The Theme My Login 2FA WordPress plugin before 1.2 does not rate limit 2FA validation attempts, which may allow an attacker to brute-force all possibilities, which shouldn't be too long, as the 2FA codes are 6 digits.
An attacker can send multiple 2FA code verification requests without any limit on the number of attempts (no rate limiting mechanism). The 2FA code consists of 6 digits, giving a space of 1,000,000 possible combinations. Without a lockout after a certain number of failed attempts, an attacker can systematically try all possible codes until obtaining the correct one. The vulnerability is classified as CWE-307, which is improper limitation of excessive authentication attempts.
An attacker can bypass the two-factor authentication mechanism and gain full access to a WordPress user account, taking control of it. Depending on the account permissions, this can lead to complete site takeover.
The Theme My Login 2FA plugin should be updated to version 1.2 or later, which introduces a mechanism to limit the number of 2FA code verification attempts.
Theme My Login 2FA plugin for WordPress in versions prior to 1.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HThememylogin 2fa
APPThememylogin< 1.2