5018 matches found

The Hacker News
added 2026/02/20 10:30 a.m. | 10 views

Identity Cyber Scores: The New Metric Shaping Cyber Insurance in 2026

With one in three cyber-attacks now involving compromised employee accounts, insurers and regulators are placing far greater emphasis on identity posture when assessing cyber risk. For many organizations, however, these assessments remain largely opaque. Elements such as password hygiene,...

6.3 AI score
Exploits: 0

RedhatCVE
added 2026/02/20 7:22 a.m. | 11 views

CVE-2025-14427

The Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the MfaEmailDisable action in all versions up to, and including, 21.0.9. This makes it possible for...

4.3 CVSS | 5.5 AI score | 0.00198 EPSS
Exploits: 0 | References: 1

RedhatCVE
added 2026/02/20 7:22 a.m. | 5 views

CVE-2025-13587

The Two Factor 2FA Authentication via Email plugin for WordPress is vulnerable to Two-Factor Authentication Bypass in versions up to, and including, 1.9.8. This is because the SS88_2FAVE::wp_login method only enforces the 2FA requirement if the 'token' HTTP GET parameter is undefined, which makes i...

6.5 CVSS | 5.5 AI score | 0.00361 EPSS
Exploits: 0 | References: 1

Patchstack
added 2026/02/19 8:47 a.m. | 7 views

WordPress Two Factor (2FA) Authentication via Email plugin <= 1.9.8 - Two-Factor Authentication Bypass via token vulnerability

Two-Factor Authentication Bypass via token vulnerability discovered by Ulyses Saicha in WordPress Plugin Two Factor 2FA Authentication via Email versions <= 1.9.8...

6.5 CVSS | 5.5 AI score | 0.00361 EPSS
Exploits: 0 | References: 1 | Affected Software: 1

NVD
added 2026/02/19 7:17 a.m. | 3 views

CVE-2025-14427

The Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the MfaEmailDisable action in all versions up to, and including, 21.0.9. This makes it possible for...

4.3 CVSS | 0.00198 EPSS
Exploits: 0 | References: 2

NVD
added 2026/02/19 7:17 a.m. | 6 views

CVE-2025-13587

The Two Factor 2FA Authentication via Email plugin for WordPress is vulnerable to Two-Factor Authentication Bypass in versions up to, and including, 1.9.8. This is because the SS88_2FAVE::wp_login method only enforces the 2FA requirement if the 'token' HTTP GET parameter is undefined, which makes i...

6.5 CVSS | 0.00361 EPSS
Exploits: 0 | References: 3

CVE
added 2026/02/19 4:36 a.m. | 9 views

CVE-2025-14427

CVE-2025-14427 affects the Shield: Blocks Bots, Protects Users, and Prevents Security Breaches WordPress plugin (Shield Security) with versions up to 21.0.9. Root cause is a missing capability check on the MfaEmailDisable action, enabling authenticated attackers with Subscriber-level access or hi...

4.3 CVSS | 5.5 AI score | 0.00198 EPSS
Exploits: 0 | References: 2

Cvelist
added 2026/02/19 4:36 a.m. | 29 views

CVE-2025-14427 Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches <= 21.0.9 - Missing Authorization to Authenticated (Subscriber+) Email MFA Update

The Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the MfaEmailDisable action in all versions up to, and including, 21.0.9. This makes it possible for...

4.3 CVSS | 0.00198 EPSS
Exploits: 0 | References: 2

Vulnrichment
added 2026/02/19 4:36 a.m. | 4 views

CVE-2025-14427 Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches <= 21.0.9 - Missing Authorization to Authenticated (Subscriber+) Email MFA Update

The Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the MfaEmailDisable action in all versions up to, and including, 21.0.9. This makes it possible for...

4.3 CVSS | 5.5 AI score | 0.00198 EPSS
Exploits: 0 | References: 2

CVE
added 2026/02/19 4:36 a.m. | 14 views

CVE-2025-13587

CVE-2025-13587 affects the WordPress plugin “Two Factor (2FA) Authentication via Email” up to version 1.9.8. The root cause is that SS88_2FAVE::wp_login() only enforces 2FA when the 'token' parameter is undefined; providing any value (including empty) for token during login bypasses 2FA. The acco...

6.5 CVSS | 5.5 AI score | 0.00361 EPSS
Exploits: 0 | References: 3

Cvelist
added 2026/02/19 4:36 a.m. | 28 views

CVE-2025-13587 Two Factor (2FA) Authentication via Email <= 1.9.8 - Two-Factor Authentication Bypass via token

The Two Factor 2FA Authentication via Email plugin for WordPress is vulnerable to Two-Factor Authentication Bypass in versions up to, and including, 1.9.8. This is because the SS88_2FAVE::wp_login method only enforces the 2FA requirement if the 'token' HTTP GET parameter is undefined, which makes i...

6.5 CVSS | 0.00361 EPSS
Exploits: 0 | References: 3

Vulnrichment
added 2026/02/19 4:36 a.m. | 3 views

CVE-2025-13587 Two Factor (2FA) Authentication via Email <= 1.9.8 - Two-Factor Authentication Bypass via token

The Two Factor 2FA Authentication via Email plugin for WordPress is vulnerable to Two-Factor Authentication Bypass in versions up to, and including, 1.9.8. This is because the SS88_2FAVE::wp_login method only enforces the 2FA requirement if the 'token' HTTP GET parameter is undefined, which makes i...

6.5 CVSS | 5.5 AI score | 0.00361 EPSS
Exploits: 0 | References: 3

CNNVD
added 2026/02/19 12:0 a.m. | 3 views

WordPress plugin Two Factor (2FA) Authentication via Email input validation error vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There wa...

6.5 CVSS | 5.8 AI score | 0.00361 EPSS
Exploits: 0 | References: 3

CNNVD
added 2026/02/19 12:0 a.m. | 4 views

WordPress plugin Shield Security security vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

4.3 CVSS | 5.8 AI score | 0.00198 EPSS
Exploits: 0 | References: 2

Positive Technologies
added 2026/02/19 12:0 a.m. | 4 views

PT-2026-20601

Name of the Vulnerable Software and Affected Versions: Two Factor 2FA Authentication via Email plugin for WordPress versions up to and including 1.9.8. Description: The Two Factor 2FA Authentication via Email plugin for WordPress is susceptible to a bypass of the two-factor authentication mechanism...

6.5 CVSS | 5.3 AI score | 0.00361 EPSS
Exploits: 0 | References: 5

Positive Technologies
added 2026/02/19 12:0 a.m. | 7 views

PT-2026-20617

The Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the MfaEmailDisable action in all versions up to, and including, 21.0.9. This makes it possible for...

4.3 CVSS | 5.5 AI score | 0.00198 EPSS
Exploits: 0 | References: 2

OSV
added 2026/02/18 6:24 p.m. | 2 views

CVE-2026-20138

In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.9, and 9.2.11, a user of a Splunk Search Head Cluster (SHC) deployment who holds a role with access to the Splunk _internal index could view the integrationKey, secretKey, and appSecretKey secrets, generated by Duo Two-Factor...

4.9 CVSS | 5.8 AI score | 0.0031 EPSS
Exploits: 0 | References: 1

Cvelist
added 2026/02/18 4:45 p.m. | 20 views

CVE-2026-20138 Sensitive Information Disclosure in "_internal" index in Splunk Enterprise

In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.9, and 9.2.11, a user of a Splunk Search Head Cluster (SHC) deployment who holds a role with access to the Splunk _internal index could view the integrationKey, secretKey, and appSecretKey secrets, generated by Duo Two-Factor...

6.8 CVSS | 0.0031 EPSS
Exploits: 0 | References: 1

OSV
added 2026/02/17 6:9 p.m. | 3 views

GO-2026-4449 Gogs Vulnerable to 2FA Bypass via Recovery Code in gogs.io/gogs

Gogs Vulnerable to 2FA Bypass via Recovery Code in gogs.io/gogs. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability scanners, please suggest an...

8.8 CVSS | 5.6 AI score | 0.00424 EPSS
Exploits: 0 | References: 4

Snyk
added 2026/02/16 1:1 p.m. | 3 views

Information Exposure

Overview: github.com/mattermost/mattermost/server/channels/app is a private-cloud Slack alternative. Affected versions of this package are vulnerable to Information Exposure via the WebSocket component. An attacker can obtain sensitive information, including password hashes and MFA secrets, by...

6.9 CVSS | 5.6 AI score | 0.00198 EPSS
Exploits: 0 | References: 2