Description

The plugin is vulnerable to Insecure Direct Object Reference via send_backup_codes_email due to missing validation on a user-controlled key. This makes it possible for subscriber-level attackers to email arbitrary users on the site.

CPE

| Name | Operator | Version |
|---|---|---|
| | eq | 2.6.0 |