POC for CVE-2018-20231 - Two Factor Authentication CSRF Vulnerability

In order to test the CSRF vulnerability you need to:

Clicking the 'Disable 2FA' button will disable 2FA.

Domain of your WordPress installation (for example: https://www.example.com)


Click on the button below to disable Two Factor Authentication:

Note: This only works if you are logged in to WordPress on the domain you're submitting.
After you have clicked on the Disable button, you can view the effects by loading / refreshing the Two Factor Authentication plugin page.

Note II: This only works for vulnerable versions of the plugin (all versions below 1.3.13).

Note III: Be sure to enable the plugin again!!
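
For the defensive side of the issue above, here is an added example (not the plugin's own code and not part of the original page) of a WordPress settings handler that rejects cross-site requests by verifying a nonce. The plugin header, action name, nonce name, form field and user-meta key are all hypothetical; it assumes the file is loaded as a plugin inside WordPress.

```php
<?php
/*
 * Plugin Name: Demo 2FA toggle (hypothetical, illustration only)
 */

const DEMO_TFA_ACTION = 'demo_tfa_save_settings'; // hypothetical action name
const DEMO_TFA_NONCE  = 'demo_tfa_nonce';         // hypothetical nonce field name
const DEMO_TFA_META   = 'demo_tfa_enabled';       // hypothetical user-meta key

// Settings form. wp_nonce_field() emits a hidden token tied to the current
// user, session and action; a page on another origin cannot read it.
function demo_tfa_render_form() {
    $enabled = (bool) get_user_meta( get_current_user_id(), DEMO_TFA_META, true );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="<?php echo esc_attr( DEMO_TFA_ACTION ); ?>">
        <?php wp_nonce_field( DEMO_TFA_ACTION, DEMO_TFA_NONCE ); ?>
        <label>
            <input type="checkbox" name="demo_tfa_enabled" value="1" <?php checked( $enabled ); ?>>
            Enable two-factor authentication
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// POST handler. Without the check_admin_referer() call the browser's session
// cookie alone would authorise the change, which is the CSRF condition.
function demo_tfa_handle_save() {
    // Stops the request with a 403 if the nonce is missing, expired,
    // or was issued for a different action or user.
    check_admin_referer( DEMO_TFA_ACTION, DEMO_TFA_NONCE );

    $enabled = isset( $_POST['demo_tfa_enabled'] ) ? 1 : 0;
    update_user_meta( get_current_user_id(), DEMO_TFA_META, $enabled );

    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}

// admin_post_{action} only fires for logged-in users.
add_action( 'admin_post_' . DEMO_TFA_ACTION, 'demo_tfa_handle_save' );

// Expose the form under Users > Demo 2FA for any logged-in user.
add_action( 'admin_menu', function () {
    add_users_page( 'Demo 2FA', 'Demo 2FA', 'read', 'demo-tfa', 'demo_tfa_render_form' );
} );
```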