CVE-2025-10293 identifies a critical improper authentication vulnerability (CWE-287) in the Keyy Two Factor Authentication plugin for WordPress, developed by nexisT, affecting all versions up to and including 1.2.3. The vulnerability arises because the plugin does not properly validate the identity of users associated with generated authentication tokens. This flaw allows authenticated attackers with subscriber-level privileges or higher to generate valid authentication tokens arbitrarily. Consequently, they can bypass the intended two-factor authentication protections and auto-login as other users, including administrators who have 2FA enabled. The attack vector is network-based (remote), requires low attack complexity, and no user interaction, making exploitation feasible for any authenticated user. The vulnerability impacts confidentiality, integrity, and availability by enabling privilege escalation and full site takeover. Despite no known exploits currently in the wild, the CVSS v3.1 base score is 8.8 (high), reflecting the severity of the issue. The plugin's failure to bind tokens securely to user identities undermines the core security guarantees of two-factor authentication, exposing WordPress sites to account takeover and potential further compromise. No official patches have been linked yet, emphasizing the need for immediate attention from site administrators.

The vulnerability allows attackers with minimal privileges (subscriber-level access) to escalate their privileges to administrator level by bypassing two-factor authentication protections. This can lead to complete site compromise, including unauthorized access to sensitive data, modification or deletion of content, installation of backdoors or malware, and disruption of site availability. Organizations relying on this plugin for 2FA security are at risk of losing control over their WordPress environments, potentially affecting customer data confidentiality and business operations. The ease of exploitation and the critical nature of administrative access make this vulnerability particularly dangerous. Additionally, compromised administrator accounts can be leveraged for further lateral movement within organizational networks, increasing the overall security risk. The absence of known exploits in the wild currently provides a window for mitigation, but the high severity score indicates urgent remediation is necessary to prevent future attacks.

1. Immediately audit WordPress sites using the Keyy Two Factor Authentication plugin and identify affected versions (up to 1.2.3). 2. If an official patch or updated plugin version is released, apply it promptly to remediate the vulnerability. 3. In the absence of patches, consider disabling the Keyy 2FA plugin temporarily to prevent exploitation. 4. Implement additional access controls to restrict subscriber-level users from sensitive areas or functions as a temporary measure. 5. Monitor authentication logs for unusual token generation or login activities indicative of exploitation attempts. 6. Enforce strong password policies and consider alternative, more secure 2FA solutions with verified security track records. 7. Conduct thorough post-incident investigations if compromise is suspected, including checking for unauthorized admin accounts or backdoors. 8. Educate site administrators about the risks of using unpatched plugins and the importance of timely updates. 9. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious token generation or login patterns related to this vulnerability. 10. Regularly back up site data and configurations to enable recovery in case of compromise.