Encryption key is stored in version control – (WPMU Defender – 3.3.2)

Affected plugin: WPMU Defender
Active installs: 70,000+
Vulnerable version: 3.3.2
Audited version: 3.3.2
Fully patched version: 3.3.3
Recommended remediation: Immediately update to version 3.3.3 or higher and reset all TOTP secrets.

Description

The plugin encrypts users’ TOTP secrets with symmetric encryption before storing them in the database. However, the encryption key is committed to version control and the same key is used on every active install of the plugin.

Proof of concept

The plugin uses the Crypt::get_decrypted_string method to decrypt the TOTP secrets of all users, reading the key from a file that ships with the plugin:

public static function get_decrypted_string( $data ): string {
  // def.key is part of the plugin package itself, not generated per install.
  $key = file_get_contents( __DIR__ . '/def.key' );
  return false !== $key ? self::decrypt_data( $data, $key ) : '';
}

The encryption key “def.key” is stored in version control and is the same for all active installations of the plugin.

This renders the encryption useless: anyone who obtains the stored ciphertexts also has the key, since it is public, and can always decrypt them.
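The remedy is a key that is generated on each installation rather than shipped with the code, combined with authenticated encryption. The following is an added illustration written for this advisory, not the plugin's code; it assumes libsodium (PHP 7.2+) and a key path outside both the web root and the repository (the /tmp path is a placeholder for the demo).

```php
<?php
// Added example: per-install key provisioning plus authenticated encryption
// of TOTP secrets with libsodium. Not the plugin's code.
// Assumption: KEY_PATH is outside the plugin directory and the repository,
// e.g. a constant defined in wp-config.php; /tmp is a placeholder here.
declare(strict_types=1);

const KEY_PATH = '/tmp/example-totp.key'; // placeholder path for the demo

/** Load this install's key, generating a fresh random one on first use. */
function load_or_create_key(string $path): string {
    if (is_file($path)) {
        $key = file_get_contents($path);
        if ($key !== false && strlen($key) === SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            return $key;
        }
    }
    $key = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES); // 32 bytes, unique per install
    if (file_put_contents($path, $key, LOCK_EX) === false) {
        throw new RuntimeException("cannot write key file: $path");
    }
    chmod($path, 0600); // owner-only: other local users cannot read the key
    return $key;
}

/** Encrypt a TOTP secret: random nonce prepended to the authenticated box. */
function encrypt_secret(string $plaintext, string $key): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));
}

/** Decrypt; returns null when the data was tampered with or another key is used. */
function decrypt_secret(string $encoded, string $key): ?string {
    $raw = base64_decode($encoded, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain;
}

$key    = load_or_create_key(KEY_PATH);
$stored = encrypt_secret('JBSWY3DPEHPK3PXP', $key); // constructed sample TOTP secret
echo decrypt_secret($stored, $key) === 'JBSWY3DPEHPK3PXP' ? "round-trip ok\n" : "round-trip FAILED\n";
// A key from any other install cannot open the ciphertext, the property def.key lacked:
echo decrypt_secret($stored, random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES)) === null ? "foreign key rejected\n" : "FAILED\n";
```

Because secrets already stored under the shared key must be treated as exposed, a fix of this kind still has to be paired with the TOTP reset the remediation above calls for.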

Timeline

Vendor contacted: September 29, 2022
First response: October 04, 2022
Fully patched at: October 20, 2022
Publicly disclosed: April 24, 2023
