Feb 18, 2026 CVE-2025-13587: Two-Factor Authentication Bypass in Two Factor via Email A WordPress 2FA plugin issue where token handling could let a user skip the email second factor.