Compromise of 2FA secrets and backup codes through read-only SQLi – (WordFence Login Security <= 1.0.11)

Affected pluginWordFence Login Security
Active installs50,000+
Vulnerable version<= 1.0.11
Audited version1.0.10
Fully patched version
Recommended remediationPENDING


The plugin stores users’ emergency backup codes and TOTP secrets as plaintext in the database.
An attacker that can obtain one of the seemingly never-ending read-only SQL-Injections will be able to bypass all 2FA checks for all users indefinitely.


Vendor contactedSeptember 08, 2022
First ResponseSeptember 08, 2022
Fully patched at
Publicly disclosedApril 24, 2023


Leave a Reply

Your email address will not be published. Required fields are marked *