Keyy Two Factor Authentication CVE-2025-10293: Privilege Escalation via Token Validation Flaw (Brief Summary)

Brief summary of CVE-2025-10293 affecting Keyy Two Factor Authentication plugin for WordPress. Explains the privilege escalation flaw, affected versions, and technical exploitation details. No patch or detection methods available as vendor has discontinued the plugin.
ZeroPath CVE Analysis

2025-10-15
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

Privilege escalation from a basic subscriber account to full administrator access on a WordPress site is a worst-case scenario for site owners. The Keyy Two Factor Authentication plugin, once trusted for secure logins, now poses this exact risk due to a critical flaw that allows authenticated users to take over administrator accounts if 2FA is enabled. The plugin has been discontinued, leaving no patch or support for affected sites.

Keyy Two Factor Authentication was developed by Nexist, an Australian business consulting firm. Keyy aimed to simplify and strengthen WordPress authentication using RSA public-key cryptography and mobile-based 2FA. The plugin had a multi-year presence in the WordPress ecosystem, with both free and premium offerings. As of October 2025, the vendor has exited the plugin market, leaving users to migrate to other solutions.

Technical Information

CVE-2025-10293 is rooted in improper validation of user identity during the authentication token workflow. When a user with subscriber-level access or higher interacts with the Keyy plugin, they can generate authentication tokens. The plugin fails to ensure that these tokens are strictly tied to the initiating user's identity. As a result, an attacker can create a token that is accepted for another account, including administrator accounts, as long as the target account has Keyy 2FA enabled.

The vulnerability is classified as CWE-287 (Improper Authentication). The exploit requires two conditions:

  • The attacker must have an authenticated account (subscriber or above) on the target WordPress site.
  • The target administrator account must have Keyy 2FA enabled.

By abusing the token generation and validation logic, the attacker is logged in automatically as the administrator and gains full control of the site. No public code snippets or PoC details are available, but the flaw is confirmed by multiple security advisories.
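Because the plugin's internals are not public, the following is an added illustration of the general CWE-287 pattern the advisories describe, not Keyy's code: a login token whose authenticated payload does not name the account it was issued for, beside a hardened version that binds the user id into the MAC'd payload and refuses to create a session for any other account. All function names, the secret, and the user ids are constructed for the example.

```php
<?php
// Added example (not Keyy's code): unbound vs. identity-bound login tokens.
declare(strict_types=1);

// Constructed placeholder; a real deployment derives this from server-side config.
const SERVER_SECRET = 'constructed-example-secret';

// Weak pattern: the token only proves "some logged-in user minted this".
// The user id is never part of what the MAC covers.
function issue_unbound_token(int $userId): string {
    $nonce = bin2hex(random_bytes(16));
    $mac   = hash_hmac('sha256', $nonce, SERVER_SECRET);
    return "$nonce.$mac";
}

// Weak validation: a valid token logs in whichever account the request names,
// so a subscriber's token can open the administrator's session.
function login_with_unbound_token(string $token, int $requestedUserId): ?int {
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$nonce, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $nonce, SERVER_SECRET), $mac)) {
        return null;
    }
    return $requestedUserId; // identity taken from the request, not the token
}

// Hardened pattern: the user id and an expiry are inside the MAC'd payload,
// so the token can only ever authenticate the account it was issued for.
function issue_bound_token(int $userId, int $ttlSeconds = 120): string {
    $payload = json_encode([
        'uid'   => $userId,
        'exp'   => time() + $ttlSeconds,
        'nonce' => bin2hex(random_bytes(16)),
    ]);
    $b64 = rtrim(strtr(base64_encode($payload), '+/', '-_'), '=');
    $mac = hash_hmac('sha256', $b64, SERVER_SECRET);
    return "$b64.$mac";
}

// Hardened validation: verify the MAC first, then require that the account
// named in the request is exactly the account inside the token.
function login_with_bound_token(string $token, int $requestedUserId): ?int {
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$b64, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $b64, SERVER_SECRET), $mac)) {
        return null;
    }
    $payload = json_decode(base64_decode(strtr($b64, '-_', '+/')), true);
    if (!is_array($payload) || !isset($payload['uid'], $payload['exp'])) {
        return null;
    }
    if ((int) $payload['exp'] < time()) {
        return null; // expired
    }
    if ((int) $payload['uid'] !== $requestedUserId) {
        return null; // token was issued for a different account
    }
    return (int) $payload['uid'];
}

// Walk-through with constructed ids: 7 is a subscriber, 1 is an administrator.
$subscriberToken = issue_unbound_token(7);
// Weak path: the session is created for whatever id the request carries.
var_dump(login_with_unbound_token($subscriberToken, 1));

$boundToken = issue_bound_token(7);
// Hardened path: the admin id does not match the token's uid and is rejected;
// only the issuing subscriber's own id is accepted.
var_dump(login_with_bound_token($boundToken, 1));
var_dump(login_with_bound_token($boundToken, 7));
```

The defensive point is the order of operations in the hardened validator: the identity the session is created for comes from the authenticated token payload, and the request's own claim about who is logging in is only ever compared against it. A reviewer auditing any 2FA or passwordless-login plugin can check for the same property by asking where the user id that ends up in the session cookie originates.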

Affected Systems and Versions

  • Product: Keyy Two Factor Authentication (like Clef) plugin for WordPress
  • Affected Versions: All versions up to and including 1.2.3
  • Vulnerable Configuration: Any WordPress site with Keyy 2FA enabled for administrator accounts

Vendor Security History

Keyy was maintained by Nexist, which primarily operates as a business consulting firm. No prior high-profile vulnerabilities have been reported for Keyy. The vendor announced discontinuation of the plugin concurrent with the vulnerability disclosure. There is no patch or ongoing support for Keyy users.
