What the vulnerability does
01 Description
The Keyy Two Factor Authentication (like Clef) plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.2.3. The plugin does not properly validate that the user identity associated with a generated auth token matches the user who requested it. This makes it possible for authenticated attackers, with subscriber-level access and above, to generate valid auth tokens and use them to auto-login as other accounts, including administrators, as long as the targeted administrator has the plugin's 2FA set up.
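The description above is the whole of what this page says about the flaw: a token that is valid, but not bound to the identity it is later redeemed for. The following is an added illustration of that vulnerability class, written for this page; it is not the plugin's code and makes no claim about how Keyy builds or checks its tokens. The accounts, the `ENROLLED_IN_2FA` set (modelling the "administrator has 2FA set up" condition), the `vuln_*`/`safe_*` functions and the token layout are all assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Set

# Constructed sample site: three accounts, of which only the administrator
# (id 1) has enrolled in the 2FA plugin. The plugin only honours auto-login
# tokens for enrolled accounts, which is why the advisory's prerequisite
# is "the administrator has 2FA set up". (All of this is assumed data.)
USERS: Dict[int, str] = {1: "admin", 2: "editor", 7: "subscriber"}
ENROLLED_IN_2FA: Set[int] = {1}
SECRET = secrets.token_bytes(32)          # server-side signing key (illustrative)


def _sign(msg: bytes) -> str:
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


# --- Vulnerable pattern (hypothetical) ------------------------------------
# The token only proves that *some* authenticated user asked for one; the
# account to log in as arrives as a separate request parameter and is never
# tied to the token. That is exactly the gap the advisory describes.

def vuln_issue_token(requester_id: int) -> str:
    nonce = secrets.token_hex(16)           # requester_id is never bound in
    return f"{nonce}.{_sign(nonce.encode())}"


def vuln_auto_login(token: str, requested_user_id: int) -> Optional[str]:
    try:
        nonce, sig = token.split(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(nonce.encode())):
        return None
    if requested_user_id not in ENROLLED_IN_2FA:
        return None
    return USERS[requested_user_id]         # identity taken from the request


# --- Hardened pattern (hypothetical) --------------------------------------
# The user id and an expiry are part of the signed message, the login
# endpoint derives the identity from the token alone, and each token is
# accepted once.

_USED_NONCES: Set[str] = set()


def safe_issue_token(requester_id: int, ttl: int = 60, now: Optional[float] = None) -> str:
    exp = int(now if now is not None else time.time()) + ttl
    nonce = secrets.token_hex(16)
    body = f"{requester_id}.{exp}.{nonce}"
    return f"{body}.{_sign(body.encode())}"


def safe_auto_login(token: str, now: Optional[float] = None) -> Optional[str]:
    try:
        uid_s, exp_s, nonce, sig = token.split(".")
    except ValueError:
        return None
    body = f"{uid_s}.{exp_s}.{nonce}"
    if not hmac.compare_digest(sig, _sign(body.encode())):
        return None                         # any change to the uid breaks the MAC
    uid = int(uid_s)
    if uid not in ENROLLED_IN_2FA:
        return None
    if int(exp_s) < (now if now is not None else time.time()):
        return None                         # expired
    if nonce in _USED_NONCES:
        return None                         # replayed
    _USED_NONCES.add(nonce)
    return USERS[uid]


def demo() -> Dict[str, Optional[str]]:
    attacker = 7                            # subscriber-level account
    # Vulnerable flow: get a token for yourself, redeem it as the admin.
    hijacked = vuln_auto_login(vuln_issue_token(attacker), 1)
    # Hardened flow: swapping the admin's id into your own token fails.
    own = safe_issue_token(attacker)
    forged = "1." + own.split(".", 1)[1]
    # A token genuinely issued to the admin works once, then is rejected.
    legit = safe_issue_token(1)
    return {
        "vuln_hijack": hijacked,            # "admin"
        "safe_forged": safe_auto_login(forged),
        "safe_first": safe_auto_login(legit),
        "safe_replay": safe_auto_login(legit),
    }


if __name__ == "__main__":
    print(demo())
```

The check worth carrying away: when reviewing any "magic link" or auto-login token, confirm that the account being logged in is recovered from the authenticated token itself, not from a user id, email or username sent alongside it.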
Explanation of Vulnerability in Simple Terms
02 Summary
Keyy Two Factor Authentication versions 1.2.3 and earlier allow account takeover. An attacker who holds any low-privilege account (subscriber or above) can generate a valid auto-login token and redeem it as a different user, including an administrator, because the plugin does not check that the token belongs to the user it is being redeemed for. Any account that has set up the plugin's 2FA is a possible target. This affects all installations in the vulnerable version range. Update to a version newer than 1.2.3 immediately.
What an attacker can do
03 Attacker Capabilities
Generate valid auth tokens and use them to auto-login as other users, including administrators who have 2FA set up, without knowing their credentials.
Potential impact on your site
04 Site Impact
Any account that has enrolled in this 2FA plugin, including administrator accounts, can be taken over by an attacker holding a subscriber-level account. Takeover of an administrator account gives full control of the site.
Conditions required to exploit
05 Prerequisites
The attacker must be authenticated with subscriber-level access or above, and the targeted account must have the plugin's 2FA set up.
Key dates
06 Disclosure timeline
October 15, 2025: CVE published
April 8, 2026: Record updated