Does WP 2 Step Authentication have any unpatched vulnerabilities?

No. All known vulnerabilities in WP 2 Step Authentication have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is WP 2 Step Authentication compatible with WordPress 3.9.40?

According to WordPress.org data, WP 2 Step Authentication 1.5 has been tested up to WordPress 3.9.40. Check the plugin's changelog for the latest compatibility information.

How often is WP 2 Step Authentication updated?

WP 2 Step Authentication was last updated on Unknown. Frequent updates are generally a positive security signal.

What is WP 2 Step Authentication's security score?

WP 2 Step Authentication has a WP-Safety security score of 100/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

WP 2 Step Authentication Security & Risk Analysis

wordpress.org/plugins/wp-2-step

Simple 2 step authentication for the masses!

10 active installs v1.5 PHP + WP 3.0.1+ Updated Unknown

2-step-authentication2-step-loginlogin-securitylogin-with-pintwo-step-authentication

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is WP 2 Step Authentication Safe to Use in 2026?

Generally Safe

Score 100/100

WP 2 Step Authentication has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs

Risk Assessment

The wp-2-step plugin, version 1.5, presents a mixed security posture. On the positive side, it has a limited attack surface with only one shortcode and no identified AJAX handlers or REST API routes without authentication. The absence of any recorded vulnerabilities or CVEs in its history is a strong indicator of a relatively stable and well-maintained plugin.

However, the static analysis reveals significant areas of concern. The presence of the `unserialize` function is a critical risk, especially when input is not rigorously sanitized. The taint analysis showing two flows with unsanitized paths further exacerbates this risk, as it indicates that potentially malicious data could be passed to `unserialize`. Additionally, the low percentage of properly escaped output (13%) means that a significant portion of the plugin's output could be vulnerable to cross-site scripting (XSS) attacks. The complete lack of nonce checks on the single shortcode is another notable weakness, leaving it open to CSRF attacks.

While the plugin has no recorded vulnerabilities, the identified code signals and taint analysis findings are substantial risks that could lead to future vulnerabilities if not addressed. The strengths lie in its limited attack surface and clean vulnerability history, but the weaknesses in output sanitization, lack of nonce checks, and the use of `unserialize` with unsanitized inputs necessitate careful attention to mitigate potential security threats.

Key Concerns

Dangerous function 'unserialize' used
Flows with unsanitized paths found
Low output escaping percentage (13%)
No nonce checks on shortcode
External HTTP requests (potential risk)

Vulnerabilities

None known

WP 2 Step Authentication Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 16, 2026

WP 2 Step Authentication Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

2 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Dangerous Functions Found

unserialize<div class="inside">includes\functions.php:65

unserialize<table width="100%">includes\functions.php:67

unserialize<tr><th width="50%" align="center">Need The Free Android App?</th><th width="50%" align="center" >Cuincludes\functions.php:69

unserialize<?php if($canemail){ ?><option <?php if($r=='email' ) {echo ' selected ';} ?> value="email" />Emaiincludes\functions.php:543

unserialize</select>includes\functions.php:545

unserialize<span class="description">What type of 2 step authentication would you like to use on login</span>includes\functions.php:547

unserializeadd_action( 'edit_user_profile_update', 'save_the_phone_field' );includes\functions.php:803

unserializeincludes\functions.php:959

unserializeincludes\functions.php:961

unserializeincludes\functions.php:963

Output Escaping

13% escaped15 total outputs

Data Flows

2 unsanitized

Data Flow Analysis

4 flows2 with unsanitized paths

wp2step_ispinrequest (includes\functions.php:1725)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

WP 2 Step Authentication Attack Surface

Entry Points1

Unprotected0

Shortcodes 1

[wp2step_badge] wp2step.php:57

WordPress Hooks 11

actionshow_user_profileincludes\functions.php:927

actionedit_user_profileincludes\functions.php:929

actionpersonal_options_updateincludes\functions.php:1603

actionedit_user_profile_updateincludes\functions.php:1605

actionadmin_menuwp2step.php:31

actionlogin_formwp2step.php:45

actionauthenticatewp2step.php:47

actionwp_footerwp2step.php:49

actionadmin_footerwp2step.php:51

actionlogin_enqueue_scriptswp2step.php:53

actioninitwp2step.php:55

Maintenance & Trust

WP 2 Step Authentication Maintenance & Trust

Maintenance Signals

WordPress version tested3.9.40

Last updatedUnknown

PHP min version

Downloads2K

Community Trust

Rating20/100

Number of ratings1

Active installs10

Alternatives

WP 2 Step Authentication Alternatives

Limit Login Attempts Reloaded – Login Security, Brute Force Protection, Firewall

limit-login-attempts-reloaded

Block excessive login attempts and protect your site against brute force attacks. Simple, yet powerful tools to improve site performance.

2.0M 4 CVEs

All-In-One Security (AIOS) – Security and Firewall

all-in-one-wp-security-and-firewall

Protect your website investment with All-In-One Security (AIOS) – a comprehensive and easy to use security plugin designed especially for WordPress.

1.0M 26 CVEs

Defender Security – Malware Scanner, Login Security & Firewall

defender-security

WordPress security plugin with malware scanner, IP blocking, audit logs, antivirus scans, firewall, 2FA, brute force login security, and more.

90K 7 CVEs

Wordfence Login Security

wordfence-login-security

Secure your website with Wordfence Login Security, providing two-factor authentication, login and registration CAPTCHA, and XML-RPC protection.

70K No CVEs

BulletProof Security

bulletproof-security

WordPress Security Protection: Malware scanner, Firewall, Login Security, DB Backup, Anti-Spam...

30K 12 CVEs

Developer Profile

WP 2 Step Authentication Developer Profile

Scriptonite

3 plugins · 20 total installs

trust score

Avg Security Score

95/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect WP 2 Step Authentication

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/wp-2-step/css/wp2step-login.css/wp-content/plugins/wp-2-step/js/wp2step.js

Script Paths

/wp-content/plugins/wp-2-step/js/wp2step.js

Version Parameters

wp-2-step/css/wp2step-login.css?ver=wp-2-step/js/wp2step.js?ver=

HTML / DOM Fingerprints

CSS Classes

wp2step-badge

HTML Comments

Data Attributes

data-wp2step-textdata-wp2step-btn-text

JS Globals

wp2step_ajax_object

Shortcode Output

<span class="wp2step-badge">

FAQ