Home

Description

The WP 2FA WordPress plugin before 3.1.1.2 does not verify that the email address supplied during two-factor authentication setup belongs to the user, allowing an attacker who has obtained a user's credentials to redirect the setup verification code to an attacker-controlled email address and take over the account.

PUBLISHED Reserved 2026-06-23 | Published 2026-07-14 | Updated 2026-07-14 | Assigner WPScan

Problem types

CWE-862 Missing Authorization

Product status

Default status
unaffected

Any version before 3.1.1.2
affected

Credits

Janger finder

WPScan coordinator

References

wpscan.com/...rability/8aa6bf91-54ee-4326-a477-31f42284be22/ exploit vdb-entry technical-description

cve.org (CVE-2026-12988)

nvd.nist.gov (CVE-2026-12988)

Download JSON