Keyy Two Factor Authentication Privilege Escalation Vulnerability in WordPress

Vulnerability

A privilege escalation vulnerability allowing account takeover has been identified in the Keyy Two Factor Authentication (like Clef) plugin for WordPress, affecting all versions through 1.2.3. The vulnerability arises because the plugin fails to properly validate a user's identity linked to a generated token. This flaw enables authenticated attackers with subscriber-level access or higher to create valid authentication tokens and use them to automatically log in as other users, including administrators, provided the administrator has two-factor authentication enabled.

Impact

Exploitation of this vulnerability allows authenticated users with subscriber-level access and above to take over other accounts, including those of administrators, by exploiting the two-factor authentication mechanism.

Added: Oct 15, 2025, 9:46 AM

Updated: Oct 15, 2025, 9:46 AM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

5.0

exploitability

5.2

remediation

0.0

relevance

0.7

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

5.0

exploitability

5.2

remediation

0.0

relevance

0.7

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Keyy Two Factor Authentication Privilege Escalation Vulnerability in WordPress

Vulnerability

Impact

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating