Is revealing just the AUTH_KEY a security issue?

Well, AUTH_KEY and it´s brothers where introduced in WordPress 2.6 to improve safety for logged in users. They are used to encrypt and validate the information in your backend login cookie.

While revealing the AUTH_KEY alone might not be a real security issue, you should nevertheless not output/use this anywhere to give less surface for attacks.

Furthermore I don´t see why you would use the AUTH_KEY to prepare a folder/download link. I think it would be much better to use something like time() to generate folder names if you want randomness or uniqueness or whatever without compromising the security of the system.

Update: I opened a thread in the plugins support area. Let´s see if the author responds to it.

Related Posts:

  1. Unwanted Links and Spam WordPress Pages and Posts
  2. What security concerns should I have when setting FS_METHOD to “direct” in wp-config?
  3. What Are Security Best Practices for WordPress Plugins and Themes? [closed]
  4. Are WordPress Plugins essential?
  5. I found this in a plugin. What does it do? is it dangerous?
  6. What are the common security flaws I need to look for? [closed]
  7. Disabled plugins are they security holes – rumor or reality?
  8. What could a hacker do with my wp-config.php
  9. How Can I Securely Implement a Password-less Login Feature?
  10. Security and .htaccess
  11. Why “Contact Form 7” doesn’t update PHPmailer library?
  12. Are there procedures to prevent malicious plugin updates?
  13. Preserve custom URL parameter on more pages
  14. Secure WordPress paid plugin
  15. How to make media upload private? [duplicate]
  16. Does WordPress contain “default” anti-SQL injection code that responds with a 404 error?
  17. What does a security risk in a plugin look like?
  18. Which method is best to enqueue scripts
  19. WordPress Capabilities: edit_user vs edit_users
  20. How to make WordPress use protocol indepentent upload files?
  21. Should we use plugins that aren’t available from the official WordPress site?
  22. How to check plugins for malicious code?
  23. How to properly secure my WordPress installation?
  24. Why allow overriding crucial pluggable functions wp_verify_nonce and wp_create_nonce?
  25. Where should my plugin POST to?
  26. Security error WP 4.0 + WP phpBB Bridge [closed]
  27. Should I install plugins to my WordPress installation from web sites having in URL “nulled” or, “null”?
  28. Disabled plugins are security holes – rumor or reality?
  29. Why am I sometimes getting a 404 error when I try to update a page with Elementor?
  30. Woocommerce different URL for every table placed in the restaurant
  31. Should I use RIPS tool to test my themes and plugins?
  32. Author Specific URL’s in WordPress
  33. While Using Static Pages, How Can I Get /blog into the URL of Each Post?
  34. Prevent Brute Force Attack
  35. Why users disable the WordPress update?
  36. Add query string to plugin URL
  37. How many security plugins are too many? [closed]
  38. Will WordPress username displayed somewhere in the site?
  39. Upgrading WordPress 4.0 asks for FTP password
  40. I need to generate the CSS for my plugin from a function, how do i map a request to a function in the front-end?
  41. How Restrict access to admin dashboard by specific static ip?
  42. When is it useful to use wp_verify_nonce
  43. Protecting against malicious code in WordPress plugin updates
  44. Questions about brute force attacks on the admin username, coming from amazon IP addresses
  45. Why Better WP security plugin returns 418 I’m a Teapot “error”?
  46. How can I pass a variable to a page with a SEF url?
  47. How to expire all wordpress user passwords instantly?
  48. locate_template with multiple categories?
  49. custom taxonomy and custom post type url conflict
  50. How to limit WordPress pages during updates?
  51. rms_unique_wp_mu_pl_fl_nm.php
  52. Weird problems after recovery from security breach
  53. How can we deal with unmaintained plugins with vulnerabilities?
  54. Security issues with WP sites
  55. Security checking in meta_box save is reluctant?
  56. Images not showing on homepage after migration [duplicate]
  57. How can i see/log all requests coming from a registration form (not from the UI)?
  58. Write mysql credentials in plugin
  59. Creating custom URL for async content
  60. Site is continuously accessing by several IPs
  61. URL RewriteRule doesn’t work when using WP Database Participants in my WordPress website
  62. Validating values using Settings API?
  63. How To Rewrite WordPress Pages URL Only?
  64. using .htaccess only for wordpress security no plugins
  65. SWF in wordpress post
  66. How can I process all requests for a given directory in a URL with my plugin?
  67. Display Plugin information on specific url
  68. Why links are not linked if edited comment?
  69. Problem with permissions in wp-content/plugins
  70. How to get the real address from a url (permalink)
  71. File permissions for wp-minify plugin
  72. Remove base from the custom post type URL [duplicate]
  73. WP Job Manger change jobs url (NOT slug)
  74. What is the recommended way to be notified of security updates to my plugins? [closed]
  75. My WP site and password was hacked, what to do? [closed]
  76. map urls to plugins
  77. HTML link within my plugin settings page
  78. How to resolve these findings from security audit
  79. Why plugin’s icon for the menu not found?
  80. Fetching Video From YouTube Automatically [closed]
  81. How I can hide my wp folders from Inspect Element (Developer Tools)
  82. How to Find WordPress site has backdoor login Codes
  83. How to delete Password Protected posts cookies when a user logged out from the site
  84. How to create a custom wordpress plugin for a specific functionality?
  85. How to rename files during upload to a random string?
  86. How to change all the urls of the WordPress site?
  87. Stop the user if login from the cookies
  88. WordPress User Registration/ Sign Up -> Able to take Paid Certification Courses & keep track of Completed Certificates
  89. Block Root REST API Route using custom &/or iThemes
  90. Is it a good idea to restrict the REST API
  91. WordPress.Security.NonceVerification.Recommended
  92. How to Handle? vp_page Parameter in WordPress and Resolve Google Search Console Validation Issues?
  93. Trying to Find the PHP File/Function that Handles a Specific Form Action URL
  94. Help with coding a link for a button in WordPress with The Events Calendar Plugin
  95. Secure way to add JS Script to WordPress filesystem
  96. How to Change Default RSS Feed URL in WordPress Website?
  97. Capture query param and insert into to form field
  98. Bullet proofing a server with 150 WP insallations
  99. Code Snippets security when selecting “only run on front end”
  100. How to verify/test that a custom built wordpress theme is as secure as possible?
Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)