CVE-2026-11883

Summary

The WebAuthn Provider for Two Factor WordPress plugin before 2.5.6 does not correctly validate the second-factor authentication response, allowing an attacker who already knows a user's password to bypass the two-factor authentication requirement by submitting a malformed request.

Affected Software

VendorProductVersion RangeStatus
UnknownWebAuthn Provider for Two Factor0 < 2.5.6affected

Weaknesses

  • CWE-287 Improper Authentication

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

References