Posts

CVE-2025-13587: Two-Factor Authentication Bypass in Two Factor via Email

A WordPress 2FA plugin issue where token handling could let a user skip the email second factor.

CVE-2025-13587 is a two-factor authentication bypass in the Two Factor (2FA) Authentication via Email WordPress plugin.

The public advisory says the bug affected versions up to and including 1.9.8. The issue was in SS88_2FAVE::wp_login(): the plugin only enforced the 2FA requirement when the token HTTP GET parameter was undefined. Supplying any value for token, including an empty value, could prevent the second-factor requirement from being enforced.

Summary card for CVE-2025-13587 showing affected product, impact, and CVSS score
CVE-2025-13587 affected Two Factor (2FA) Authentication via Email versions up to and including 1.9.8. As of June 2026, WordPress.org lists the plugin at 9,000+ active installations.

The bug

This finding was about control flow more than cryptography. The 2FA token itself did not need to be cracked. The problem was that a request parameter influenced whether the plugin enforced the second step at all.

The CVSS vector includes PR:L, which matters: this was not a no-credential login bypass. An attacker still needed valid primary credentials for the target account. The bug weakened the second factor, not the password check.

Why it mattered

2FA plugins are security controls. When a site owner installs one, they are explicitly relying on it to keep password compromise from becoming account compromise.

That makes bypass bugs in this area worth treating seriously even when they do not immediately grant unauthenticated access. If a phished or reused password gets an attacker past the first step, the second step is supposed to be the point where the attack stops.

Fix

The plugin changelog lists 1.9.9 as a security fix for CVE-2025-13587. Site owners should update to version 1.9.9 or newer.

References