Plugin Vulnerability Hub
Plugin | 19 known issues | Latest disclosed Jun 20, 2024

Solid Security – Password, Two Factor Authentication, and Brute Force Protection Vulnerabilities

Review known vulnerability records for the WordPress plugin Solid Security – Password, Two Factor Authentication, and Brute Force Protection (`better-wp-security`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2022-44593 and CVE-2023-28786, so operators can jump from disclosure to patch validation without scanning the full feed first.

Known Records
19
High or Critical
7
Patch Coverage
100%
Last Updated
Jun 26, 2024
Priority CVE Quick Links

Fast paths into Solid Security – Password, Two Factor Authentication, and Brute Force Protection CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs
7
Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Solid Security – Password, Two Factor Authentication, and Brute Force Protection so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility
19 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix
0 critical and 7 high severity findings.
Recent CVEs
CVE-2022-44593 and CVE-2023-28786
Reference Workflow
Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.
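The check this workflow asks for, as an added worked example in Python (it is not code from the hub or from the plugin): read the installed version from a plugin-file header, compare it against the patched releases transcribed from the records on this page, and report which records still apply and the lowest release that clears them all. The header text and its version 9.0.1 are constructed sample values; the slug is passed in by the caller, since in practice it is the plugin's directory name under wp-content/plugins rather than anything in the header.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

PLUGIN_SLUG = "better-wp-security"

# Constructed sample of the plugin main-file header, in the format WordPress
# reads plugin metadata from. The version number is made up for this walkthrough.
SAMPLE_PLUGIN_HEADER = """<?php
/*
 * Plugin Name: Solid Security – Password, Two Factor Authentication, and Brute Force Protection
 * Version: 9.0.1
 * Text Domain: better-wp-security
 */
"""


@dataclass(frozen=True)
class Record:
    title: str
    fixed_in: str  # "Patched Release" on this page; every earlier release is listed as affected


# Transcribed from the records on this page (title, patched release).
RECORDS = (
    Record("CVE-2022-44593 IP address spoofing to DoS", "9.3.2"),
    Record("Unauthenticated login page disclosure", "9.0.1"),
    Record("CVE-2023-28786 open redirect via redirect_to_https", "8.1.5"),
    Record("Hidden login bypass", "7.9.1"),
    Record("CVE-2020-36176 broken password mechanism", "7.7.0"),
    Record("CVE-2018-12636 authenticated SQL injection", "7.0.3"),
    Record("CVE-2018-7433 cross-site scripting on the logs page", "6.9.1"),
    Record("Stored cross-site scripting", "5.6.2"),
    Record("Sensitive information exposure via diff response", "5.6.2"),
    Record("Missing capabilities check", "5.3.6"),
    Record("Insecure backup/logfile generation", "5.3.1"),
    Record("Authenticated cross-site scripting", "5.3.5"),
)


def parse_version(text: str) -> tuple[int, ...]:
    """'9.0.1' -> (9, 0, 1). Pre-release strings such as '9.3.2-beta1' are
    rejected instead of guessed at: the page only lists numbered releases."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in parts)


def version_lt(a: tuple[int, ...], b: tuple[int, ...]) -> bool:
    """Zero-padded comparison so that 9.3 and 9.3.0 compare equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def header_field(header: str, name: str) -> str | None:
    """Read one 'Name: value' line from a plugin file header, ignoring the
    comment decoration ('/*', ' * ', '#') that precedes it."""
    pattern = rf"^[ \t/*#]*{re.escape(name)}:[ \t]*(.+?)[ \t]*$"
    match = re.search(pattern, header, re.MULTILINE)
    return match.group(1) if match else None


def applicable_records(slug: str, version: str, records=RECORDS) -> list[Record]:
    """Records whose affected range still contains the installed version."""
    if slug != PLUGIN_SLUG:
        return []  # the hub indexes by slug: another plugin never matches these records
    installed = parse_version(version)
    return [r for r in records if version_lt(installed, parse_version(r.fixed_in))]


def triage(slug: str, header: str) -> dict:
    """Map an installed plugin to its open records and the release that clears them all."""
    version = header_field(header, "Version")
    if version is None:
        raise ValueError("plugin header has no Version field")
    hits = applicable_records(slug, version)
    # The lowest release that closes every open record is the largest fixed_in among them.
    update_to = max((r.fixed_in for r in hits), key=parse_version, default=None)
    return {"version": version, "open_records": [r.title for r in hits], "update_to": update_to}


if __name__ == "__main__":
    print(triage(PLUGIN_SLUG, SAMPLE_PLUGIN_HEADER))
```

Two edge cases are handled explicitly rather than silently: a version string with a pre-release suffix is rejected instead of compared, and a slug other than better-wp-security matches nothing, because every record on this page is keyed to that slug.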

Known Vulnerabilities

Reports for Solid Security – Password, Two Factor Authentication, and Brute Force Protection

Sorted by latest disclosure date so newly published issues surface first.

Plugin | Medium | Patched: Yes | CVE-2022-44593
CVE-2022-44593: Solid Security <= 9.3.1 - IP Address Spoofing to Denial of Service

The Solid Security – Password, Two Factor Authentication, and Brute Force Protection plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 9.3.1 due to insufficient IP address validation. This makes it possible for unauthenticated attacke...

Published
Jun 20, 2024
Patched Release
9.3.2
Affected Versions
Versions up to 9.3.1
Next Step
Update to 9.3.2 or newer if supported.
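The record's title names the bug class: a brute-force lockout keyed on an address the client can choose. The added example below (Python, not the plugin's own code) puts the weak pattern beside the validated one. A lockout tracker that takes X-Forwarded-For at face value lets an attacker connecting directly lock out any victim address and sidestep its own lockout by naming a fresh address each time; one that honours the header only when the TCP peer is a trusted proxy, and then only the entry that proxy appended, pins the failures to the attacker. The proxy range 10.0.0.0/8, the threshold of five failures and the addresses are constructed; Solid Security's own IP-detection code is not reproduced.

```python
from __future__ import annotations

import ipaddress
from collections import defaultdict
from typing import Callable, Mapping

MAX_FAILURES = 5  # assumed lockout threshold
# Assumed address range of the reverse proxies in front of the site.
TRUSTED_PROXIES = (ipaddress.ip_network("10.0.0.0/8"),)

Headers = Mapping[str, str]


def _is_trusted_proxy(addr: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip_unvalidated(remote_addr: str, headers: Headers) -> str:
    """The weak pattern: a client-supplied proxy header is believed outright,
    so whoever sends the request also chooses which address takes the blame."""
    forwarded = headers.get("X-Forwarded-For")
    if forwarded:
        return forwarded.split(",")[0].strip()
    return remote_addr


def client_ip_validated(remote_addr: str, headers: Headers) -> str:
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy, and take
    the right-most entry that is not itself a trusted proxy: that is the address
    the last trusted hop appended, which the client could not choose."""
    peer = ipaddress.ip_address(remote_addr)
    if not _is_trusted_proxy(peer):
        return str(peer)  # direct connection: any forwarding header is attacker-controlled
    chain = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # unparsable entry: nothing to the left of it is trustworthy either
        if not _is_trusted_proxy(addr):
            return str(addr)
    return str(peer)  # header empty or all-proxy: fall back to the proxy itself


class LockoutTracker:
    """Counts failed logins per resolved client address, like a brute-force lockout."""

    def __init__(self, resolve: Callable[[str, Headers], str], max_failures: int = MAX_FAILURES):
        self.resolve = resolve
        self.max_failures = max_failures
        self.failures: dict[str, int] = defaultdict(int)

    def record_failure(self, remote_addr: str, headers: Headers) -> str:
        ip = self.resolve(remote_addr, headers)
        self.failures[ip] += 1
        return ip

    def is_locked(self, remote_addr: str, headers: Headers) -> bool:
        return self.failures[self.resolve(remote_addr, headers)] >= self.max_failures


# Constructed scenario: the attacker connects directly (no proxy in between) and
# stamps the victim's address on every failed login attempt.
ATTACKER = "203.0.113.7"
VICTIM = "198.51.100.20"


def run_scenario(resolve: Callable[[str, Headers], str]) -> dict[str, bool]:
    tracker = LockoutTracker(resolve)
    for _ in range(MAX_FAILURES):
        tracker.record_failure(ATTACKER, {"X-Forwarded-For": VICTIM})
    return {
        # The victim later logs in from their own address, without any header.
        "victim_locked_out": tracker.is_locked(VICTIM, {}),
        # The attacker keeps going, simply naming a fresh address each time.
        "attacker_locked_out": tracker.is_locked(ATTACKER, {"X-Forwarded-For": "192.0.2.99"}),
    }


if __name__ == "__main__":
    print("unvalidated:", run_scenario(client_ip_unvalidated))
    print("validated:  ", run_scenario(client_ip_validated))
```

The right-most-untrusted rule matters even behind a real proxy: a client can still send its own X-Forwarded-For, and the proxy appends the true peer address after it, so the left-most entry is attacker-chosen while the entry the last trusted proxy added is not.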
Plugin | Medium | Patched: Yes
Solid Security Basic <= 9.0.0 - Unauthenticated Login Page Disclosure

The Solid Security – Password, Two Factor Authentication, and Brute Force Protection plugin for WordPress is vulnerable to protection mechanism bypass in all versions up to, and including, 9.0.0. This is due to the plugin disclosing the login path when comments are enabled and re...

Published
Oct 31, 2023
Patched Release
9.0.1
Affected Versions
Versions up to 9.0.0
Next Step
Update to 9.0.1 or newer if supported.
Plugin | Medium | Patched: Yes | CVE-2023-28786
CVE-2023-28786: iThemes Security <= 8.1.4 - Open Redirection via redirect_to_https

The iThemes Security plugin for WordPress is vulnerable to open redirection in versions up to, and including, 8.1.4. This is due to the use of wp_redirect instead of wp_safe_redirect in the redirect_to_https function. This makes it possible for unauthenticated attackers to arbitr...

Published
Mar 27, 2023
Patched Release
8.1.5
Affected Versions
Versions up to 8.1.4
Next Step
Update to 8.1.5 or newer if supported.
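The difference between wp_redirect and wp_safe_redirect is the whole fix for this record. The added example below (Python rather than the plugin's PHP, and not the plugin's own code) models what wp_safe_redirect's validation does with a request-supplied location: drop characters outside the set wp_sanitize_redirect keeps, treat a leading // as a scheme-relative URL, allow only http and https, and fall back to the admin URL when the host is not the site's own. The site host shop.example, the fallback URL and the allowed-host set are assumed values standing in for home_url(), admin_url() and the allowed_redirect_hosts filter; how redirect_to_https built its location is not reproduced, only what happens to that location under each function.

```python
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Assumed site: stands in for home_url(); the fallback stands in for admin_url(),
# which is where wp_safe_redirect sends a rejected location.
SITE_HOST = "shop.example"
FALLBACK = "https://shop.example/wp-admin/"
ALLOWED_HOSTS = frozenset({SITE_HOST})  # the allowed_redirect_hosts filter, collapsed to a set

# Characters wp_sanitize_redirect keeps. Everything else (backslashes, whitespace,
# control characters) is dropped, which is what defuses browser-only tricks such as
# "/\evil.example" (a browser reads "/\" as "//").
_DROP = re.compile(r"[^a-z0-9\-~+_.?#=&;,/:%!*\[\]()@]", re.IGNORECASE)


def unsafe_redirect(location: str) -> str:
    """Models wp_redirect: the request-supplied location is used as-is."""
    return location


def safe_redirect(location: str, fallback: str = FALLBACK) -> str:
    """Models the host check wp_safe_redirect performs through wp_validate_redirect."""
    loc = _DROP.sub("", location.strip())
    if loc.startswith("//"):
        loc = "http:" + loc  # protocol-relative: a browser would fill in the scheme
    try:
        parts = urlsplit(loc)
    except ValueError:
        return fallback  # malformed URL
    if parts.scheme and parts.scheme not in ("http", "https"):
        return fallback  # javascript:, data:, etc.
    if "@" in parts.netloc:
        return fallback  # userinfo tricks such as http://shop.example@evil.example/
    host = parts.hostname  # already lower-cased by urlsplit
    if host is None:
        return loc  # path-only location: same origin by construction
    if host not in ALLOWED_HOSTS:
        return fallback  # off-site host: the open-redirect case
    return loc


SAMPLE_LOCATIONS = (  # constructed inputs, not taken from any real request
    "/wp-admin/options.php",
    "https://shop.example/checkout",
    "https://evil.example/",
    "//evil.example/",
    "/\\evil.example/",
    "javascript:alert(1)",
    "http://shop.example@evil.example/",
    "https://shop.example.evil.example/",
)


def compare(locations=SAMPLE_LOCATIONS) -> dict[str, tuple[str, str]]:
    """For each input, the target wp_redirect would use versus the validated one."""
    return {loc: (unsafe_redirect(loc), safe_redirect(loc)) for loc in locations}


if __name__ == "__main__":
    for loc, (before, after) in compare().items():
        print(f"{loc!r:40} wp_redirect -> {before!r:40} wp_safe_redirect -> {after!r}")
```

The suffix case (shop.example.evil.example) is why the check is an exact host match against an allowlist and not a substring or prefix test; the userinfo case is why the netloc is inspected before the hostname is trusted.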
Plugin | Medium | Patched: Yes
iThemes Security < 7.9.1 and iThemes Security Pro < 6.8.4 - Hidden Login Bypass

It is possible to bypass the hidden login page functionality in iThemes Security < 7.9.1 and iThemes Security Pro < 6.8.4.

Published
Apr 22, 2021
Patched Release
7.9.1
Affected Versions
Versions before 7.9.1
Next Step
Update to 7.9.1 or newer if supported.
Plugin | High | Patched: Yes | CVE-2020-36176
CVE-2020-36176: iThemes Security <= 7.6.1 - Broken Password Mechanism

The iThemes Security (formerly Better WP Security) plugin before 7.7.0 for WordPress does not enforce a new-password requirement for an existing account until the second login occurs.

Published
Jan 06, 2021
Patched Release
7.7.0
Affected Versions
Versions up to 7.6.1
Next Step
Update to 7.7.0 or newer if supported.
Plugin | High | Patched: Yes | CVE-2018-12636
CVE-2018-12636: iThemes Security <= 7.0.2 - Authenticated SQL Injection

The iThemes Security (better-wp-security) plugin before 7.0.3 for WordPress allows SQL Injection (by attackers with Admin privileges) via the logs page.

Published
Jun 25, 2018
Patched Release
7.0.3
Affected Versions
Versions before 7.0.3
Next Step
Update to 7.0.3 or newer if supported.
Plugin | High | Patched: Yes | CVE-2018-7433
CVE-2018-7433: iThemes Security <= 6.9.0 - Cross-Site Scripting

The iThemes Security plugin before 6.9.1 for WordPress does not properly perform data escaping for the logs page.

Published
Mar 05, 2018
Patched Release
6.9.1
Affected Versions
Versions up to 6.9.0
Next Step
Update to 6.9.1 or newer if supported.
Plugin | Medium | Patched: Yes
iThemes Security <= 5.6.1 - Stored Cross-Site Scripting

The iThemes Security plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 5.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web s...

Published
Oct 06, 2016
Patched Release
5.6.2
Affected Versions
Versions before 5.6.2
Next Step
Update to 5.6.2 or newer if supported.
Plugin | Medium | Patched: Yes
iThemes Security <= 5.6.1 - Sensitive Information Exposure via Diff Response

The iThemes Security plugin for WordPress is vulnerable to sensitive information disclosure in versions up to, and including, 5.6.1, because responses to invalid username/password combinations return different HTTP headers. This makes it possible for attackers to observe differen...

Published
Sep 27, 2016
Patched Release
5.6.2
Affected Versions
Versions up to 5.6.1
Next Step
Update to 5.6.2 or newer if supported.
Plugin | High | Patched: Yes
iThemes Security <= 5.3.5 - Missing Capabilities Check

The iThemes Security plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the wp_ajax_itsec_file_change_warning_ajax function in versions up to, and including, 5.3.5. This makes it possible for authenticated attackers to perform administ...

Published
Apr 25, 2016
Patched Release
5.3.6
Affected Versions
Versions before 5.3.6
Next Step
Update to 5.3.6 or newer if supported.
Plugin | Medium | Patched: Yes
iThemes Security < 5.3.1 - Insecure Backup/Logfile Generation

The iThemes Security plugin for WordPress is vulnerable to insecure backup and logfile generation in versions up to, and including, 5.3.0. This is due to backup and logfiles being created in a world-readable directory. This makes it possible for unauthenticated attackers to view...

Published
Apr 21, 2016
Patched Release
5.3.1
Affected Versions
Versions before 5.3.1
Next Step
Update to 5.3.1 or newer if supported.
Plugin | Low | Patched: Yes
iThemes Security < 5.3.5 - Authenticated Cross-Site Scripting

The iThemes Security plugin for WordPress is vulnerable to Cross-Site Scripting in versions up to, and including, 5.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that wil...

Published
Apr 05, 2016
Patched Release
5.3.5
Affected Versions
Versions before 5.3.5
Next Step
Update to 5.3.5 or newer if supported.