Google Authenticator Security & Risk Analysis

wordpress.org/plugins/google-authenticator

Google Authenticator for your WordPress blog.

20K active installs · v0.54 · PHP + WP 4.5+ · Updated Jul 4, 2022
Tags: authentication · login · otp · password · security
Score 85/100 · A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Apr 28, 2016
Safety Verdict

Is Google Authenticator Safe to Use in 2026?

Generally Safe

Score 85/100

Google Authenticator has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Apr 28, 2016 · Updated 3yr ago
Risk Assessment

The 'google-authenticator' plugin version 0.54 presents a generally good security posture with several positive indicators. The complete absence of unprotected entry points, including AJAX handlers and REST API routes, is a significant strength. Furthermore, the plugin exclusively uses prepared statements for SQL queries, mitigating the risk of SQL injection. It also demonstrates good practice by implementing nonce and capability checks on a majority of its code paths.

However, the static analysis reveals a concerning area: only 38% of the plugin's output is escaped. Unescaped output is a potential cross-site scripting (XSS) vector, since data that reaches the browser without escaping could be rendered as markup or script. The single data flow with an unsanitized path, even though the taint analysis did not classify it as critical or high severity, warrants attention. The plugin's vulnerability history, although currently clear of unpatched issues, includes a medium severity improper authentication vulnerability from 2016. The plugin addressed that issue, but because the flaw was in authentication, its authentication code paths merit ongoing scrutiny.

Key Concerns

  • Insufficient output escaping (38%)
  • Flow with unsanitized paths found
  • Past medium severity vulnerability (Improper Auth)
Vulnerabilities (1)

Google Authenticator Security Vulnerabilities

CVEs by Year

1 CVE in 2016 (patched)

Severity Breakdown

Medium: 1 (1 total CVE)

Google Authenticator <= 0.47 - Improper Authentication

Apr 28, 2016 · Patched in 0.48 (2826 days)
Code Analysis (analyzed Mar 16, 2026)

Google Authenticator Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 37 (23 escaped)
  • Nonce Checks: 2
  • Capability Checks: 7
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 0

Output Escaping

38% escaped · 60 total outputs
Data Flows: 1 unsanitized

Data Flow Analysis

4 flows · 1 with unsanitized paths
profile_personal_options (google-authenticator.php:670)
Attack Surface

Google Authenticator Attack Surface

Entry Points: 1 · Unprotected: 0

AJAX Handlers (1)

auth · wp_ajax_GoogleAuthenticator_action · google-authenticator.php:86
WordPress Hooks (14)
action · init · google-authenticator.php:67
action · login_form · google-authenticator.php:79
action · login_footer · google-authenticator.php:80
filter · authenticate · google-authenticator.php:83
action · personal_options_update · google-authenticator.php:89
action · profile_personal_options · google-authenticator.php:90
action · edit_user_profile · google-authenticator.php:91
action · edit_user_profile_update · google-authenticator.php:92
action · admin_enqueue_scripts · google-authenticator.php:94
action · admin_menu · google-authenticator.php:95
action · network_admin_menu · google-authenticator.php:96
action · current_screen · google-authenticator.php:97
action · admin_notices · google-authenticator.php:98
action · load-admin_page_google_authenticator_user_page · google-authenticator.php:99
Maintenance & Trust

Google Authenticator Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.0.11
  • Last updated: Jul 4, 2022
  • PHP min version
  • Downloads: 688K

Community Trust

  • Rating: 86/100
  • Number of ratings: 134
  • Active installs: 20K
Developer Profile

Google Authenticator Developer Profile

Ivan

2 plugins · 21K total installs

  • Trust score: 69
  • Avg Security Score: 85/100
  • Avg Patch Time: 2826 days
Detection Fingerprints

How We Detect Google Authenticator

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/google-authenticator/jquery.qrcode.min.js
Script Paths
/wp-content/plugins/google-authenticator/jquery.qrcode.min.js

HTML / DOM Fingerprints

Data Attributes
data-current-url, data-ga-disabled-warning, data-ga-success-message, data-ga-secret, data-ga-title, data-ga-user, +7 more
JS Globals
google_authenticator_ajax_object
FAQ

Frequently Asked Questions about Google Authenticator