Resolved

dlogicdave (@dlogicdave)

    Hi there,

    We’re experiencing a critical security issue with Wordfence Login Security on one of our WooCommerce sites. Two-factor authentication has always worked correctly, but since today we discovered that users can log in by entering any 2FA code — even completely random numbers.

    This obviously should not be possible, and it indicates that the 2FA validation is being skipped or bypassed somehow.

    Here’s what we’ve checked so far:

- The site is running the latest version of Wordfence and Wordfence Login Security
- No errors or warnings are shown in Wordfence logs
- 2FA is enabled and required for the affected user roles
- The issue happens both on the WooCommerce “My Account” login page and the wp-login.php page
- The issue started suddenly without known configuration changes

Has anyone experienced this before, or is there a known vulnerability or bug related to 2FA validation being bypassed?

    Any guidance or suggestions on where to look next would be greatly appreciated — this is quite urgent due to the security impact.

    Thanks in advance!

Viewing 3 replies - 1 through 3 (of 3 total)
Thread Starter dlogicdave (@dlogicdave)

It's fixed! It happens when the Advanced Google reCAPTCHA plugin is active!

Thread Starter dlogicdave (@dlogicdave)

It's fixed! It happens when the Advanced Google reCAPTCHA plugin is active! So, fixed!

Plugin Support wfpeter (@wfpeter)

    Hi @dlogicdave, thanks for your report.

    We’ve seen this occur rarely, but are aware of an issue that we’ve documented and should be checked first. There are some other plugins mentioned on that page related to 2FA:

    Plugin: Advanced Google reCAPTCHA

Description: Causes our two-factor authentication feature to malfunction so that any six-digit two-factor authentication code entered allows access, even if the code is incorrect.

    https://www.wordfence.com/help/advanced/plugin-theme-conflicts/

    We think the underlying issue is related to Advanced Google reCAPTCHA replacing code usually run during the default WordPress login flow, causing our 2FA field’s value to be ignored. We have already proactively reached out to the plugin authors to offer compatibility assistance as this conflict has a security implication for anybody encountering it.

    Many thanks,
    Peter.

The topic ‘Wordfence 2FA Accepts Any Code — Critical Security Issue’ is closed to new replies.