Security vulnerabilities in WP 2FA (4)
The plugin will, under certain conditions, log all users’ 2FA secrets to a world-readable .txt file in the “wp-uploads” directory.
The plugin uses string comparison operators that don’t mitigate timing attacks in almost all places where secret keys are compared to user input. A skilled attacker, given enough requests, can abuse this to recover secrets through a time-based side-channel attack.
Broken authentication leads to total site takeover in combination with read-only SQLi – (WP 2FA <= 2.2.1)
An attacker can take over the entire site by logging in as any user with two-factor authentication enabled without knowing that user’s primary credentials. The only precondition is that any plugin, theme, or WordPress core itself contains one of the endless read-only SQL-injection vulnerabilities.
The entire two-factor authentication can be bypassed by deleting a hidden input field in the 2FA form.