Plugin Vulnerability Hub
Plugin | 9 known issues | Latest disclosed Nov 03, 2025

WP 2FA – Two-factor authentication for WordPress Vulnerabilities

Review known vulnerability records for the WordPress plugin WP 2FA – Two-factor authentication for WordPress (`wp-2fa`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2025-12628, CVE-2022-44587 and CVE-2024-32568, so operators can jump from disclosure to patch validation without scanning the full feed first.

Known Records: 9
High or Critical: 0
Patch Coverage: 100%
Last Updated: Dec 01, 2025

Priority CVE Quick Links

Fast paths into WP 2FA – Two-factor authentication for WordPress CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs: 8

CVE-2024-32568 | Medium | Patched in 2.6.3
CVE-2024-32568 WP 2FA – Two-factor authentication for WordPress Cross-Site Scripting

WP 2FA – Two-factor authentication for WordPress <= 2.6.2 - Reflected Cross-Site Scripting

CVE-2022-1527 | Medium | Patched in 2.2.1
CVE-2022-1527 WP 2FA – Two-factor authentication for WordPress Cross-Site Scripting

WP 2FA – Two-factor authentication for WordPress <= 2.2.0 - Reflected Cross-Site Scripting

CVE-2025-12628 | Medium | Patched in 3.0.0
CVE-2025-12628 WP 2FA – Two-factor authentication for WordPress Vulnerability

WP 2FA – Two-factor authentication for WordPress <= 2.9.3 - 2-Factor Authentication Bypass

CVE-2022-44587 | Medium | Patched in 2.6.4
CVE-2022-44587 WP 2FA – Two-factor authentication for WordPress Sensitive Information Exposure

WP 2FA <= 2.6.3 - Unauthenticated Information Exposure via Log File

CVE-2022-2891 | Medium | Patched in 2.3.0
CVE-2022-2891 WP 2FA – Two-factor authentication for WordPress Sensitive Information Exposure

WP 2FA <= 2.2.1 - Time-Based TOTP attack to Sensitive Information Exposure

CVE-2023-6506 | Medium | Patched in 2.6.0
CVE-2023-6506 WP 2FA – Two-factor authentication for WordPress Authorization Bypass

WP 2FA <= 2.5.0 - Insecure Direct Object Reference to Arbitrary Email Sending

CVE-2023-6520 | Medium | Patched in 2.6.0
CVE-2023-6520 WP 2FA – Two-factor authentication for WordPress Cross-Site Request Forgery

WP 2FA – Two-factor authentication for WordPress <= 2.5.0 - Cross-Site Request Forgery

CVE-2022-44595 | Medium | Patched in 2.2.1
CVE-2022-44595 WP 2FA – Two-factor authentication for WordPress Authorization Bypass

WP 2FA – Two-factor authentication for WordPress <= 2.2.0 - Missing Authorization

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for WP 2FA – Two-factor authentication for WordPress so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility: 9 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix: 0 critical and 0 high severity findings.
Recent CVEs: CVE-2025-12628, CVE-2022-44587 and CVE-2024-32568
Reference Workflow: Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for WP 2FA – Two-factor authentication for WordPress

Sorted by latest disclosure date so newly published issues surface first.

Plugin | Medium | Patched: Yes | CVE-2025-12628
CVE-2025-12628: WP 2FA – Two-factor authentication for WordPress <= 2.9.3 - 2-Factor Authentication Bypass

The WP 2FA – Two-factor authentication for WordPress plugin for WordPress is vulnerable to 2FA bypass in all versions up to, and including, 2.9.3. This makes it possible for unauthenticated attackers to bypass 2FA protection. Please note Wordfence does not consider this a securit...

Published: Nov 03, 2025
Patched Release: 3.0.0
Affected Versions: Versions up to 2.9.3
Next Step: Update to 3.0.0 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2022-44587
CVE-2022-44587: WP 2FA <= 2.6.3 - Unauthenticated Information Exposure via Log File

The WP 2FA – Two-factor authentication for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.3 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensi...

Published: Jun 20, 2024
Patched Release: 2.6.4
Affected Versions: Versions up to 2.6.3
Next Step: Update to 2.6.4 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2024-32568
CVE-2024-32568: WP 2FA – Two-factor authentication for WordPress <= 2.6.2 - Reflected Cross-Site Scripting

The WP 2FA – Two-factor authentication for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 2.6.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers t...

Published: Apr 16, 2024
Patched Release: 2.6.3
Affected Versions: Versions up to 2.6.2
Next Step: Update to 2.6.3 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2023-6506
CVE-2023-6506: WP 2FA <= 2.5.0 - Insecure Direct Object Reference to Arbitrary Email Sending

The WP 2FA – Two-factor authentication for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.5.0 via the send_backup_codes_email function due to missing validation on a user-controlled key. This makes it possible for s...

Published: Jan 02, 2024
Patched Release: 2.6.0
Affected Versions: Versions up to 2.5.0
Next Step: Update to 2.6.0 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2023-6520
CVE-2023-6520: WP 2FA – Two-factor authentication for WordPress <= 2.5.0 - Cross-Site Request Forgery

The WP 2FA – Two-factor authentication for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.0. This is due to missing or incorrect nonce validation on the send_backup_codes_email function. This makes it possible...

Published: Jan 02, 2024
Patched Release: 2.6.0
Affected Versions: Versions up to 2.5.0
Next Step: Update to 2.6.0 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2022-44595
CVE-2022-44595: WP 2FA – Two-factor authentication for WordPress <= 2.2.0 - Missing Authorization

The WP 2FA plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the login_form_validate_2fa function in versions up to, and including, 2.2.0. This makes it possible for authenticated attackers to receive a 2FA login code even if the prov...

Published: Dec 07, 2022
Patched Release: 2.2.1
Affected Versions: Versions up to 2.2.0
Next Step: Update to 2.2.1 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2022-2891
CVE-2022-2891: WP 2FA <= 2.2.1 - Time-Based TOTP attack to Sensitive Information Exposure

The WP 2FA plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 2.2.1 due to the use of a linear-time comparison operator when comparing token hashes. This allows an attacker to gain information about authentication tokens by obse...

Published: Sep 14, 2022
Patched Release: 2.3.0
Affected Versions: Versions up to 2.2.1
Next Step: Update to 2.3.0 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2022-1527
CVE-2022-1527: WP 2FA – Two-factor authentication for WordPress <= 2.2.0 - Reflected Cross-Site Scripting

The WP 2FA WordPress plugin before 2.2.1 does not sanitize and escape a parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue.

Published: May 06, 2022
Patched Release: 2.2.1
Affected Versions: Versions up to 2.2.0
Next Step: Update to 2.2.1 or newer if supported.

Plugin | Medium | Patched: Yes
WP 2FA – Two-factor authentication for WordPress <= 2.1.0 - Insecure Direct Object Reference

The WP 2FA – Two-factor authentication for WordPress plugin for WordPress makes it possible for attackers to disable other users' 2FA settings in versions up to, and including, 2.1.0.

Published: Apr 13, 2022
Patched Release: 2.2.0
Affected Versions: Versions up to 2.1.0
Next Step: Update to 2.2.0 or newer if supported.