Compromise of 2FA secret codes possible through read-only SQLi – (Google Authenticator-Factor <= 0.54)

Affected plugin: Google Authenticator
Active installs: 30,000+
Vulnerable version: <= 0.54
Audited version: 0.54
Fully patched version:
Recommended remediation: Removal of the plugin

Description

The plugin stores users’ TOTP secret keys in plaintext in the database. An attacker who can exploit one of the seemingly never-ending read-only SQL injections will be able to bypass all 2FA checks for all users indefinitely.

Proof of concept

The plugin stores users’ TOTP secrets as plaintext in the “wp_usermeta” table.

// EDITOR: $GA_secret is just a random string.
// Writes the secret unencrypted to wp_usermeta under meta_key 'googleauthenticator_secret'.
update_user_option( $user_id, 'googleauthenticator_secret', $GA_secret, true );

An attacker can abuse a read-only SQLi to compromise all two-factor checks for all users by getting the following SQL query to execute:

SELECT user_id, meta_value, meta_key FROM wp_usermeta WHERE meta_key = 'googleauthenticator_secret'
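The following Python model is an added example, not the plugin's code: it contrasts what the plugin writes into `wp_usermeta` (the bare secret) with a variant that seals the secret under a key kept in `wp-config.php`, so a read-only SQLi on the table alone no longer yields anything TOTP-usable. All values are constructed; the HMAC-based encrypt-then-MAC helper stands in for what a PHP plugin would get from `sodium_crypto_secretbox`.

```python
import base64, hashlib, hmac, os, struct

# Constructed demo values: the RFC 6238 test secret (base32) and a site key held in wp-config.php, not the DB.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SITE_KEY = hashlib.sha256(b"constructed demo key held in wp-config.php").digest()
usermeta = {}  # stand-in for wp_usermeta rows, keyed by (user_id, meta_key)

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1: the code Google Authenticator displays."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)

def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())
def _stream(enc_key, nonce, n):  # HMAC-SHA256 in counter mode as a PRF keystream
    blocks = (hmac.new(enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """Encrypt-then-MAC with a random nonce; stand-in for sodium_crypto_secretbox."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return base64.b64encode(nonce + ct + tag).decode()
def unseal(key, blob):
    raw = base64.b64decode(blob)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    enc_key, mac_key = _subkeys(key)
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("meta_value tampered with, or wrong site key")
    return bytes(a ^ b for a, b in zip(ct, _stream(enc_key, nonce, len(ct))))

def store_secret(user_id, secret_b32, encrypt):
    """encrypt=False mirrors the plugin; encrypt=True is the hardened variant."""
    value = seal(SITE_KEY, secret_b32.encode()) if encrypt else secret_b32
    usermeta[(user_id, "googleauthenticator_secret")] = value
def stored_value(user_id):  # what a read-only SQLi on wp_usermeta hands back
    return usermeta[(user_id, "googleauthenticator_secret")]

def verify_login_code(user_id, code, unix_time):
    """Server-side check for the hardened variant: decrypt with the filesystem key."""
    secret = unseal(SITE_KEY, stored_value(user_id)).decode()
    return hmac.compare_digest(totp(secret, unix_time), code)
```

An attacker who can also read files on the host still recovers the site key, so this only closes the SQLi-only path; a key in an HSM or KMS raises the bar further.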

Timeline

Vendor contacted: September 12, 2022
First response: September 12, 2022
Fully patched at:
Publicly disclosed: April 24, 2023

Miscellaneous

  • The developer did not consider this a security issue.
