WordPress plugin vulnerabilities


This archive contains the list of all security vulnerabilities in WordPress plugins that we (responsibly) disclosed.

Most of the vulnerabilities have been validated by:

  • GridPane
  • The InfoSec team of one of the largest enterprise WordPress hosts.
  • A fellow white-hat hacker with 20 years of experience working with Fortune 500 and government agencies.
  • Thomas Raef, CEO at wewatchyourwebsite.com

There are three reasons a vulnerability might be listed here:

  • The vendor has already fixed the vulnerability.
  • The vendor did not indicate any progress toward a resolution.
  • The vendor stated that they did not consider our findings to be a security issue.

For vendors:
Potential patches were last evaluated on September 21, 2022.
If an issue has been fixed let us know through the comment form on the respective disclosure page.

  • TOTP Secrets stored as plaintext in a world-readable file – (WPMU Defender 3.3.1)

    Affected plugin: WPMU Defender
    Active installs: 70,000+
    Vulnerable version: 3.3.1
    Audited version: 3.3.1
    Fully patched version: 3.3.3
    Recommended remediation: Immediately update to version 3.3.3 or higher and reset all TOTP secrets.
    Description: The plugin stores TOTP secrets as plaintext in a file inside the WordPress uploads directory. On the overwhelming amount of WordPress web server…

  • Total site takeover in combination with read-only SQLi – (WordFence <= 7.6.1)

    An attacker can compromise any site using WordFence’s 2FA functionality by logging in as any user with two-factor authentication configured. The only precondition is that any plugin, any theme, or WordPress Core has one of the seemingly never-ending read-only SQL Injection vulnerabilities. Neither the target user’s primary credentials nor any other form of authentication is required.

  • Compromise of 2FA secrets and backup codes through read-only SQLi – (WordFence <= 7.6.2)

    The plugin stores users’ emergency backup codes and TOTP secrets as plaintext in the database. An attacker that can obtain one of the seemingly never-ending read-only SQL-Injections will be able to bypass all 2FA checks for all users indefinitely.

  • DOS through IP spoofing – (WordFence <= 7.6.2)

    The plugin is vulnerable to IP spoofing if the target site is behind a reverse proxy and WordFence is configured to fetch the IP address from any source besides REMOTE_ADDR (the default). An attacker can exploit this to ban legitimate users, search-engine crawlers, or the site’s reverse proxy.

  • Total site takeover in combination with read-only SQLi – (Shield Security <= 16.1.3)

    Affected plugin: Shield Security
    Active installs: 60,000+
    Vulnerable version: <= 16.1.3
    Audited version: 16.1..1
    Fully patched version: 16.1.4
    Recommended remediation: Immediately upgrade to version 16.1.4 or higher
    Description: An attacker can log in as any user with two-factor authentication enabled without knowing the user’s primary credentials. The only precondition is that any plugin, theme, or…

  • Compromise of 2FA secrets through read-only SQLi – (Shield Security <= 16.1.6)

    The plugin stores users’ emergency backup codes and TOTP secrets as plaintext in the database. An attacker that can obtain one of the seemingly never-ending read-only SQL-Injections will be able to bypass all 2FA checks for all users indefinitely.

  • DOS through IP spoofing – (Shield Security <= 16.1.6)

    The plugin is vulnerable to IP spoofing, which an attacker can exploit to ban search engine crawlers, the site’s reverse proxy, or legitimate users.

  • Broken encryption allows 2FA bypass – (All in One WP Security <= 5.0.7)

    The plugin employs a broken encryption scheme that allows an attacker to permanently bypass all 2FA checks under the condition that the target website was vulnerable at any point in time to one of the never-ending read-only SQL-Injections in any plugin, theme, or WordPress core.

  • DOS through IP spoofing – (All in One WP Security <= 5.0.7)

    The plugin is wide open to IP spoofing, which an attacker can exploit to ban search engine crawlers, the site’s reverse proxy, or legitimate users. Alternatively, an attacker can bring down the entire MySQL server by flooding the database with the entire IPv4 range.