FernleafSystems Shield
cpe:2.3:a:getshieldsecurity:shield_security:*:*:*:*:wordpress:*:*
- <= 21.0.9
An Insecure Direct Object Reference (IDOR) vulnerability has been identified in the WordPress Shield: Blocks Bots, Protects Users, and Prevents Security Breaches plugin, affecting all versions through 21.0.9. The issue arises in the MfaGoogleAuthToggle class, where insufficient validation of a user-controlled key lets authenticated attackers with Subscriber-level access or higher disable Google Authenticator for any user.
Exploitation allows authenticated users with Subscriber-level access or higher to disable Google Authenticator for any user, potentially leading to unauthorized access or account takeover.
Users can update to version 21.0.10 or a newer patched version to address this vulnerability.
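The bug class described above, as an added illustration written for this page (a hypothetical WordPress AJAX handler, not Shield's own code): the vulnerable pattern lets the request choose which account's authenticator is removed, while the hardened pattern binds the action to the acting user unless an explicit capability covers other accounts. The action name, nonce name and `mfa_google_auth_secret` meta key are assumed.

```php
<?php
// Hypothetical handler, not Shield's code. Shows the IDOR pattern the
// advisory describes and a hardened version of the same toggle.

// --- Vulnerable pattern: the target account is chosen by the request ------
function mfa_toggle_vulnerable() {
    // Any logged-in user reaches this; the "user_id" key is trusted as-is,
    // so a Subscriber can name any other account.
    $target = (int) ( $_POST['user_id'] ?? 0 );
    delete_user_meta( $target, 'mfa_google_auth_secret' ); // assumed meta key
    wp_send_json_success( array( 'user_id' => $target ) );
}

// --- Hardened pattern: authorise the target, not just the session ---------
function mfa_toggle_hardened() {
    // 1. CSRF protection: the request must carry a nonce for this action.
    check_ajax_referer( 'mfa_toggle', 'nonce' );

    $actor  = get_current_user_id();
    $target = (int) ( $_POST['user_id'] ?? $actor );

    // 2. Authorisation: a user may only change their own MFA unless they
    //    hold a capability that explicitly covers other users' accounts.
    if ( $target !== $actor && ! current_user_can( 'edit_users' ) ) {
        wp_send_json_error( array( 'reason' => 'forbidden' ), 403 ); // wp_die()s
    }

    // 3. Refuse to touch data for an account that does not exist.
    if ( ! get_userdata( $target ) ) {
        wp_send_json_error( array( 'reason' => 'no such user' ), 404 );
    }

    delete_user_meta( $target, 'mfa_google_auth_secret' ); // assumed meta key
    wp_send_json_success( array( 'user_id' => $target ) );
}

// Registered for authenticated users only (wp_ajax_*, not wp_ajax_nopriv_*);
// authentication alone is not authorisation, hence the checks above.
add_action( 'wp_ajax_mfa_toggle', 'mfa_toggle_hardened' );
```

For detection, a sudden run of MFA-disable events where the acting user differs from the affected user is the signal to alert on.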