Total site takeover in combination with read-only SQLi – (WordFence Login Security <= 1.0.10)

Affected plugin: WordFence Login Security
Active installs: 50,000+
Vulnerable version: <= 1.0.10
Audited version: 1.0.10
Fully patched version: 1.0.11
Recommended remediation: Immediately update to version 1.0.11

Description


An attacker can compromise any site using WordFence’s 2FA functionality by logging in as any user with two-factor authentication configured.

The only precondition is that any plugin, any theme, or WordPress Core has one of the seemingly never-ending read-only SQL Injection vulnerabilities.

Neither the target user’s primary credentials nor any other form of authentication is required.

Timeline


Vendor contacted: September 08, 2022
First response: September 08, 2022
Fully patched at: September 16, 2022
Publicly disclosed: April 24, 2023

Miscellaneous


  • The vendor did not disclose that patch 1.0.11 fixed a critical security vulnerability. Instead, the vendor used the following changelog message, which, in our opinion, does not adequately reflect the severity of the issue.
    The changelog message is:
    “Improvement: Hardened 2FA login flow to reduce exposure in cases where an attacker is able to obtain privileged information from the database”
  • The vendor was the only one out of 26 that implemented proper security best practices, like offering a public GPG key to secure the POC.
