Privilege Escalation in Keyy Two Factor Authentication Plugin for WordPress
CVE-2025-10293

8.8HIGH

Key Information:

Vendor: WordPress
Status: Keyy Two Factor Authentication (like Clef)
Vendor: CVE Published:; 15 October 2025

What is CVE-2025-10293?

The Keyy Two Factor Authentication plugin for WordPress is susceptible to a privilege escalation vulnerability due to inadequate validation of user identities associated with generated tokens. This flaw enables authenticated attackers, even with subscriber-level access, to forge valid authentication tokens. As a result, they can execute an auto-login to other users' accounts, including those of administrators who have set up two-factor authentication, thus compromising account security and user data.

Affected Version(s)

Keyy Two Factor Authentication (like Clef) * <= 1.2.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/keyy/

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 15, 2025
Vulnerability Reserved
Sep 11, 2025

Credit

Jonas Benjamin Friedli

JSON