What the vulnerability does
01 Description
The Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `MfaEmailDisable` action in all versions up to, and including, 21.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disable the global Email 2FA setting for the entire site.
Explanation of Vulnerability in Simple Terms
02 Summary
Shield version 21.0.9 and earlier contains an authorization flaw that allows authenticated users to modify data they should not have access to. An attacker with a low-privilege account can alter information through the application without proper permission checks. The vulnerability affects the integrity of protected data but does not expose sensitive information or disrupt service availability.
What an attacker can do
03 Attacker Capabilities
Modify data or settings they should not have permission to change.
Potential impact on your site
04 Site Impact
Unauthorized users can alter site data, potentially affecting site configuration or user-facing content.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege user account on the site.
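To make the bug class concrete, the following is an added illustration (not Shield's own code) of an AJAX handler that changes a site-wide setting without a capability check, beside the hardened form. The `wp_ajax_` hook wiring, the `shield_demo_*` function names and the option key are assumptions chosen for this example; only the action name `MfaEmailDisable` comes from the advisory.

```php
<?php
// Hypothetical illustration of the advisory's bug class; not Shield's code.
// Assumed names: shield_demo_* functions, the shield_demo_email_2fa_enabled option
// and the wp_ajax_ hook used to reach the handler.

// BEFORE: the handler is reachable by any logged-in user (wp_ajax_ requires only
// authentication) and never asks whether that user may change global settings.
// A Subscriber account can therefore turn off email 2FA for the whole site.
function shield_demo_mfa_email_disable_unchecked() {
    update_option( 'shield_demo_email_2fa_enabled', false ); // site-wide state change
    wp_send_json_success( array( 'disabled' => true ) );
}

// AFTER: authorization and request-origin checks run before any state change.
function shield_demo_mfa_email_disable_checked() {
    // 1. Capability check: only users who may manage site options can change a
    //    global security setting. Subscriber-level users fail this and get a 403.
    //    wp_send_json_error() terminates the request, so no return is needed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 2. Nonce check: the request must come from the plugin's own admin UI.
    //    check_ajax_referer() dies on an invalid or missing nonce.
    check_ajax_referer( 'shield_demo_mfa_email', 'nonce' );

    update_option( 'shield_demo_email_2fa_enabled', false );
    wp_send_json_success( array( 'disabled' => true ) );
}

// Only the hardened handler is wired to the action; the unchecked version above is
// shown solely to make the missing check visible.
add_action( 'wp_ajax_MfaEmailDisable', 'shield_demo_mfa_email_disable_checked' );
```

When reviewing a plugin for this pattern, look for every `wp_ajax_` or REST callback that writes options and confirm a `current_user_can()` call guards the write, not just a login check.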
Key dates
06 Disclosure timeline
February 19, 2026: CVE published
April 8, 2026: Record updated