CVE-2026-12988
WP 2FA < 3.1.1.2 - Account Takeover via 2FA Setup Email Binding
CVSS Score
6.4
EPSS Score
0.0%
EPSS Percentile
0th
The WP 2FA WordPress plugin before 3.1.1.2 does not verify that the email address supplied during two-factor authentication setup belongs to the user, allowing an attacker who has obtained a user's credentials to redirect the setup verification code to an attacker-controlled email address and take over the account.
| Vendor | unknown |
| Product | wp 2fa |
| Published | Jul 14, 2026 |
| Last Updated | Jul 14, 2026 |
Stay Ahead of the Next One
Get instant alerts for unknown wp 2fa
Be the first to know when new medium vulnerabilities affecting unknown wp 2fa are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
Unknown / WP 2FA
0 < 3.1.1.2
References
Credits
Janger WPScan