CVE-2026-11883
HighCVSS 7.2Exploitation Probability (EPSS)
Low risk28th percentile — higher than 28% of all known CVEs
Summary
The WebAuthn Provider for Two Factor WordPress plugin before version 2.5.6 does not correctly validate the second-factor authentication response, allowing an attacker who already knows a user's password to bypass the two-factor authentication requirement by submitting a malformed request.
Risk Assessment
The risk is that an attacker with a stolen password can gain unauthorized access to a user account by bypassing the second-factor protection, leading to account takeover and potential data breach.
Recommendation
It is recommended to immediately update the WebAuthn Provider for Two Factor plugin to version 2.5.6 or later, which includes a fix for the authentication response validation.
Original NVD description (English source)
The WebAuthn Provider for Two Factor WordPress plugin before 2.5.6 does not correctly validate the second-factor authentication response, allowing an attacker who already knows a user's password to bypass the two-factor authentication requirement by submitting a malformed request.

