-factor authentication (formerly IP Vault) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1. This is due to missing or incorrect nonce validation on the ipv_save_changes function. This makes it possible for… |
| CVE-2024-5658 |  |  | 0.00 | — | 0.00 |  | Jun 6, 2024 | The CraftCMS plugin Two-Factor Authentication through 3.3.3 allows reuse of TOTP tokens multiple times within the validity period. |
| CVE-2024-5657 |  |  | 0.00 | — | 0.00 |  | Jun 6, 2024 | The CraftCMS plugin Two-Factor Authentication in versions 3.3.1, 3.3.2 and 3.3.3 discloses the password hash of the currently authenticated user after submitting a valid TOTP. |
| CVE-2015-9355 |  |  | 0.00 | — | 0.00 |  | Aug 28, 2019 | The two-factor-authentication plugin before 1.1.10 for WordPress has XSS in the admin area. |
| CVE-2018-20231 |  |  | 0.00 | — | 0.00 |  | Dec 19, 2018 | Cross Site Request Forgery (CSRF) in the two-factor-authentication plugin before 1.3.13 for WordPress allows remote attackers to disable 2FA via the tfa_enable_tfa parameter due to missing nonce validation. |