Does AH JWT Auth have any unpatched vulnerabilities?

No published vulnerabilities and no findings under coordinated disclosure as of the latest data update. Always keep the plugin updated to the latest version.

Is AH JWT Auth compatible with WordPress 6.7.5?

According to WordPress.org data, AH JWT Auth 1.5.4 has been tested up to WordPress 6.7.5. Check the plugin's changelog for the latest compatibility information.

Is AH JWT Auth compatible with PHP 7.0+?

AH JWT Auth requires PHP 7.0 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is AH JWT Auth updated?

AH JWT Auth was last updated on Mar 5, 2025. Frequent updates are generally a positive security signal.

What is AH JWT Auth's security score?

AH JWT Auth has a WP-Safety security score of 92/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

AH JWT Auth Security & Risk Analysis

wordpress.org/plugins/ah-jwt-auth

This plugin allows sign in to WordPress using a JSON Web Token (JWT) contained in a HTTP Header.

10 active installs v1.5.4 PHP 7.0+ WP 4.7+ Updated Mar 5, 2025

authauthenticationjwtloginsso

A · Safe

CVEs total0

Unpatched0

Last CVENever

Download

Safety Verdict

Is AH JWT Auth Safe to Use in 2026?

Generally Safe

Score 92/100

AH JWT Auth has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 1yr ago

Risk Assessment

The ah-jwt-auth plugin v1.5.4 exhibits a generally strong security posture based on the provided static analysis. The absence of any known CVEs and the plugin's track record of no recorded vulnerabilities further bolster this assessment. The code demonstrates good practices by utilizing prepared statements for all SQL queries and properly escaping all outputs. There are no identified dangerous functions, file operations, or taint flows, which are significant indicators of a secure codebase. The attack surface is also minimal, with no unprotected entry points.

However, a few areas warrant attention. The presence of a single cron event, while not explicitly flagged as unprotected, represents a potential entry point that could be further scrutinized. The plugin also makes one external HTTP request, which, depending on its purpose and destination, could introduce external dependencies or risks if not handled with proper validation and security considerations. The lack of any nonce checks is a concern, especially if the cron event or external HTTP request could be triggered or manipulated by unauthenticated users. While capability checks are present, their effectiveness in securing all potential actions associated with the cron event or HTTP request cannot be definitively determined without further context.

Key Concerns

External HTTP requests made
Cron events present
No nonce checks

Vulnerabilities

None known

AH JWT Auth Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Version History

AH JWT Auth Release Timeline

No version history available.

Code Analysis

Analyzed Mar 16, 2026

AH JWT Auth Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

14 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

100% escaped14 total outputs

Attack Surface

AH JWT Auth Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 6

actionadmin_initincludes\class-ahjwtauthadmin.php:28

actionadmin_menuincludes\class-ahjwtauthadmin.php:29

actionadmin_noticesincludes\class-ahjwtauthsignin.php:37

actionlogin_headincludes\class-ahjwtauthsignin.php:38

actionlogin_headincludes\class-ahjwtauthsignin.php:39

actionahjwtauth_refresh_jwksincludes\class-ahjwtauthsignin.php:40

Scheduled Events 1

ahjwtauth_refresh_jwks

Maintenance & Trust

AH JWT Auth Maintenance & Trust

Maintenance Signals

WordPress version tested6.7.5

Last updatedMar 5, 2025

PHP min version7.0

Downloads2K

Community Trust

Rating0/100

Number of ratings0

Active installs10

Alternatives

AH JWT Auth Alternatives

JWT Authenticator

jwt-authenticator

This plugin integrates JWT authentication and automates user creation.

10 No CVEs

Twelve Legs Marketing SSO

twelve-legs-marketing-sso

100

Single sign-on plugin for WordPress that accepts RS256 JWTs from the TWL SSO application for secure authentication.

0 No CVEs

Login for Google Apps

google-apps-login

Simple secure login and user management through your Google Workspace for WordPress (using oAuth2 and MFA if enabled).

10K 1 CVE

Log in with Google

100

Minimal plugin that allows WordPress users to log in using Google.

6K No CVEs

Firebase Authentication

firebase-authentication

100

This plugin allows login into WordPress using Firebase user credentials and maps Firebase user data to WordPress user profile.

500 No CVEs

Developer Profile

AH JWT Auth Developer Profile

andrewheberle

1 plugin · 10 total installs

trust score

Avg Security Score

92/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect AH JWT Auth

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/ah-jwt-auth/assets/css/ahjwt-auth-admin.css/wp-content/plugins/ah-jwt-auth/assets/js/ahjwt-auth-admin.js/wp-content/plugins/ah-jwt-auth/assets/js/ahjwt-auth-frontend.js

Script Paths

/wp-content/plugins/ah-jwt-auth/assets/js/ahjwt-auth-admin.js/wp-content/plugins/ah-jwt-auth/assets/js/ahjwt-auth-frontend.js

Version Parameters

ah-jwt-auth/assets/css/ahjwt-auth-admin.css?ver=ah-jwt-auth/assets/js/ahjwt-auth-admin.js?ver=ah-jwt-auth/assets/js/ahjwt-auth-frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes

ahjwt-auth-admin-pageahjwt-auth-settings-fields

Data Attributes

data-ahjwt-auth-action

JS Globals

ahJwtAuthFrontend

FAQ