OTP Authenticator Security & Risk Analysis

wordpress.org/plugins/otp-authenticator

One-Time Password Authentication for WordPress

60 active installs · v1.1 · PHP 7.0+ · WP 4.9.5+ · Updated Apr 3, 2022
2fa · otp · passwordless-login
85
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is OTP Authenticator Safe to Use in 2026?

Generally Safe

Score 85/100

OTP Authenticator has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 4yr ago
Risk Assessment

The 'otp-authenticator' v1.1 plugin exhibits a mixed security posture. On the positive side, it has a clean vulnerability history with no recorded CVEs and demonstrates good practices in SQL query preparation and output escaping. The plugin also correctly implements nonce and capability checks for most of its entry points. However, there are notable concerns stemming from the static analysis. The presence of two unprotected AJAX handlers represents a significant attack surface that could be exploited by unauthenticated users, potentially leading to unauthorized actions or data manipulation. Additionally, the use of the `unserialize` function, even if not directly tied to an exploit in the current analysis, is a well-known source of vulnerabilities when dealing with untrusted input. The absence of taint analysis data might indicate thoroughness or simply a lack of reported flows, but it's a gap in understanding potential risks.

Key Concerns

  • Unprotected AJAX handlers
  • Dangerous function (unserialize)
Vulnerabilities
None known

OTP Authenticator Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

OTP Authenticator Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 3 (12 prepared)
Unescaped Output: 31 (146 escaped)
Nonce Checks: 4
Capability Checks: 4
File Operations: 0
External Requests: 0
Bundled Libraries: 1

Dangerous Functions Found

unserialize
$fields = isset( $args['custom_fields'] ) ? unserialize( $args['custom_fields'] ) : false; // @cod
inc\integration\ultimate-member\class-otpa-um-integration.php:107

Bundled Libraries

Guzzle

SQL Query Safety

80% prepared · 15 total queries

Output Escaping

82% escaped · 177 total outputs
Attack Surface
2 unprotected

OTP Authenticator Attack Surface

Entry Points: 5
Unprotected: 2

AJAX Handlers 4

auth wp_ajax_otpa_refresh_logs inc\class-otpa-logger.php:28
auth wp_ajax_otpa_clear_logs inc\class-otpa-logger.php:29
auth wp_ajax_otpa_toggle_user_validation inc\class-otpa-user-info.php:36
auth wp_ajax_otpa_toggle_user_2fa_active inc\class-otpa-user-info.php:37

Shortcodes 1

[otpa_2fa_switch] inc\class-otpa-2fa.php:23
WordPress Hooks 128
action init inc\class-otpa-2fa.php:24
action admin_init inc\class-otpa-2fa.php:27
action init inc\class-otpa-2fa.php:28
action wp_login inc\class-otpa-2fa.php:29
action otpa_otp_code_verified inc\class-otpa-2fa.php:30
action wp_enqueue_scripts inc\class-otpa-2fa.php:31
action otpa_api_2fa inc\class-otpa-2fa.php:32
filter login_redirect inc\class-otpa-2fa.php:34
filter show_admin_bar inc\class-otpa-2fa.php:35
filter otpa_api_endpoints inc\class-otpa-2fa.php:36
action template_redirect inc\class-otpa-2fa.php:140
filter rest_post_dispatch inc\class-otpa-2fa.php:142
filter otpa_otp_form_vars inc\class-otpa-2fa.php:143
filter otpa_otp_api_valid_callback inc\class-otpa-2fa.php:144
filter otpa_otp_api_callback inc\class-otpa-2fa.php:145
action admin_init inc\class-otpa-account-validation.php:19
action init inc\class-otpa-account-validation.php:20
action wp_login inc\class-otpa-account-validation.php:21
action otpa_otp_code_verified inc\class-otpa-account-validation.php:22
action otpa_identifier_updated inc\class-otpa-account-validation.php:23
action clear_auth_cookie inc\class-otpa-account-validation.php:26
filter login_redirect inc\class-otpa-account-validation.php:29
filter show_admin_bar inc\class-otpa-account-validation.php:30
action template_redirect inc\class-otpa-account-validation.php:73
filter rest_post_dispatch inc\class-otpa-account-validation.php:75
filter otpa_otp_form_vars inc\class-otpa-account-validation.php:76
filter otpa_otp_api_valid_callback inc\class-otpa-account-validation.php:77
filter otpa_otp_api_callback inc\class-otpa-account-validation.php:78
action wp inc\class-otpa-logger.php:26
action otpa_logs_cleanup inc\class-otpa-logger.php:27
action admin_menu inc\class-otpa-logger.php:30
action admin_enqueue_scripts inc\class-otpa-logger.php:31
action otpa_after_main_settings inc\class-otpa-logger.php:32
action otpa_after_main_tab_settings inc\class-otpa-logger.php:33
action otpa_wp_error inc\class-otpa-logger.php:34
action init inc\class-otpa-passwordless.php:14
action otpa_page_passwordless_login inc\class-otpa-passwordless.php:15
action login_footer inc\class-otpa-passwordless.php:16
action login_enqueue_scripts inc\class-otpa-passwordless.php:17
filter otpa_page_endpoints inc\class-otpa-passwordless.php:19
filter nonce_user_logged_out inc\class-otpa-passwordless.php:20
filter otpa_otp_api_valid_callback inc\class-otpa-passwordless.php:37
filter otpa_otp_api_callback inc\class-otpa-passwordless.php:38
action template_redirect inc\class-otpa-passwordless.php:45
filter otpa_otp_form_vars inc\class-otpa-passwordless.php:46
action admin_enqueue_scripts inc\class-otpa-settings-renderer.php:105
action init inc\class-otpa-settings.php:23
action init inc\class-otpa-settings.php:24
action admin_menu inc\class-otpa-settings.php:25
action wp_loaded inc\class-otpa-settings.php:26
filter plugin_action_links_otp-authenticator/otp-authenticator.php inc\class-otpa-settings.php:27
filter pre_update_option_otpa_settings inc\class-otpa-settings.php:29
filter default_option_otpa_settings inc\class-otpa-settings.php:30
action admin_notices inc\class-otpa-settings.php:103
action admin_enqueue_scripts inc\class-otpa-settings.php:138
filter default_option_otpa_settings inc\class-otpa-settings.php:203
action wp_loaded inc\class-otpa-style-settings.php:20
action admin_menu inc\class-otpa-style-settings.php:21
action otpa_after_main_settings inc\class-otpa-style-settings.php:22
action otpa_after_main_tab_settings inc\class-otpa-style-settings.php:23
filter otpa_page_endpoints inc\class-otpa-style-settings.php:24
action otpa_page_form_preview inc\class-otpa-style-settings.php:25
filter pre_update_option_otpa_style_settings inc\class-otpa-style-settings.php:27
filter default_option_otpa_style_settings inc\class-otpa-style-settings.php:28
action template_redirect inc\class-otpa-style-settings.php:90
action wp_footer inc\class-otpa-style-settings.php:96
filter template_include inc\class-otpa-style-settings.php:111
filter default_option_otpa_style_settings inc\class-otpa-style-settings.php:172
action user_new_form inc\class-otpa-user-info.php:18
action user_profile_update_errors inc\class-otpa-user-info.php:19
filter registration_errors inc\class-otpa-user-info.php:21
action pre_user_query inc\class-otpa-user-info.php:25
filter manage_users_columns inc\class-otpa-user-info.php:27
filter manage_users_custom_column inc\class-otpa-user-info.php:28
filter manage_users_sortable_columns inc\class-otpa-user-info.php:29
action show_user_profile inc\class-otpa-user-info.php:32
action edit_user_profile inc\class-otpa-user-info.php:33
action profile_update inc\class-otpa-user-info.php:34
action admin_enqueue_scripts inc\class-otpa-user-info.php:35
action init inc\class-otpa.php:29
action parse_request inc\class-otpa.php:30
action otpa_api_otp inc\class-otpa.php:31
filter query_vars inc\class-otpa.php:33
filter otpa_api_error_data inc\class-otpa.php:34
action admin_init inc\class-otpa.php:40
filter login_redirect inc\class-otpa.php:41
action init inc\class-otpa.php:42
filter template_include inc\class-otpa.php:303
filter template_include inc\class-otpa.php:346
action template_redirect inc\class-otpa.php:454
action wp_loaded inc\gateways\class-otpa-abstract-gateway.php:68
action admin_menu inc\gateways\class-otpa-abstract-gateway.php:69
action otpa_after_main_settings inc\gateways\class-otpa-abstract-gateway.php:70
action otpa_after_main_tab_settings inc\gateways\class-otpa-abstract-gateway.php:71
filter otpa_settings_valid inc\gateways\class-otpa-abstract-gateway.php:73
filter update_user_metadata inc\gateways\class-otpa-abstract-gateway.php:78
filter update_user_metadata inc\gateways\class-otpa-abstract-gateway.php:484
action otpa_before_otp_form inc\gateways\class-otpa-alibaba-cloud-sms-gateway.php:22
action admin_enqueue_scripts inc\gateways\class-otpa-alibaba-cloud-sms-gateway.php:23
filter otpa_otp_widget_identifier_placeholder inc\gateways\class-otpa-alibaba-cloud-sms-gateway.php:25
filter otpa_otp_identifier_field_label inc\gateways\class-otpa-alibaba-cloud-sms-gateway.php:26
filter otpa_wp_error_message inc\gateways\class-otpa-alibaba-cloud-sms-gateway.php:27
action otpa_before_otp_form inc\gateways\class-otpa-twilio-gateway.php:21
filter otpa_otp_widget_identifier_placeholder inc\gateways\class-otpa-twilio-gateway.php:23
filter otpa_otp_identifier_field_label inc\gateways\class-otpa-twilio-gateway.php:24
filter otpa_wp_error_message inc\gateways\class-otpa-twilio-gateway.php:25
action otpa_before_otp_form inc\gateways\class-otpa-wp-email-gateway.php:19
action profile_update inc\gateways\class-otpa-wp-email-gateway.php:20
filter otpa_otp_widget_identifier_placeholder inc\gateways\class-otpa-wp-email-gateway.php:22
action wp_mail_failed inc\gateways\class-otpa-wp-email-gateway.php:234
action otpa_ready inc\integration\class-otpa-integration.php:29
action um_after_form inc\integration\ultimate-member\class-otpa-um-integration.php:15
filter um_get_option_filter__accessible inc\integration\ultimate-member\class-otpa-um-integration.php:16
action um_submit_form_errors_hook inc\integration\ultimate-member\class-otpa-um-integration.php:21
action um_submit_account_errors_hook inc\integration\ultimate-member\class-otpa-um-integration.php:25
action um_after_user_account_updated inc\integration\ultimate-member\class-otpa-um-integration.php:26
action um_custom_error_message_handler inc\integration\ultimate-member\class-otpa-um-integration.php:27
action um_after_account_general inc\integration\ultimate-member\class-otpa-um-integration.php:30
action woocommerce_login_form_end inc\integration\woocommerce\class-otpa-woocommerce-integration.php:15
filter woocommerce_form_field inc\integration\woocommerce\class-otpa-woocommerce-integration.php:20
filter woocommerce_customer_meta_fields inc\integration\woocommerce\class-otpa-woocommerce-integration.php:21
filter otpa_woocommerce_account_validation_otp_identifier_description inc\integration\woocommerce\class-otpa-woocommerce-integration.php:22
filter woocommerce_registration_errors inc\integration\woocommerce\class-otpa-woocommerce-integration.php:23
action woocommerce_after_save_address_validation inc\integration\woocommerce\class-otpa-woocommerce-integration.php:24
filter woocommerce_save_account_details_errors inc\integration\woocommerce\class-otpa-woocommerce-integration.php:27
action woocommerce_edit_account_form inc\integration\woocommerce\class-otpa-woocommerce-integration.php:28
filter otpa_authentication_gateways otp-authenticator.php:59
action plugins_loaded otp-authenticator.php:122

Scheduled Events 1

otpa_logs_cleanup
Maintenance & Trust

OTP Authenticator Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.5.18
Last updated: Apr 3, 2022
PHP min version: 7.0
Downloads: 4K

Community Trust

Rating: 94/100
Number of ratings: 3
Active installs: 60
Developer Profile

OTP Authenticator Developer Profile

Alexandre Froger

11 plugins · 8K total installs

Trust score: 71
Avg Security Score: 88/100
Avg Patch Time: 110 days
Detection Fingerprints

How We Detect OTP Authenticator

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/otp-authenticator/inc/assets/js/otp-authenticator-2fa-user.js
/wp-content/plugins/otp-authenticator/inc/assets/js/otp-authenticator-2fa-user.min.js
/wp-content/plugins/otp-authenticator/inc/assets/css/otp-authenticator-2fa.css
/wp-content/plugins/otp-authenticator/inc/assets/css/otp-authenticator-2fa.min.css
Version Parameters
otp-authenticator/inc/assets/js/otp-authenticator-2fa-user.js?ver=
otp-authenticator/inc/assets/css/otp-authenticator-2fa.css?ver=

HTML / DOM Fingerprints

CSS Classes
otpa-2fa-switch-button
Data Attributes
data-otpa-2fa-nonce
JS Globals
otpa_2fa_data
REST Endpoints
/wp-json/otpa/v1/2fa
Shortcode Output
[otpa_2fa_switch]