CVE-2026-12988
Description
The WP 2FA WordPress plugin before 3.1.1.2 does not verify that the email address supplied during two-factor authentication setup belongs to the user, allowing an attacker who has obtained a user's credentials to redirect the setup verification code to an attacker-controlled email address and take over the account.
Metadata
Severity & Metrics
No CVSS data available.
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| Unknown | WP 2FA | — | 0 < 3.1.1.2 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| — | cna | CWE-862 Missing Authorization |