CVE-2026-8903 youtag CVE debrief

Who should care

WordPress site administrators using the Two-factor authentication (IP Vault) plugin; security teams managing WordPress deployments; managed WordPress hosting providers

Technical summary

The ipv_save_changes function in the Two-factor authentication (formerly IP Vault) WordPress plugin fails to properly validate nonces, allowing state-changing requests to be forged. Attackers can modify operating mode, request include/exclude rules, authentication slug, and log retention period. The attack vector is network-based with low attack complexity, requiring user interaction but no privileges. Impact is limited to integrity (low) with no confidentiality or availability impact per CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N.

Defensive priority

medium

Recommended defensive actions

• Update the Two-factor authentication (IP Vault) plugin to version 2.2 or later immediately upon availability
• Implement additional CSRF protection at the web application firewall level for WordPress administrative endpoints
• Enable WordPress core nonce verification for all plugin settings modifications as a defense-in-depth measure
• Review and audit plugin settings for unauthorized changes if the site has been active since before May 27, 2026
• Consider implementing Content Security Policy (CSP) headers to mitigate impact of successful CSRF attacks
• Educate site administrators about phishing risks and verify unexpected links before clicking
• Monitor WordPress security advisories for this plugin to confirm patch availability

Evidence notes

Vulnerability confirmed via Wordfence security advisory and WordPress plugin repository source code analysis. CWE-352 (Cross-Site Request Forgery) identified as primary weakness. No known exploitation in the wild as of disclosure date.

Official resources