CVE Catalog

CVE-2026-11883

HighCVSS 7.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.37%

28th percentile — higher than 28% of all known CVEs

Summary

The WebAuthn Provider for Two Factor WordPress plugin before version 2.5.6 does not correctly validate the second-factor authentication response, allowing an attacker who already knows a user's password to bypass the two-factor authentication requirement by submitting a malformed request.

Risk Assessment

The risk is that an attacker with a stolen password can gain unauthorized access to a user account by bypassing the second-factor protection, leading to account takeover and potential data breach.

Recommendation

It is recommended to immediately update the WebAuthn Provider for Two Factor plugin to version 2.5.6 or later, which includes a fix for the authentication response validation.

Original NVD description (English source)

The WebAuthn Provider for Two Factor WordPress plugin before 2.5.6 does not correctly validate the second-factor authentication response, allowing an attacker who already knows a user's password to bypass the two-factor authentication requirement by submitting a malformed request.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS