CVE Alert: CVE-2025-10293 – nexist – Keyy Two Factor Authentication (like Clef)
CVE-2025-10293
The Keyy Two Factor Authentication (like Clef) plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.2.3. This is due to the plugin not properly validating a user’s identity associated with a token generated. This makes it possible for authenticated attackers, with subscriber-level access and above, to generate valid auth tokens and leverage that to auto-login as other accounts, including administrators, as long as the administrator has the 2FA set up.
AI Summary Analysis
Risk verdict
High risk: privilege escalation via account takeover is possible for any authenticated subscriber, so urgent patching is advised even though active exploitation has not been confirmed.
Why this matters
If an attacker with subscriber-level access can hijack tokens to log in as administrators, they can read, modify or delete data, tamper with configurations, or move laterally across sites hosted on the same WordPress instance. The impact scales with the number of admin accounts and the value of data managed by the site.
Most likely attack path
An attacker already holding a subscriber-level (or higher) account abuses the token-generation flow, which does not properly bind a generated token to the requesting user's identity, and uses the resulting token to auto-login as other users (including administrators) as long as the targeted administrator has 2FA configured. No user-interface prompt is involved, and the attack relies on credentials the attacker already holds rather than on an external access vector. The preconditions are modest (subscriber+ access and an admin account with 2FA enabled) and are commonly met in typical WordPress deployments.
Who is most exposed
WordPress sites with the Keyy plugin installed, especially those using shared hosting or public-facing admin portals with multiple user roles, are at greatest risk. Organisations relying on 2FA-enabled admin accounts without tight monitoring are particularly vulnerable.
Detection ideas
- Administrator logins originating from a session or client that previously authenticated as a subscriber, or from new IP addresses or mid-session IP changes.
- Token-generation requests or session creations that occur without password prompts.
- Multiple administrator accounts logged in from the same client that began as a subscriber session, or logins to several accounts in rapid succession from one source.
- Anomalous admin activity immediately following a subscriber login.
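A small correlation check over constructed login events, as an added example that is not part of the original alert: it flags token-based administrator logins that follow a subscriber login from the same IP within a short window, which covers the first and last detection ideas above. The log line format, the field names and the `method=token` value are assumptions, not the plugin's real log output.

```python
"""Correlate WordPress auth events: a subscriber login quickly followed by a
token-based administrator login from the same IP is worth an alert."""
import re
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format, not the plugin's real output).
SAMPLE_LOG = """\
2025-09-15T10:00:01Z login user=bob role=subscriber ip=203.0.113.5 method=password
2025-09-15T10:00:44Z login user=siteadmin role=administrator ip=203.0.113.5 method=token
2025-09-15T10:01:02Z login user=ops role=administrator ip=203.0.113.5 method=token
2025-09-15T11:30:00Z login user=siteadmin role=administrator ip=198.51.100.9 method=password
2025-09-15T12:00:00Z login user=carol role=subscriber ip=192.0.2.77 method=password
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) role=(?P<role>\S+) "
    r"ip=(?P<ip>\S+) method=(?P<method>\S+)$"
)

def parse(lines):
    """Yield (timestamp, user, role, ip, method) for every well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["user"], m["role"], m["ip"], m["method"]

def find_suspicious_admin_logins(lines, window=timedelta(minutes=15)):
    """Return (admin_user, ip, preceding_subscriber) for each non-password
    administrator login that follows a subscriber login from the same IP
    within `window`. Password logins are ignored: the flaw is in token flow."""
    last_subscriber = {}  # ip -> (timestamp, subscriber user)
    alerts = []
    for ts, user, role, ip, method in sorted(parse(lines)):
        if role == "subscriber":
            last_subscriber[ip] = (ts, user)
        elif role == "administrator" and method != "password":
            prev = last_subscriber.get(ip)
            if prev and ts - prev[0] <= window:
                alerts.append((user, ip, prev[1]))
    return alerts

if __name__ == "__main__":
    for admin, ip, sub in find_suspicious_admin_logins(SAMPLE_LOG.splitlines()):
        print(f"ALERT: token login as {admin} from {ip} shortly after subscriber {sub}")
```

Feed it your real authentication log once the regex is adapted to your format; the two token logins from 203.0.113.5 are flagged, the password login from 198.51.100.9 is not.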
Mitigation and prioritisation
- Patch to a version beyond 1.2.3 or remove/disable the vulnerable Keyy plugin.
- In the interim: restrict subscriber capabilities, rotate admin tokens, tighten 2FA enforcement, and invalidate sessions after token-related events.
- Disable or review token-generation endpoints; implement application-layer controls to limit token issuance.
- Change-management: test patch in a staging environment, then deploy organisation-wide with rollback plans.
- If KEV or EPSS signals become positive, treat as priority 1. For now, prioritise patching because of the high CVSS impact and the weak authentication in the token flow.