Broken encryption allows 2FA bypass – (All in One WP Security <= 5.0.7)

Affected pluginAll In One WP Security & Firewall
Active installs1+ million
Vulnerable version<= 5.0.7
Audited version5.0.7
Fully patched version5.1.9
Recommended remediationUpgrade to version 5.1.9 or higher and explicitly enable 2FA secret encryption in the plugin settings.


This vulnerability is the exact same one as in the Two-Factor-Authentication plugin by Updraft. All in One WP Security & Firewall contains a copy of the plugin.

Proof of concept

See here.

Proposed patch

See here.


See here.


See here.

2 responses

  1. indigetal

    I have discussed this issue with David Andersen at length in the All-In-One Security plugin support page at He very much disputes the framing of the issue as it is presented here but nevertheless agrees that two-layers of protection are better than one. The feature, “Encrypt TFA secret keys that are stored in the database (extra protection in case of your database being hacked)” was added in AIOS 5.1.9.

    1. Thanks for the update, we have updated the information as 2FA secrets are now encrypted with the key stored in the filesystem (albeit opt-in, rather than opt-out, but this will probably change in the future).

Leave a Reply

Your email address will not be published. Required fields are marked *