CVE-2025-13587 PUBLISHED

Two Factor (2FA) Authentication via Email <= 1.9.8 - Two-Factor Authentication Bypass via token

Assigner: Wordfence
Reserved: 23.11.2025 Published: 19.02.2026 Updated: 19.02.2026

The Two Factor (2FA) Authentication via Email plugin for WordPress is vulnerable to Two-Factor Authentication Bypass in versions up to, and including, 1.9.8. This is because the SS88_2FAVE::wp_login() method only enforces the 2FA requirement if the 'token' HTTP GET parameter is undefined, which makes it possible to bypass two-factor authentication by supplying any value in the 'token' parameter during login, including an empty one.
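The defect described above is a presence check standing in for a validity check. The following PHP is an added illustration written for this page, not the plugin's own code: it places the weak gate the advisory describes next to a hardened one. The function names, the `_2fa_token_hash` / `_2fa_token_expires` user-meta keys and the SHA-256 hashing are assumptions chosen for the example; `get_user_meta`, `delete_user_meta` and `hash_equals` are real WordPress/PHP functions.

```php
<?php
// Added illustration, not the plugin's code. Both gates return true when the
// email-code challenge must still be shown and false when it may be skipped.

// Weak gate (the pattern the advisory describes): 2FA is enforced only when
// the 'token' GET parameter is undefined. isset() is true for any supplied
// value, including an empty string, so presence alone skips the challenge.
function login_gate_weak( WP_User $user ): bool {
    if ( ! isset( $_GET['token'] ) ) {
        return true;   // no parameter at all: challenge required
    }
    return false;      // parameter present: challenge skipped, value never checked
}

// Hardened gate: the challenge is required unless a token is present AND it
// matches the pending, unexpired, single-use token stored for this user.
// The meta keys below are hypothetical; the plugin's storage is not described.
function login_gate_hardened( WP_User $user ): bool {
    $supplied = isset( $_GET['token'] ) ? (string) $_GET['token'] : '';
    if ( $supplied === '' ) {
        return true;   // absent or empty: challenge required
    }

    $stored_hash = (string) get_user_meta( $user->ID, '_2fa_token_hash', true );
    $expires     = (int) get_user_meta( $user->ID, '_2fa_token_expires', true );
    if ( $stored_hash === '' || time() > $expires ) {
        return true;   // nothing pending, or pending token expired
    }

    // Constant-time comparison against the stored hash of the emailed token.
    $valid = hash_equals( $stored_hash, hash( 'sha256', $supplied ) );
    if ( $valid ) {
        // Single use: consume the token so the same link cannot be replayed.
        delete_user_meta( $user->ID, '_2fa_token_hash' );
        delete_user_meta( $user->ID, '_2fa_token_expires' );
    }
    return ! $valid;   // only a token that actually verifies clears the challenge
}
```

The point of the hardened version is that the decision to skip the second factor is taken only after the supplied value has been verified against server-side state, with an expiry and single-use consumption; whether the parameter exists never decides anything on its own. In a real deployment the pending token should also be bound to the login attempt that requested it, and failed verifications should be rate-limited and logged so that guessing attempts surface in monitoring.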

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CVSS Score: 6.5

Product Status

Vendor: ss88_uk
Product: Two Factor (2FA) Authentication via Email
Versions: default unaffected
  • affected from * to 1.9.8 (incl.)

Credits

  • Ulyses Saicha (finder)

References

Problem Types

  • CWE-20 Improper Input Validation