CVE-2025-10293 HIGH

CVE-2025-10293: Keyy Two Factor Authentication (like Clef) <= 1.2.3 - Authenticated (Subscriber+) Privilege Escalation via Account Takeover

Vendor Nexist
Product Keyy Two Factor Authentication (like Clef)
Weakness CWE-287 · Improper authentication
Published October 15, 2025
Last update April 8, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The Keyy Two Factor Authentication (like Clef) plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.2.3. This is due to the plugin not properly validating the user identity associated with a generated token. This makes it possible for authenticated attackers, with subscriber-level access and above, to generate valid auth tokens and leverage them to auto-login as other accounts, including administrators, as long as the target administrator has 2FA set up.
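The weakness described above is a token that is not bound to the identity that requested it. The following added example (written for this page, not the plugin's own code; all names, the secret and the enrolment table are constructed) contrasts that pattern with a fix in which an auto-login token can only ever name the user who is actually authenticated:

```python
import base64, hashlib, hmac, json

# Constructed demo data: a per-site signing key and which users have enrolled
# in the 2FA plugin (only enrolled users can be auto-logged-in via token).
SITE_SECRET = b"constructed-demo-secret-change-me"
ENROLLED_IN_2FA = {1: True, 7: True}   # uid 1 = administrator, uid 7 = subscriber

def _b64(raw): return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64(text): return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_login_token(uid, issued_at, ttl=300):
    """Return an HMAC-signed auto-login token naming `uid` with an expiry."""
    body = json.dumps({"uid": uid, "exp": issued_at + ttl}, sort_keys=True).encode()
    mac = hmac.new(SITE_SECRET, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(mac)}"

def issue_token_weak(session_uid, request_params, now):
    """Vulnerable pattern (CWE-287): the account the token will log in comes from
    a client-supplied parameter, so the caller's identity (session_uid) is never
    tied to the token. Any enrolled account can be minted by any logged-in user."""
    target = int(request_params.get("user_id", session_uid))
    if not ENROLLED_IN_2FA.get(target):
        return None
    return sign_login_token(target, now)

def issue_token_fixed(session_uid, request_params, now):
    """Hardened: the token may only name the authenticated user; a client-supplied
    user_id is ignored, so the token cannot be redirected at another account."""
    if not ENROLLED_IN_2FA.get(session_uid):
        return None
    return sign_login_token(session_uid, now)

def auto_login(token, now):
    """Server side: verify signature and expiry; return the uid to log in, or None."""
    try:
        body_b64, mac_b64 = token.split(".")
        body, mac = _unb64(body_b64), _unb64(mac_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SITE_SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return None
    claims = json.loads(body)
    return claims["uid"] if claims["exp"] > now else None
```

Note that the signature check alone does not help: both issuers produce correctly signed tokens, and the defect is purely which identity the token is allowed to carry.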

Explanation of Vulnerability in Simple Terms

02 Summary

Keyy Two Factor Authentication versions 1.2.3 and earlier contain an authentication bypass vulnerability. An attacker with a low-privilege (subscriber-level) account can bypass the two-factor authentication mechanism and gain unauthorized access to other accounts. This affects all installations running a version in the vulnerable range. Update to a version newer than 1.2.3 immediately.

What an attacker can do

03 Attacker Capabilities

Bypass two-factor authentication and gain unauthorized access to user accounts.

Potential impact on your site

04 Site Impact

User accounts protected by this 2FA plugin, including administrator accounts, can be taken over by attackers with basic (subscriber-level) site access.

Conditions required to exploit

05 Prerequisites

The attacker must have an authenticated, low-privilege (subscriber or higher) account on the site, and the target account must have 2FA set up through the plugin.

Key dates

06 Disclosure timeline

October 15, 2025 CVE published
April 8, 2026 Record updated