CVE-2026-11883 PUBLISHED

WebAuthn Provider for Two Factor < 2.5.6 - 2FA Bypass

Assigner: WPScan
Reserved: 10.06.2026 Published: 01.07.2026 Updated: 01.07.2026

The WebAuthn Provider for Two Factor WordPress plugin before 2.5.6 does not correctly validate the second-factor authentication response, allowing an attacker who already knows a user's password to bypass the two-factor authentication requirement by submitting a malformed request.

Product Status

Vendor Unknown
Product WebAuthn Provider for Two Factor
Versions Default: unaffected
  • affected from 0 to 2.5.6 (excl.)

Credits

  • Volodymyr Kolesnykov finder
  • WPScan coordinator

References

Problem Types

  • CWE-287 Improper Authentication CWE