miniOrange 2FA – Two-Factor Authentication for WordPress (SMS, Email & Google Authenticator) Security & Risk Analysis

wordpress.org/plugins/miniorange-2-factor-authentication

miniOrange WP 2FA plugin adds an extra layer of security to your WordPress website by protecting user logins from unauthorized access, brute-force att …

10K active installs · v6.2.3 · PHP 5.3.0+ · WP 3.0.1+ · Updated Mar 10, 2026
Tags: 2-factor-authentication, 2fa, google-authenticator, mfa, wp-2fa
Score: 90 (A · Safe)
CVEs total: 10
Unpatched: 0
Last CVE: Aug 23, 2025
Safety Verdict

Is miniOrange 2FA – Two-Factor Authentication for WordPress (SMS, Email & Google Authenticator) Safe to Use in 2026?

Generally Safe

Score 90/100

miniOrange 2FA – Two-Factor Authentication for WordPress (SMS, Email & Google Authenticator) has a strong security track record. Known vulnerabilities have been patched promptly.

10 known CVEs · Last CVE: Aug 23, 2025 · Updated 23d ago
Risk Assessment

The plugin "miniorange-2-factor-authentication" v6.2.3 exhibits a mixed security posture. On the positive side, it demonstrates good practices such as a high percentage of SQL queries using prepared statements and a strong emphasis on output escaping, with 96% of outputs properly escaped. The plugin also has a robust system of nonce and capability checks, indicating an effort to secure its functionalities. However, there are significant concerns highlighted by the static analysis and vulnerability history.

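Static analysis found one REST API route registered without a permission callback, so access control for that route depends entirely on checks inside its handler, and it is a direct entry point for unauthorized access if those checks are missing. No critical or high severity taint flows were identified, but four flows have unsanitized paths, which is a red flag and can lead to vulnerabilities if not carefully handled. The code also calls PHP's 'assert' function 46 times, which the scanner flags as dangerous. Every flagged call is in handler\twofa\two-fa-duo-handler.php, and those shown in full are checks on argument types and array keys. 'assert' can be a security risk if not properly managed, notably when it is given a string, which PHP versions before 8.0 evaluate as code.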

The plugin's historical vulnerability record is a major concern, with a total of 10 known CVEs, including 4 high-severity ones. Although none are currently unpatched, the prevalence of past vulnerabilities such as Exposure of Sensitive Information, CSRF, Missing Authorization, and XSS suggests recurring security weaknesses in the plugin's development or maintenance. The most recent vulnerability dates from August 2025, which is recent enough to be a concern for the current version. The overall picture is a plugin with some strong security implementations but burdened by a history of serious vulnerabilities and a few clear static analysis weaknesses.

Key Concerns

  • REST API route without permission callbacks
  • Flows with unsanitized paths
  • Total of 10 known CVEs
  • 4 High severity CVEs
  • 6 Medium severity CVEs
  • Use of dangerous function 'assert'
Vulnerabilities
10

miniOrange 2FA – Two-Factor Authentication for WordPress (SMS, Email & Google Authenticator) Security Vulnerabilities

CVEs by Year

2021: 1 CVE
2022: 7 CVEs
2023: 1 CVE
2025: 1 CVE

Severity Breakdown

High: 4
Medium: 6

10 total CVEs

CVE-2025-54745 · medium · 4.3 · Missing Authorization

miniOrange's Google Authenticator <= 6.1.1 - Missing Authorization

Aug 23, 2025 · Patched in 6.1.2 (119d)

CVE-2022-4943 · high · 7.5 · Missing Authorization

miniOrange's Google Authenticator <= 5.6.5 - Missing Authorization to Plugin Settings Change

Apr 19, 2023 · Patched in 5.6.6 (279d)

CVE-2022-44589 · high · 7.5 · Exposure of Sensitive Information to an Unauthorized Actor

miniOrange's Google Authenticator <= 5.6.1 - Sensitive Data Exposure of Multifactor Backup Codes

Nov 23, 2022 · Patched in 5.6.2 (426d)

miniOrange's Google Authenticator <= 5.6.1 - Cross-Site Request Forgery to Malware Scan Termination

Nov 1, 2022 · Patched in 5.6.2 (448d)

CVE-2022-42461 · medium · 5.4 · Missing Authorization

miniOrange's Google Authenticator <= 5.6.1 - Missing Authorization to Plugin Settings Change

Oct 31, 2022 · Patched in 5.6.2 (449d)

miniOrange's Google Authenticator <= 5.5.82 - Missing Authorization

Sep 16, 2022 · Patched in 5.6.0 (494d)

WF-bb929679-85bb-4d5b-9a99-e6081d55019f-miniorange-2-factor-authentication · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

miniOrange's Google Authenticator <= 5.5.7 - Reflected Cross-Site Scripting

Jun 27, 2022 · Patched in 5.5.75 (575d)

CVE-2022-1321 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

miniOrange's Google Authenticator <= 5.5.5 - Authenticated (Admin+) Cross-Site Scripting

Jun 6, 2022 · Patched in 5.5.6 (596d)

CVE-2022-0229 · high · 8.1 · Missing Authorization

miniOrange's Google Authenticator <= 5.4.52 - Unauthenticated Arbitrary Options Deletion

Feb 28, 2022 · Patched in 5.5 (694d)

WF-f810326f-f84a-4066-aa28-5caa915ba877-miniorange-2-factor-authentication · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

miniOrange's Google Authenticator <= 5.4.39 - Cross-Site Scripting

Aug 10, 2021 · Patched in 5.4.40 (896d)

Code Analysis
Analyzed Mar 16, 2026

miniOrange 2FA – Two-Factor Authentication for WordPress (SMS, Email & Google Authenticator) Code Analysis

Dangerous Functions: 46
Raw SQL Queries: 19 (55 prepared)
Unescaped Output: 55 (1249 escaped)
Nonce Checks: 74
Capability Checks: 38
File Operations: 3
External Requests: 5
Bundled Libraries: 2

Dangerous Functions Found

Function: assert. All 46 calls are in handler\twofa\two-fa-duo-handler.php (line number · call):

92 · assert( is_string( $username ) || is_null( $username ) );
93 · assert( is_int( $valid_secs ) || is_null( $valid_secs ) );
119 · assert( is_string( $user_id ) );
120 · assert( is_string( $activation_code ) );
153 · assert( is_string( $ipaddr ) || is_null( $ipaddr ) );
154 · assert( is_string( $trusted_device_token ) || is_null( $trusted_device_token ) );
201 · assert( is_string( $user_identifier ) );
202 · assert(
206 · assert( is_array( $factor_params ) );
207 · assert( is_string( $ipaddr ) || is_null( $ipaddr ) );
208 · assert( is_bool( $async ) );
209 · assert( is_bool( $username ) );
230 · assert( array_key_exists( 'device', $factor_params ) && is_string( $factor_params['device'] ) );
243 · assert( array_key_exists( 'passcode', $factor_params ) && is_string( $factor_params['passcode'] ) );
246 · assert( array_key_exists( 'device', $factor_params ) && is_string( $factor_params['device'] ) );
249 · assert( array_key_exists( 'device', $factor_params ) && is_string( $factor_params['device'] ) );
252 · assert( array_key_exists( 'device', $factor_params ) && is_string( $factor_params['device'] ) );
307 · assert( is_string( $url ) );
308 · assert( is_string( $method ) );
309 · assert( is_array( $headers ) );
310 · assert( is_string( $body ) || is_null( $body ) );
378 · assert( is_string( $method ) );
379 · assert( is_string( $path ) );
380 · assert( is_array( $params ) );
394 · assert( is_array( $params ) );
417 · assert( is_string( $method ) );
418 · assert( is_string( $host ) );
419 · assert( is_string( $path ) );
420 · assert( is_array( $params ) );
421 · assert( is_string( $now ) );
438 · assert( is_string( $msg ) );
439 · assert( is_string( $key ) );
456 · assert( is_string( $method ) );
457 · assert( is_string( $host ) );
458 · assert( is_string( $path ) );
459 · assert( is_array( $params ) );
460 · assert( is_string( $skey ) );
461 · assert( is_string( $ikey ) );
462 · assert( is_string( $now ) );
484 · assert( is_string( $method ) );
485 · assert( is_string( $uri ) );
486 · assert( is_string( $body ) || is_null( $body ) );
487 · assert( is_array( $headers ) );
514 · assert( is_string( $method ) );
515 · assert( is_string( $path ) );
516 · assert( is_array( $params ) );

Bundled Libraries

DataTables, Select2

SQL Query Safety

74% prepared · 74 total queries

Output Escaping

96% escaped · 1304 total outputs
Data Flows
4 unsanitized

Data Flow Analysis

12 flows · 4 with unsanitized paths
<two-factor-page> (controllers\two-factor-page.php:0)
Attack Surface
1 unprotected

miniOrange 2FA – Two-Factor Authentication for WordPress (SMS, Email & Google Authenticator) Attack Surface

Entry Points: 19
Unprotected: 1

AJAX Handlers 17

auth · wp_ajax_wpns_login_security · controllers\class-wpns-ajax.php:38
auth · wp_ajax_mo2f_ajax · controllers\class-wpns-ajax.php:39
nopriv · wp_ajax_mo2f_ajax · controllers\class-wpns-ajax.php:40
auth · wp_ajax_mo_two_factor_ajax · controllers\twofa\class-mo-2f-ajax.php:54
nopriv · wp_ajax_mo_two_factor_ajax · controllers\twofa\class-mo-2f-ajax.php:55
auth · wp_ajax_mo2f_login_settings_ajax · handler\class-mo2f-2fa-settings-handler.php:40
auth · wp_ajax_mo_two_factor_ajax · handler\class-mo2f-admin-action-handler.php:37
nopriv · wp_ajax_mo_two_factor_ajax · handler\class-mo2f-admin-action-handler.php:38
auth · wp_ajax_mo2f_advance_settings_ajax · handler\class-mo2f-advance-settings-handler.php:38
auth · wp_ajax_mo2f_ip_black_list_ajax · handler\class-mo2f-ip-blocking-handler.php:43
auth · wp_ajax_mo_two_factor_ajax · handler\class-mo2f-main-handler.php:66
nopriv · wp_ajax_mo_two_factor_ajax · handler\class-mo2f-main-handler.php:67
auth · wp_ajax_mo2f_white_labelling_ajax · handler\class-mo2f-whitelabelling.php:34
auth · wp_ajax_mo_shortcode · handler\twofa\class-mo2fcustomregformshortcode.php:46
nopriv · wp_ajax_mo_shortcode · handler\twofa\class-mo2fcustomregformshortcode.php:47
auth · wp_ajax_mo_ajax_register · handler\twofa\class-mo2fcustomregformshortcode.php:48
nopriv · wp_ajax_mo_ajax_register · handler\twofa\class-mo2fcustomregformshortcode.php:49

REST API Routes 1

GET · /wp-json/miniorange/mo_2fa_two_fa/resetuser2fa=(?P<resetuser2fa>[A-Za-z0-9=+/]+)/message=(?P<message>[A-Za-z]+) · handler\class-mo2f-reconfigure-link.php:160

Shortcodes 1

[mo2f_enable_register] · miniorange_2_factor_settings.php:93

WordPress Hooks 72

action · admin_init · controllers\class-wpns-ajax.php:27
action · init · controllers\class-wpns-ajax.php:28
action · admin_init · controllers\twofa\class-mo-2f-ajax.php:46
action · admin_init · handler\class-ajaxhandler.php:35
action · admin_init · handler\class-feedbackhandler.php:34
action · admin_init · handler\class-handle-migration.php:28
action · init · handler\class-loginhandler.php:33
action · rest_api_init · handler\class-loginhandler.php:35
action · wp_login · handler\class-loginhandler.php:38
action · wp_login_failed · handler\class-loginhandler.php:39
action · woocommerce_register_post · handler\class-loginhandler.php:42
action · show_user_profile · handler\class-loginhandler.php:64
action · edit_user_profile · handler\class-loginhandler.php:65
action · personal_options_update · handler\class-loginhandler.php:66
action · edit_user_profile_update · handler\class-loginhandler.php:67
action · admin_init · handler\class-mo2f-2fa-settings-handler.php:41
action · admin_init · handler\class-mo2f-advance-settings-handler.php:30
action · admin_init · handler\class-mo2f-ip-blocking-handler.php:34
action · admin_init · handler\class-mo2f-ip-blocking-handler.php:35
action · log_403 · handler\class-mo2f-logger.php:30
action · template_redirect · handler\class-mo2f-logger.php:31
action · init · handler\class-mo2f-main-handler.php:65
filter · login_errors · handler\class-mo2f-main-handler.php:68
filter · login_message · handler\class-mo2f-main-handler.php:69
action · rest_api_init · handler\class-mo2f-reconfigure-link.php:35
filter · login_message · handler\class-mo2f-reconfigure-link.php:36
action · admin_init · handler\class-mo2f-whitelabelling.php:33
filter · registration_errors · handler\class-registrationhandler.php:24
action · register_form · handler\class-registrationhandler.php:26
action · admin_init · handler\twofa\class-miniorange-authentication.php:70
action · plugins_loaded · handler\twofa\class-miniorange-authentication.php:71
action · login_form · handler\twofa\class-miniorange-authentication.php:76
filter · mo2f_shortcode_rba_gauth · handler\twofa\class-miniorange-authentication.php:77
filter · mo2f_shortcode_kba · handler\twofa\class-miniorange-authentication.php:78
filter · mo2f_update_info · handler\twofa\class-miniorange-authentication.php:79
action · mo2f_shortcode_form_fields · handler\twofa\class-miniorange-authentication.php:80
action · delete_user · handler\twofa\class-miniorange-authentication.php:90
filter · mo2f_gauth_service · handler\twofa\class-miniorange-authentication.php:92
filter · authenticate · handler\twofa\class-miniorange-authentication.php:97
action · login_form · handler\twofa\class-miniorange-authentication.php:98
action · login_enqueue_scripts · handler\twofa\class-miniorange-authentication.php:107
action · woocommerce_login_form · handler\twofa\class-miniorange-authentication.php:116
action · wp_enqueue_scripts · handler\twofa\class-miniorange-authentication.php:124
action · miniorange_pre_authenticate_user_login · handler\twofa\class-miniorange-authentication.php:133
action · miniorange_post_authenticate_user_login · handler\twofa\class-miniorange-authentication.php:142
action · miniorange_collect_attributes_for_authenticated_user · handler\twofa\class-miniorange-authentication.php:151
action · woocommerce_created_customer · handler\twofa\class-mo2fcustomregformshortcode.php:36
action · admin_init · handler\twofa\class-mo2fcustomregformshortcode.php:38
action · admin_notices · helper\class-mo2f-common-helper.php:45
action · admin_notices · helper\class-mowpnsmessages.php:27
filter · gettext · helper\class-mowpnsmessages.php:29
action · admin_menu · miniorange_2_factor_settings.php:71
action · admin_enqueue_scripts · miniorange_2_factor_settings.php:72
action · admin_enqueue_scripts · miniorange_2_factor_settings.php:73
action · admin_init · miniorange_2_factor_settings.php:74
action · admin_init · miniorange_2_factor_settings.php:75
filter · manage_users_columns · miniorange_2_factor_settings.php:76
action · manage_users_custom_column · miniorange_2_factor_settings.php:77
action · admin_notices · miniorange_2_factor_settings.php:78
filter · user_row_actions · miniorange_2_factor_settings.php:79
action · admin_footer · miniorange_2_factor_settings.php:80
action · init · miniorange_2_factor_settings.php:81
action · wp_dashboard_setup · miniorange_2_factor_settings.php:86
action · plugins_loaded · miniorange_2_factor_settings.php:88
action · admin_init · miniorange_2_factor_settings.php:91
action · elementor/init · miniorange_2_factor_settings.php:92
action · user_profile_update_errors · miniorange_2_factor_settings.php:94
action · admin_init · miniorange_2_factor_settings.php:95
action · admin_init · miniorange_2_factor_settings.php:96
action · admin_init · miniorange_2_factor_settings.php:97
action · admin_init · miniorange_2_factor_settings.php:98
action · admin_init · miniorange_2_factor_settings.php:208

Maintenance & Trust

miniOrange 2FA – Two-Factor Authentication for WordPress (SMS, Email & Google Authenticator) Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 10, 2026
PHP min version: 5.3.0
Downloads: 2.4M

Community Trust

Rating: 90/100
Number of ratings: 381
Active installs: 10K

Developer Profile

miniOrange 2FA – Two-Factor Authentication for WordPress (SMS, Email & Google Authenticator) Developer Profile

miniOrange

38 plugins · 83K total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 324 days
Detection Fingerprints

How We Detect miniOrange 2FA – Two-Factor Authentication for WordPress (SMS, Email & Google Authenticator)

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/miniorange-2-factor-authentication/css/font-awesome.min.css
/wp-content/plugins/miniorange-2-factor-authentication/css/mo2f-admin-style.css
/wp-content/plugins/miniorange-2-factor-authentication/css/mo2f-frontend-style.css
/wp-content/plugins/miniorange-2-factor-authentication/css/mo2f-responsive.css
/wp-content/plugins/miniorange-2-factor-authentication/css/social-login-buttons.css
/wp-content/plugins/miniorange-2-factor-authentication/includes/js/mo2fa_elementor.min.js
/wp-content/plugins/miniorange-2-factor-authentication/includes/js/mo2f-admin-script.min.js
/wp-content/plugins/miniorange-2-factor-authentication/includes/js/mo2f-frontend.min.js
+3 more

Script Paths
/wp-content/plugins/miniorange-2-factor-authentication/includes/js/mo2fa_elementor.min.js
/wp-content/plugins/miniorange-2-factor-authentication/includes/js/mo2f-admin-script.min.js
/wp-content/plugins/miniorange-2-factor-authentication/includes/js/mo2f-frontend.min.js
/wp-content/plugins/miniorange-2-factor-authentication/includes/js/mo2f-setup-wizard.min.js
/wp-content/plugins/miniorange-2-factor-authentication/includes/js/mo2f-social-login.min.js
/wp-content/plugins/miniorange-2-factor-authentication/includes/js/mo2f-update-script.min.js

Version Parameters
/wp-content/plugins/miniorange-2-factor-authentication/css/font-awesome.min.css?ver=
/wp-content/plugins/miniorange-2-factor-authentication/css/mo2f-admin-style.css?ver=
/wp-content/plugins/miniorange-2-factor-authentication/css/mo2f-frontend-style.css?ver=
/wp-content/plugins/miniorange-2-factor-authentication/css/mo2f-responsive.css?ver=
/wp-content/plugins/miniorange-2-factor-authentication/css/social-login-buttons.css?ver=
/wp-content/plugins/miniorange-2-factor-authentication/includes/js/mo2fa_elementor.min.js?ver=
/wp-content/plugins/miniorange-2-factor-authentication/includes/js/mo2f-admin-script.min.js?ver=
/wp-content/plugins/miniorange-2-factor-authentication/includes/js/mo2f-frontend.min.js?ver=
/wp-content/plugins/miniorange-2-factor-authentication/includes/js/mo2f-setup-wizard.min.js?ver=
/wp-content/plugins/miniorange-2-factor-authentication/includes/js/mo2f-social-login.min.js?ver=
/wp-content/plugins/miniorange-2-factor-authentication/includes/js/mo2f-update-script.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
mo2f-login-form, mo2f-setup-wizard-page, mo2f_account_details, mo2f_user_profile_section, mo2f_hide_admin_bar, mo2f_otp_verification_form, mo2f_admin_notice, mo2f_plugin_action_link

HTML Comments
<!-- Miniorange 2FA Settings -->
<!-- Added by miniOrange 2FA plugin -->
<!-- IMPORTANT: Remove this file and its contents if you are upgrading to a version of WordPress that has this file as part of core. -->

Data Attributes
data-nonce, data-plugin-path, data-site-url

JS Globals
my_ajax_object, Mo2fAdminScript, Mo2fSetupWizard, Mo2fSocialLogin, Mo2fFrontend

REST Endpoints
/wp-json/miniorange-2fa/v1/login
/wp-json/miniorange-2fa/v1/validate_otp

Shortcode Output
[mo2f_enable_register]