Does EMLG TFA have any unpatched vulnerabilities?

No. All known vulnerabilities in EMLG TFA have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is EMLG TFA compatible with WordPress 6.1.10?

According to WordPress.org data, EMLG TFA 1.1 has been tested up to WordPress 6.1.10. Check the plugin's changelog for the latest compatibility information.

Is EMLG TFA compatible with PHP 7.4+?

EMLG TFA requires PHP 7.4 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is EMLG TFA updated?

EMLG TFA was last updated on Feb 24, 2023. Frequent updates are generally a positive security signal.

What is EMLG TFA's security score?

EMLG TFA has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

EMLG TFA Security & Risk Analysis

wordpress.org/plugins/emlg-tfa

Two-factor authentication via out of band email

0 active installs v1.1 PHP 7.4+ WP 6.0+ Updated Feb 24, 2023

2-factor-authentication2faemail-loginemail-two-factor-authenticationlogin

A · Safe

CVEs total0

Unpatched0

Last CVENever

Download

Safety Verdict

Is EMLG TFA Safe to Use in 2026?

Generally Safe

Score 85/100

EMLG TFA has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 3yr ago

Risk Assessment

The emlg-tfa plugin, version 1.1, exhibits a mixed security posture. On the positive side, the code demonstrates good practices regarding SQL queries, exclusively using prepared statements, and all identified output operations are properly escaped. There is also a single nonce check and a single capability check present, indicating some awareness of security mechanisms. The absence of any recorded historical vulnerabilities or critical taint flows is also a positive sign.

However, a significant concern arises from the attack surface. The plugin exposes three AJAX handlers, all of which lack authentication checks. This means that any unauthenticated user could potentially trigger these handlers, leading to a considerable risk if the handlers perform sensitive operations or can be manipulated to cause harm. While no dangerous functions, file operations, or external HTTP requests were detected, and no shortcodes or cron events contribute to the attack surface, the unprotected AJAX endpoints represent a clear vulnerability. The vulnerability history being clean could be due to the plugin's limited exposure or simply a lack of past security issues, but the current static analysis reveals a critical weakness that needs immediate attention.

Key Concerns

AJAX handlers without auth checks
Large attack surface without auth checks

Vulnerabilities

None known

EMLG TFA Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 17, 2026

EMLG TFA Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

22 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

100% escaped22 total outputs

Data Flows

All sanitized

Data Flow Analysis

1 flows

<submit-code> (views\submit-code.php:0)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

3 unprotected

EMLG TFA Attack Surface

Entry Points3

Unprotected3

AJAX Handlers 3

authwp_ajax_emlg_check_email_capincludes\class-emlg-ajax.php:12

authwp_ajax_emlg_preview_login_emailincludes\class-emlg-ajax.php:13

authwp_ajax_emlg_formsincludes\class-emlg-ajax.php:14

WordPress Hooks 7

actionplugins_loadedemlg-tfa.php:57

actionadmin_menuincludes\class-emlg-dashboard.php:18

actionadmin_enqueue_scriptsincludes\class-emlg-dashboard.php:19

actionwp_mail_failedincludes\class-emlg-email.php:87

filterwp_mail_content_typeincludes\class-emlg-email.php:88

actionwp_authenticateincludes\class-emlg-login.php:33

filtertemplate_includeincludes\class-emlg-login.php:34

Maintenance & Trust

EMLG TFA Maintenance & Trust

Maintenance Signals

WordPress version tested6.1.10

Last updatedFeb 24, 2023

PHP min version7.4

Downloads882

Community Trust

Rating0/100

Number of ratings0

Active installs0

Alternatives

EMLG TFA Alternatives

Secured WP

secured-wp

100

Add two-factor authentication (2FA) for all your users with this easy to use plugin. Harden your website login page. Add whole new layer of security.

0 No CVEs

Limit Login Attempts Reloaded – Login Security, Brute Force Protection, Firewall

limit-login-attempts-reloaded

Block excessive login attempts and protect your site against brute force attacks. Simple, yet powerful tools to improve site performance.

2.0M 4 CVEs

WP 2FA – Two-factor authentication for WordPress

wp-2fa

Get better WordPress login security; add two-factor authentication (2FA) for all your users with this easy-to-use plugin.

100K 9 CVEs

Wordfence Login Security

wordfence-login-security

Secure your website with Wordfence Login Security, providing two-factor authentication, login and registration CAPTCHA, and XML-RPC protection.

70K No CVEs

WP Hide & Security Enhancer

wp-hide-security-enhancer

Protect your website by concealing vulnerable WordPress traces, plugins, themes, login/admin url. 2FA, Captcha, Firewall, Security Headers etc.

60K 3 CVEs

Developer Profile

EMLG TFA Developer Profile

wprj

2 plugins · 20 total installs

trust score

Avg Security Score

93/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect EMLG TFA

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/emlg-tfa/css/dashboard.css/wp-content/plugins/emlg-tfa/js/dashboard.js/wp-content/plugins/emlg-tfa/css/emlg-login.css

Script Paths

/wp-content/plugins/emlg-tfa/js/dashboard.js

Version Parameters

emlg-tfa/css/dashboard.css?ver=emlg-tfa/js/dashboard.js?ver=emlg-tfa/css/emlg-login.css?ver=

HTML / DOM Fingerprints

CSS Classes

emlg-tfa

Data Attributes

data-emlg_optionsdata-emlg_codemirror_settings

JS Globals

window.emlg_optionswindow.emlg_codemirror_settings

FAQ