Back to overview

CVE-2026-12988

Description
The WP 2FA WordPress plugin before 3.1.1.2 does not verify that the email address supplied during two-factor authentication setup belongs to the user, allowing an attacker who has obtained a user's credentials to redirect the setup verification code to an attacker-controlled email address and take over the account.

Metadata

CVE ID
CVE-2026-12988
State
PUBLISHED
Assigner
WPScan
Reserved
2026-06-23 11:48 UTC
Published
2026-07-14 06:00 UTC
Last updated
2026-07-14 06:00 UTC
Vendor / Product
Unknown / WP 2FA
Sources
cve.org  ·  NVD

Severity & Metrics

No CVSS data available.

Affected products (1)
VendorProductPlatformVersions
Unknown WP 2FA 0 < 3.1.1.2
Weakness (CWE)
CWESourceDescription
cna CWE-862 Missing Authorization
Back to overview