Is revealing just the AUTH_KEY a security issue?

Well, AUTH_KEY and it´s brothers where introduced in WordPress 2.6 to improve safety for logged in users. They are used to encrypt and validate the information in your backend login cookie.

While revealing the AUTH_KEY alone might not be a real security issue, you should nevertheless not output/use this anywhere to give less surface for attacks.

Furthermore I don´t see why you would use the AUTH_KEY to prepare a folder/download link. I think it would be much better to use something like time() to generate folder names if you want randomness or uniqueness or whatever without compromising the security of the system.

Update: I opened a thread in the plugins support area. Let´s see if the author responds to it.

Related Posts:

  1. Unwanted Links and Spam WordPress Pages and Posts
  2. What security concerns should I have when setting FS_METHOD to “direct” in wp-config?
  3. What Are Security Best Practices for WordPress Plugins and Themes? [closed]
  4. Are WordPress Plugins essential?
  5. What are the common security flaws I need to look for? [closed]
  6. Why “Contact Form 7” doesn’t update PHPmailer library?
  7. Preserve custom URL parameter on more pages
  8. Secure WordPress paid plugin
  9. How to make media upload private? [duplicate]
  10. Does WordPress contain “default” anti-SQL injection code that responds with a 404 error?
  11. What does a security risk in a plugin look like?
  12. Which method is best to enqueue scripts
  13. WordPress Capabilities: edit_user vs edit_users
  14. How to make WordPress use protocol indepentent upload files?
  15. Why am I sometimes getting a 404 error when I try to update a page with Elementor?
  16. Woocommerce different URL for every table placed in the restaurant
  17. Should I use RIPS tool to test my themes and plugins?
  18. Why users disable the WordPress update?
  19. Add query string to plugin URL
  20. How many security plugins are too many? [closed]
  21. Will WordPress username displayed somewhere in the site?
  22. Upgrading WordPress 4.0 asks for FTP password
  23. Questions about brute force attacks on the admin username, coming from amazon IP addresses
  24. Why Better WP security plugin returns 418 I’m a Teapot “error”?
  25. How to limit WordPress pages during updates?
  26. rms_unique_wp_mu_pl_fl_nm.php
  27. Security checking in meta_box save is reluctant?
  28. Find the URL of the current plugin directory
  29. Custom page slug without creating a WP page
  30. What is an arbitrary URL?
  31. How To Clean The Malware Infected & Hacked WordPress Websites? [duplicate]
  32. wp_create_nonce function doesn’t work inside a plugin?
  33. Upgraded to latest version – 3.0.3 and Now I get a “sufficient permissions to access this page” error
  34. Headers Content-Security-Policy CSP Major Issue
  35. How to make a proper custom post type link
  36. Nonce failing on form submission
  37. Why WordPress plugin url ajax doesn’t work?
  38. Added slug after URL permalink last slash returns different content
  39. Is there a hook to Intercept al urls from a webpage and redirect to a page
  40. WordPress shows error related to allow_url_fopen
  41. Subdomains with almost the same content
  42. Malware installation during plugin update?
  43. change content based on url per plugin
  44. I should enable automatic updates?
  45. Can some vulnerabilities in plugins be exploited even when the plugin is inactive?
  46. Prevent direct access to WordPress plugin assets?
  47. How to protect WordPress from security scanner [closed]
  48. Too many login attempts
  49. Website show Google Ads when we have no Google Ads linked to our website
  50. Vulnerability Concern From the Plugin or From Not Updating the Plugin?
  51. Custom API plugin to execute 3rd party API to retrieve data
  52. correctness of URL
  53. how do I secure my WP website from hackers? [closed]
  54. Chrome Dev Tools console says every page in my blog has link to http://maps.google.com [closed]
  55. How do I convert my WordPress website to be domain agnostic?
  56. How to pass a query string to another page on the same site?
  57. Webservice credential storage [duplicate]
  58. Scrape a webpage for image and add it to post
  59. Change url of posts with keywords
  60. Regarding plugin security
  61. How do I determine if the user who registered is not spam?
  62. Is this plugin safe to run?
  63. Is the Block Bad Queries Plugin Still Relevant?
  64. Hide plugins and theme from public
  65. Offer Download Links for Product Images
  66. Security of a WordPress Plugin
  67. Redirect unloggedin users
  68. Change language on website and change currency with url query
  69. How can I disable new plugin and theme install, but allow updates?
  70. Validating ajax search
  71. WordPress disable direct access of files in WordPress installation path
  72. How to create a folder in wordpress that will contain pages?
  73. Asking help regarding potential malware
  74. prevent anonymous access to WordPress site (non-admin site)
  75. How to allow URL with filename & extension in wordpress?
  76. Bing/msn bots is heavily requesting random of my website
  77. Securing a plugin pop-up window
  78. Automatic set a featured image from the first image’s url (or tag) in the article
  79. WordPress website giving 404
  80. Keeping original URL
  81. How to link file or image from wordpress plugin dir to theme by using themes function.php, is it possible?
  82. Being hacked. Is there a list of WordPress security holes I can check against?
  83. Images not showing on homepage after migration [duplicate]
  84. How can i see/log all requests coming from a registration form (not from the UI)?
  85. Write mysql credentials in plugin
  86. Creating custom URL for async content
  87. Site is continuously accessing by several IPs
  88. URL RewriteRule doesn’t work when using WP Database Participants in my WordPress website
  89. SWF in wordpress post
  90. Display Plugin information on specific url
  91. How to get the real address from a url (permalink)
  92. File permissions for wp-minify plugin
  93. Remove base from the custom post type URL [duplicate]
  94. WP Job Manger change jobs url (NOT slug)
  95. What is the recommended way to be notified of security updates to my plugins? [closed]
  96. HTML link within my plugin settings page
  97. How to resolve these findings from security audit
  98. Why plugin’s icon for the menu not found?
  99. How to change all the urls of the WordPress site?
  100. Stop the user if login from the cookies