WordPress Security Plugins Don’t Prevent Disclosure of One-Time Password Through Exploited Plugin Vulnerability
A month ago, we saw a hacker looking to exploit a vulnerability that had recently been fixed in the WordPress plugin User Verification. That vulnerability, discovered by Lana Codes, involved the plugin's functionality to email a one-time password for logging in to WordPress. The problem with the functionality was that it didn't just email the password; it also sent it back as part of the response to the request to have it emailed. So an attacker could submit the request to have the password emailed for a WordPress user's account, read the password (which was only supposed to be emailed) out of the response, and then log in to that account.
Preventing an information disclosure issue like this would be difficult for a WordPress security plugin that isn't aware of the particular vulnerability. The attacker's request is the same request a legitimate user sends, so there is nothing on the request side to block; the plugin would have to recognize that the response contains something that shouldn't be disclosed, which requires knowing what in that response is secret. So it would be unlikely that a security plugin would provide protection. Our own firewall plugin, Plugin Vulnerabilities Firewall, doesn't have protection against such a situation, but we are always looking to see how we might be able to expand its protection, so we were curious to see if any other plugins provided protection.
What we found is that no WordPress security plugins tested blocked disclosure of the one-time password. Interestingly, since it has been a month since this was exploited, there was plenty of time for plugins that include rules written for individual vulnerabilities to have added protection against this specific issue, but that didn't happen either, despite, say, the Wordfence Premium service claiming to offer real-time protection through that kind of rule (the lack of that protection is in line with what we have seen from that service for some time).
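To make the vulnerability class concrete, here is an added illustration of the two patterns described above. This is not code from User Verification or from any of the tested security plugins; the action names, meta keys and messages are hypothetical. The first handler emails a one-time password and also echoes it in the JSON response, which is the flaw. The second handler emails it and returns only a generic message, stores a hash rather than the plaintext, and gives the same answer whether or not the address matched.

```php
<?php
/*
 * Added illustration, not code from User Verification or any real plugin.
 * Action names, meta keys and messages below are hypothetical.
 */

// --- Vulnerable pattern: the OTP is emailed AND echoed back to the caller. ---
add_action( 'wp_ajax_nopriv_example_send_otp_vulnerable', 'example_send_otp_vulnerable' );
function example_send_otp_vulnerable() {
    $email = sanitize_email( $_POST['email'] ?? '' );
    $user  = get_user_by( 'email', $email );
    if ( ! $user ) {
        // Also tells the caller which addresses have accounts (user enumeration).
        wp_send_json_error( array( 'message' => 'No such user.' ) );
    }
    $otp = wp_generate_password( 8, false );
    update_user_meta( $user->ID, 'example_login_otp', $otp );
    wp_mail( $email, 'Your login code', "Your code is: $otp" );
    // The bug: anyone who can POST to admin-ajax.php receives the code meant for the mailbox.
    wp_send_json_success( array( 'message' => 'Code sent.', 'otp' => $otp ) );
}

// --- Hardened pattern: the secret leaves the server only through the out-of-band channel. ---
add_action( 'wp_ajax_nopriv_example_send_otp', 'example_send_otp' );
function example_send_otp() {
    $email = sanitize_email( $_POST['email'] ?? '' );
    $user  = get_user_by( 'email', $email );
    if ( $user ) {
        $otp = wp_generate_password( 8, false );
        // Store a hash plus an expiry so a database read does not yield a usable code.
        update_user_meta( $user->ID, 'example_login_otp', array(
            'hash'    => wp_hash_password( $otp ),
            'expires' => time() + 10 * MINUTE_IN_SECONDS,
        ) );
        wp_mail( $email, 'Your login code', "Your code is: $otp" );
    }
    // Same response whether or not the address matched, and no secret in the body.
    wp_send_json_success( array(
        'message' => 'If that address is registered, a code has been emailed.',
    ) );
}

// Verification side for the hardened pattern: check against the stored hash, enforce
// the expiry, and burn the record so the code is single use.
function example_verify_otp( $user_id, $submitted ) {
    $record = get_user_meta( $user_id, 'example_login_otp', true );
    if ( empty( $record['hash'] ) || empty( $record['expires'] ) || time() > (int) $record['expires'] ) {
        return false;
    }
    $ok = wp_check_password( $submitted, $record['hash'] );
    delete_user_meta( $user_id, 'example_login_otp' ); // one attempt per issued code
    return $ok;
}
```

The point relevant to the test results: the request that triggers `example_send_otp_vulnerable` is byte-for-byte the request a legitimate user sends, so a request-side rule has nothing to match on. Only the response differs, and a generic firewall has no way to know that the `otp` member of that JSON object is a secret unless someone writes a rule for that specific endpoint. Deleting the record on a failed check, as above, trades a possible nuisance (an attacker can invalidate a pending code) for removing any chance of guessing it; rate limiting the request endpoint is still needed to stop an attacker flooding a user's inbox.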
Testing Procedure
For each of the tested plugins, we set up an install of WordPress 6.1.1, installed version 1.0.93 of User Verification, and installed the latest version of the security plugin. We tried to enable any feature of the plugin that could possibly have an impact on stopping the disclosure of the one-time password. We didn’t set up any additional service connected with the plugins.
The 32 plugins we tested include the security plugins listed in the Popular plugins section of the Plugin Directory and some others that look to be intended or marketed to prevent this type of situation. If you would like to see an additional plugin included in future testing, please leave a comment on the post or contact us.
Results
None of the tested plugins blocked the disclosure of the one-time password.
The full results are below:
All-In-One Security (AIOS)
- WordPress.org Plugin Directory page
- Active Installs: 1+ Million
- Version Tested: 5.1.5
Result: Failed to prevent disclosure.
Anti-Malware Security and Brute-Force Firewall
- WordPress.org Plugin Directory page
- Active Installs: 200,000+
- Version Tested: 4.21.91
Result: Failed to prevent disclosure.
AntiHacker
- WordPress.org Plugin Directory page
- Active Installs: 1,000+
- Version Tested: 4.27
Result: Failed to prevent disclosure.
BBQ Firewall
- WordPress.org Plugin Directory page
- Active Installs: 100,000+
- Version Tested: 20221002
Result: Failed to prevent disclosure.
Bitfire
- WordPress.org Plugin Directory page
- Active Installs: Fewer than 10
- Version Tested: 3.7.4
Result: Failed to prevent disclosure.
BulletProof Security
- WordPress.org Plugin Directory page
- Active Installs: 40,000+
- Version Tested: 6.7
Result: Failed to prevent disclosure.
Clearfy
- WordPress.org Plugin Directory page
- Active Installs: 90,000+
- Version Tested: 2.1.4
Result: Failed to prevent disclosure.
Defender
- WordPress.org Plugin Directory page
- Active Installs: 80,000+
- Version Tested: 3.8.1
Result: Failed to prevent disclosure.
Hide My WP
- Code Canyon page
- Active Installs: N/A
- Version Tested: 6.2.9
Result: Failed to prevent disclosure.
Hide My WP Ghost Lite
- WordPress.org Plugin Directory page
- Active Installs: 100,000+
- Version Tested: 5.0.17
Result: Failed to prevent disclosure.
iThemes Security
- WordPress.org Plugin Directory page
- Active Installs: 1+ Million
- Version Tested: 8.1.4
Result: Failed to prevent disclosure.
Jetpack
- WordPress.org Plugin Directory page
- Active Installs: 5+ Million
- Version Tested: 11.8
Result: Failed to prevent disclosure.
Jetpack Protect
- WordPress.org Plugin Directory page
- Active Installs: 50,000+
- Version Tested: 1.2.0
Result: Failed to prevent disclosure.
MalCare Security
- WordPress.org Plugin Directory page
- Active Installs: 300,000+
- Version Tested: 4.87
Result: Failed to prevent disclosure.
NinjaFirewall
- WordPress.org Plugin Directory page
- Active Installs: 90,000+
- Version Tested: 4.5.5
Result: Failed to prevent disclosure.
Pareto Security
- WordPress.org Plugin Directory page
- Active Installs: 500+
- Version Tested: 3.2.4
Result: Failed to prevent disclosure.
Patchstack
- WordPress.org Plugin Directory page
- Active Installs: 10,000+
- Version Tested: 2.1.23
Result: Failed to prevent disclosure.
Plugin Vulnerabilities Firewall
- Page on our website
- Active Installs: N/A
- Version Tested: 1.0.13
Result: Failed to prevent disclosure.
RSFirewall!
- WordPress.org Plugin Directory page
- Active Installs: 2,000+
- Version Tested: 1.1.26
Result: Failed to prevent disclosure.
SecuPress Free
- WordPress.org Plugin Directory page
- Active Installs: 30,000+
- Version Tested: 2.2.3
Result: Failed to prevent disclosure.
Security by CleanTalk
- WordPress.org Plugin Directory page
- Active Installs: 20,000+
- Version Tested: 2.102
Result: Failed to prevent disclosure.
Security Ninja
- WordPress.org Plugin Directory page
- Active Installs: 10,000+
- Version Tested: 5.153
Result: Failed to prevent disclosure.
Shield Security
- WordPress.org Plugin Directory page
- Active Installs: 50,000+
- Version Tested: 16.1.14
Result: Failed to prevent disclosure.
SiteGround Security
- WordPress.org Plugin Directory page
- Active Installs: 700,000+
- Version Tested: 1.4.0
Result: Failed to prevent disclosure.
SiteGuard WP Plugin
- WordPress.org Plugin Directory page
- Active Installs: 500,000+
- Version Tested: 1.7.3
Result: Failed to prevent disclosure.
Sucuri Security
- WordPress.org Plugin Directory page
- Active Installs: 800,000+
- Version Tested: 1.8.36
Result: Failed to prevent disclosure.
Titan Anti-spam & Security
- WordPress.org Plugin Directory page
- Active Installs: 100,000+
- Version Tested: 7.3.4
Result: Failed to prevent disclosure.
Web Application Firewall
- WordPress.org Plugin Directory page
- Active Installs: 200+
- Version Tested: 2.1.1
Result: Failed to prevent disclosure.
Wordfence Security
- WordPress.org Plugin Directory page
- Active Installs: 4+ Million
- Version Tested: 7.8.2
Result: Failed to prevent disclosure.
WP Cerber Security, Anti-spam & Malware Scan
- WordPress.org Plugin Directory page
- Active Installs: 200,000+
- Version Tested: 9.2.2
Result: Failed to prevent disclosure.
WP Hardening
- WordPress.org Plugin Directory page
- Active Installs: 10,000+
- Version Tested: 1.2.6
Result: Failed to prevent disclosure.
WP Hide & Security Enhancer
- WordPress.org Plugin Directory page
- Active Installs: 80,000+
- Version Tested: 1.9.5
Result: Failed to prevent disclosure.