CVE-2026-42411

CloudSecure WP Security <= 1.4.7 - Two-Factor Authentication Bypass

mediumAuthentication Bypass by Alternate Name
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
1.4.8
Patched in
5d
Time to patch

Description

The CloudSecure WP Security plugin for WordPress is vulnerable to Two-Factor Authentication Bypass in all versions up to, and including, 1.4.7. This makes it possible for unauthenticated attackers to bypass two-factor authentication.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.4.7
PublishedMay 28, 2026
Last updatedJune 2, 2026

What Changed in the Fix

Changes introduced in v1.4.8

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-42411 (CloudSecure WP Security) ## 1. Vulnerability Summary The **CloudSecure WP Security** plugin (up to 1.4.7) is vulnerable to a **Two-Factor Authentication (2FA) Bypass** due to an "Authentication Bypass by Alternate Name" flaw. In WordPress contexts, thi…

Show full research plan

Exploitation Research Plan - CVE-2026-42411 (CloudSecure WP Security)

1. Vulnerability Summary

The CloudSecure WP Security plugin (up to 1.4.7) is vulnerable to a Two-Factor Authentication (2FA) Bypass due to an "Authentication Bypass by Alternate Name" flaw. In WordPress contexts, this typically occurs when a security plugin performs a case-sensitive check on the username to determine if 2FA should be enforced, while the WordPress core authentication mechanism is case-insensitive.

An attacker who has obtained a user's password can bypass the 2FA requirement by logging in with a variation of the username (e.g., using different casing or the user's email address) that does not match the plugin's internal 2FA-enabled user list but is still accepted by WordPress core as a valid identifier for the target account.

2. Attack Vector Analysis

  • Endpoint: wp-login.php (Standard WordPress login).
  • Attack Type: Logic Bypass / Case Sensitivity Manipulation.
  • Authentication Required: None (unauthenticated attacker with a known password).
  • Vulnerable Parameter: log (the username/email field).
  • Preconditions:
    • The target user must have 2FA enabled within the CloudSecure WP settings.
    • The attacker must have the target user's password.

3. Code Flow

The vulnerability likely resides in modules/two-factor-authentication.php (referenced in modules/cloudsecure-wp.php).

  1. Initialization: CloudSecureWP (in modules/cloudsecure-wp.php) instantiates CloudSecureWP_Two_Factor_Authentication.
  2. Hook: The 2FA module likely hooks into wp_login or authenticate.
  3. Logic Gap:
    • When a user logs in, the plugin retrieves the username from the request ($_POST['log']).
    • It checks if 2FA is active for that specific username string by querying its settings or a custom database table.
    • If the lookup is case-sensitive (e.g., isset($enabled_users['admin'])), providing an alternate name like Admin returns false.
  4. Bypass: The plugin permits the login to proceed without redirecting to the 2FA verification screen.
  5. Core Success: WordPress core receives Admin, finds the user admin, and completes the authentication.

4. Nonce Acquisition Strategy

This vulnerability exploits the primary login flow, which does not require a WordPress nonce for the initial wp-login.php POST request. No nonce acquisition is required for the exploit.

5. Exploitation Strategy

Step 1: Baseline Verification

Attempt a normal login with the correct casing to confirm 2FA is active.

  • Request: POST /wp-login.php
  • Body: log=admin&pwd=Password123!&wp-submit=Log+In
  • Expected Response: Redirect to a 2FA prompt or a 200 OK with a 2FA input field.

Step 2: Exploitation via Alternate Name (Casing)

Attempt login using an alternate casing for the username.

  • Request: POST /wp-login.php
  • Body: log=AdMiN&pwd=Password123!&wp-submit=Log+In
  • Expected Response: A 302 Found redirect directly to /wp-admin/, setting authentication cookies and skipping the 2FA screen.

Step 3: Exploitation via Alternate Name (Email)

Attempt login using the user's email address (if known).

  • Request: POST /wp-login.php
  • Body: log=admin@example.com&pwd=Password123!&wp-submit=Log+In
  • Expected Response: Redirect to /wp-admin/, skipping 2FA.

6. Test Data Setup

To verify this in an automated environment:

  1. Create User:
    wp user create victim victim@example.com --role=administrator --user_pass=password123
    
  2. Enable 2FA Globally:
    The plugin's CLI can be used to enable the feature:
    wp cldsec-wp-security enable two-factor-authentication --enabled_roles=administrator
    
  3. Register User for 2FA:
    Ensure the user victim is marked as registered. If the plugin uses user meta:
    # (Example meta key, adjust based on actual discovery)
    wp usermeta update victim _cloudsecurewp_2fa_enabled 't'
    
    Note: If the registration requires a TOTP secret, navigate to admin.php?page=cloudsecurewp_two_factor_authentication_registration as the victim to complete setup.

7. Expected Results

  • Failure Condition (Secured): Both victim and VICTIM logins lead to the 2FA verification page.
  • Success Condition (Vulnerable): victim prompts for 2FA, but VICTIM logs directly into the dashboard.

8. Verification Steps

After performing the HTTP POST request with the alternate name:

  1. Check Cookies: Ensure the response contains wordpress_logged_in_... cookies.
  2. Check Redirect: The Location header should point to .../wp-admin/ and NOT a 2FA-specific URL.
  3. Validate Session: Use the obtained cookies to request wp-admin/index.php and verify the content contains "Dashboard".
    # Using wp-cli to verify the user state
    wp user get victim --field=user_login
    

9. Alternative Approaches

If case-insensitivity is handled but email login is not, focus on the email bypass. If neither works, check for Parameter Pollution:

  • Payload: log=admin&log=nonexistent_user&pwd=password123
  • If the plugin's 2FA check picks the last log parameter (empty/invalid) but WordPress core picks the first, 2FA may be skipped.

If the "Alternate Name" refers to the wp_signon logic, try providing the username via the user_login parameter instead of log (some plugins check one but not both).

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.