WordPress issue exposes users to hijacking

May 27, 2014

Because of an unencrypted cookie it is possible to hijack a user's session. The vulnerability is caused by WordPress servers not protecting a key browser cookie, transferring it in plain text. Even when two-factor authentication is enabled, the session can be hijacked if the attacker and the user are on the same Wi-Fi connection. Using the stolen cookie it is possible to change the e-mail address, but not the password. In the next release of WordPress the authentication cookie will be invalidated after a session ends.
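A defender's check for the weakness described above, as an added example that is not part of the original report: it parses Set-Cookie headers and flags session cookies that lack the Secure attribute (the missing flag that lets a cookie travel in plain text over HTTP) or HttpOnly. The cookie names and header values are constructed for illustration, not taken from WordPress.

```python
"""Audit Set-Cookie headers for attributes that keep a session cookie off plain HTTP.

Added example, not code from the original report. Cookie names and header
values below are constructed; the name hints are an assumption about what
a site calls its authentication cookie.
"""
from typing import Dict, List

# Substrings (assumed, constructed) that suggest a cookie carries a login session.
SESSION_COOKIE_HINTS = ("logged_in", "session", "auth")


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header value into name, value and a lowercase attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        # Flag attributes such as Secure/HttpOnly have no value; store True for them.
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def is_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_COOKIE_HINTS)


def audit_cookies(headers: List[str]) -> List[str]:
    """Return one finding per session cookie that is missing a transport protection."""
    findings: List[str] = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if not is_session_cookie(str(cookie["name"])):
            continue  # preference cookies are not worth hijacking
        attrs = cookie["attrs"]
        if "secure" not in attrs:
            findings.append(f"{cookie['name']}: missing Secure (sent over plain HTTP too)")
        if "httponly" not in attrs:
            findings.append(f"{cookie['name']}: missing HttpOnly (readable by page scripts)")
    return findings


# Constructed sample headers: the weak setting, the corrected setting, and a non-session cookie.
SAMPLE_HEADERS = [
    "session_token=abc123; Path=/",
    "session_token=abc123; Path=/; Secure; HttpOnly",
    "theme_pref=dark; Path=/",
]

if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS):
        print(finding)
```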