CVE-2025-10293HIGH 8.8EPSS p25.3%

CVE-2025-10293CVE-2025-10293

Description

The Keyy Two Factor Authentication (like Clef) plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.2.3. This is due to the plugin not properly validating a user's identity associated with a token generated. This makes it possible for authenticated attackers, with subscriber-level access and above, to generate valid auth tokens and leverage that to auto-login as other accounts, including administrators, as long as the administrator has the 2FA set up.

Scoring

CVSS 3.18.8 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS0.34% probability of exploitation · percentile 25.3% · 2026-06-19T12:03:05Z
Published2025-10-15
Last modified2026-04-15

Underlying weaknesses· 1

CWE-287

References

  1. https://wordpress.org/plugins/keyy/
  2. https://www.wordfence.com/threat-intel/vulnerabilities/id/1850e6bd-04bc-4510-aba9-e51431363231?source=cve

1

TypeTargetConfidenceTier
WeaknessImproper Authenticationcwe-2870%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-3746
CVE
CVE-2025-3607
CVE
CVE-2026-1994
CVE
CVE-2025-9967
CVE
CVE-2025-12374
CVE
CVE-2025-6813
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.