Uninstallation Not Deleting Plugin Data #630

@PluginVulnerabilities

WordPress plugins are supposed to clear out their data when uninstalled. As part of a security review of the plugin, we found that it doesn't currently do that.

It looks like there are 14 metadata keys that can be added to users' metadata that should be removed during uninstallation:

  • _two_factor_nonce
  • _two_factor_last_login_failure
  • _two_factor_failed_login_attempts
  • _two_factor_password_was_reset
  • _two_factor_enabled_providers
  • _two_factor_provider
  • _two_factor_backup_codes
  • _two_factor_email_token_timestamp
  • _two_factor_email_token
  • _two_factor_fido_u2f_register_request
  • _two_factor_fido_u2f_login_request
  • _two_factor_fido_u2f_registered_key
  • _two_factor_totp_key
  • _two_factor_totp_last_successful_login

There are several methods that can be used to delete those.

This could be classified as a security issue because of what is stored. You suggest reporting security issues to a bounty program, but that only accepts reports on a limited range of vulnerabilities. We raised that problem (and others) with WordPress' handling of reporting security issues through a bug bounty program with another plugin from WordPress in July, without a response or a change in your handling of the situation so far.
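One way to do the cleanup the report asks for, as an added example rather than code from the plugin or the reporter: a WordPress `uninstall.php` placed in the plugin's root directory, which core runs automatically when the plugin is deleted from the admin screen. It assumes only the key names listed in the issue and the standard `delete_metadata()` function from WordPress core; the file and its layout are the example's own, not the plugin's.

```php
<?php
/**
 * uninstall.php (added example, not the plugin's own file).
 *
 * WordPress includes this file when an administrator deletes the plugin.
 * It removes every per-user metadata key named in the issue so that TOTP
 * secrets, backup codes, U2F key handles and email tokens do not linger in
 * wp_usermeta after the plugin that used them is gone.
 */

// Only run when WordPress itself triggered the uninstall, never on a direct
// HTTP request to this file.
if ( ! defined( 'WP_UNINSTALL_PLUGIN' ) ) {
	exit;
}

// User meta keys taken from the issue report.
$two_factor_user_meta_keys = array(
	'_two_factor_nonce',
	'_two_factor_last_login_failure',
	'_two_factor_failed_login_attempts',
	'_two_factor_password_was_reset',
	'_two_factor_enabled_providers',
	'_two_factor_provider',
	'_two_factor_backup_codes',
	'_two_factor_email_token_timestamp',
	'_two_factor_email_token',
	'_two_factor_fido_u2f_register_request',
	'_two_factor_fido_u2f_login_request',
	'_two_factor_fido_u2f_registered_key',
	'_two_factor_totp_key',
	'_two_factor_totp_last_successful_login',
);

foreach ( $two_factor_user_meta_keys as $meta_key ) {
	// With $object_id = 0 and $delete_all = true, delete_metadata() removes the
	// key for every user in one query and flushes the affected object caches.
	// wp_usermeta is shared by all sites on a multisite network, so a single
	// pass is sufficient there as well.
	delete_metadata( 'user', 0, $meta_key, '', true );
}
```

After running the uninstall on a test site, a quick check that nothing was left behind is a query such as `SELECT meta_key, COUNT(*) FROM wp_usermeta WHERE meta_key LIKE '\_two\_factor\_%' GROUP BY meta_key;` against the database, which should return no rows. If the plugin ever adds a new user meta key, it has to be appended to this list too; an uninstall routine that only removes the keys it knew about at release time quietly reintroduces the problem described above.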
