Compromise of 2FA secrets codes possible in combination with SQLi – (Two-Factor <= 0.7.2)

Affected pluginTwo-Factor (Plugin contributors)
Active installs40.000+
Vulnerable version<= 0.7.2
Audited version0.7.1
Fully patched versionPENDING
Recommended remediationPENDING


The plugin stores users’ TOTP secret keys as plaintext in the database. An attacker that can obtain one of the seemingly never-ending read-only SQL-Injections will be able to bypass all 2FA checks for all users indefinitely.

Proof of concept

The plugin stores users’ TOTP secrets as plaintext in the “wp_usermeta” table.

public function set_user_totp_key( $user_id, $key ) {
	return update_user_meta( $user_id, self::SECRET_META_KEY, $key );

An attacker can abuse a read-only SQLi to compromise all two-factor checks for all users by getting the following SQL query to execute:

SELECT meta_value, meta_key FROM wp_usermeta WHERE meta_key = '_two_factor_totp_key'


Vendor contactedSeptember 07, 2022
First ResponseSeptember 07, 2022
Fully patched atPENDING
Publicly disclosedApril 24, 2023


Leave a Reply

Your email address will not be published. Required fields are marked *