CVE-2023-6506

The WP 2FA – Two-factor authentication for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.5.0 via the sendbackupcodesemail due to missing validation on a user controlled key. This makes it possible for subscriber-level...

Design/Logic Flaw

The WP 2FA – Two-factor authentication for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.5.0 via the sendbackupcodesemail due to missing validation on a user controlled key. This makes it possible for subscriber-level...

CVE-2023-6506 WP 2FA <= 2.5.0 - Insecure Direct Object Reference to Arbitrary Email Sending

The WP 2FA – Two-factor authentication for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.5.0 via the sendbackupcodesemail due to missing validation on a user controlled key. This makes it possible for subscriber-level...

CVE-2023-6520 WP 2FA – Two-factor authentication for WordPress <= 2.5.0 - Cross-Site Request Forgery

The WP 2FA – Two-factor authentication for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.0. This is due to missing or incorrect nonce validation on the sendbackupcodesemail function. This makes it possible for unauthenticated...