| Affected plugin | WordFence Login Security |
| Vulnerable version | <= 1.0.11 |
| Fully patched version | – |
The plugin stores users’ emergency backup codes and TOTP secrets as plaintext in the database.
An attacker who obtains one of the seemingly never-ending read-only SQL injections can read these values and will be able to bypass all 2FA checks for all users indefinitely.
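One way to store this material so that a read-only database leak does not yield usable 2FA credentials, as an added example (not code from the plugin or from this advisory): backup codes are kept only as password hashes, and TOTP secrets are encrypted with a key held outside the database. The function names, the sample values and the location of `$key` are assumptions.

```php
<?php
// Added illustration; function names are hypothetical, not the plugin's API.
// Assumption: $key is 32 random bytes kept outside the database (for example
// a constant in wp-config.php), so a read-only SQL injection never sees it.

// Backup codes are only ever compared, so store a one-way hash of each.
function hash_backup_codes(array $codes): array {
    return array_map(fn($c) => password_hash($c, PASSWORD_DEFAULT), $codes);
}

// Index of the matching hash (so the caller can delete it: single use),
// or null when the submitted code is not valid.
function match_backup_code(string $submitted, array $hashes): ?int {
    foreach ($hashes as $i => $hash) {
        if (password_verify($submitted, $hash)) {
            return $i;
        }
    }
    return null;
}

// The server needs the TOTP secret back to compute codes, so it is
// encrypted with an authenticated cipher rather than hashed.
function seal_totp_secret(string $secret, string $key): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($secret, $nonce, $key));
}

function open_totp_secret(string $stored, string $key): ?string {
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain; // null on tampering or wrong key
}

// Constructed sample values, not real credentials.
$key    = sodium_crypto_secretbox_keygen();
$hashes = hash_backup_codes(['1f3a9c0e7b2d4a68', '9d0c4e1b7a3f5c26']);
$stored = seal_totp_secret('JBSWY3DPEHPK3PXP', $key);
var_dump(match_backup_code('9d0c4e1b7a3f5c26', $hashes));
var_dump(match_backup_code('0000000000000000', $hashes));
var_dump(open_totp_secret($stored, $key) === 'JBSWY3DPEHPK3PXP');
```

This covers the read-only database leak described above; an attacker who can also read the key from the filesystem can still decrypt the TOTP secrets.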
Proof of concept
| Vendor contacted | September 08, 2022 |
| First Response | September 08, 2022 |
| Fully patched at | – |
| Publicly disclosed | April 24, 2023 |