CVE-2018-20231

HIGH

two-factor-authentication < 1.3.13 - Cross-Site Request Forgery via tfa_enable_tfa Parameter

Title source: llm
STIX 2.1

Description

Cross Site Request Forgery (CSRF) in the two-factor-authentication plugin before 1.3.13 for WordPress allows remote attackers to disable 2FA via the tfa_enable_tfa parameter due to missing nonce validation.

References (3)

Core 3

Scores

CVSS v3 8.8
EPSS 0.0144
EPSS Percentile 70.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-352
Status published
Products (1)
simbahosting/two-factor-authentication < 1.3.13
Published Dec 19, 2018
Tracked Since Feb 18, 2026