CVE-2026-12988 PUBLISHED

WP 2FA < 3.1.1.2 - Account Takeover via 2FA Setup Email Binding

Assigner: WPScan
Reserved: 23.06.2026 Published: 14.07.2026 Updated: 14.07.2026

The WP 2FA WordPress plugin before 3.1.1.2 does not verify that the email address supplied during two-factor authentication setup belongs to the user, allowing an attacker who has obtained a user's credentials to redirect the setup verification code to an attacker-controlled email address and take over the account.

Product Status

Vendor Unknown
Product WP 2FA
Versions Default: unaffected
  • affected from 0 to 3.1.1.2 (excl.)

Credits

  • Janger finder
  • WPScan coordinator

References

Problem Types

  • CWE-862 Missing Authorization CWE