๐Ÿ” CVE Alert

CVE-2026-12988

MEDIUM 6.4

WP 2FA < 3.1.1.2 - Account Takeover via 2FA Setup Email Binding

CVSS Score
6.4
EPSS Score
0.0%
EPSS Percentile
0th

The WP 2FA WordPress plugin before 3.1.1.2 does not verify that the email address supplied during two-factor authentication setup belongs to the user, allowing an attacker who has obtained a user's credentials to redirect the setup verification code to an attacker-controlled email address and take over the account.

Vendor unknown
Product wp 2fa
Published Jul 14, 2026
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for unknown wp 2fa

Be the first to know when new medium vulnerabilities affecting unknown wp 2fa are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

Unknown / WP 2FA
0 < 3.1.1.2

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
wpscan.com: https://wpscan.com/vulnerability/8aa6bf91-54ee-4326-a477-31f42284be22/

Credits

Janger WPScan