Weak Backup Code Generation in WP 2FA Plugin by WordPress
CVE-2025-12628

6.3MEDIUM

Key Information:

Vendor: WordPress
Status: WP 2fa
Vendor: CVE Published:; 24 November 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-12628?

The WP 2FA WordPress plugin is compromised by a vulnerability that stems from insufficient randomness in the generation of backup codes. This weakness allows potential attackers to exploit the two-factor authentication mechanism by brute forcing the predictable backup codes. Consequently, this significantly undermines the protective layer of the plugin, potentially granting unauthorized access to users' accounts.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

WP 2FA 0 < 3.0.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-12628 - Proof of Concept

References

https://wpscan.com/vulnerability/5e2d033c-dde6-4774-8588-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

6.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Nov 24, 2025
👾
Exploit known to exist
Nov 24, 2025
Vulnerability published
Nov 24, 2025
Vulnerability Reserved
Nov 3, 2025

Credit

Benjamin Nadarević

WPScan

JSON

WordPress