API Bearer Auth Security & Risk Analysis

wordpress.org/plugins/api-bearer-auth

Access and refresh tokens based authentication plugin for the REST API.

300 active installs · v20200916 · PHP 5.4.0+ · WP 4.6+ · Updated Dec 8, 2025
Tags: api, authentication, jwt, jwt-tokens, rest-api

Security score: 100
Grade: A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Sep 5, 2019
Safety Verdict

Is API Bearer Auth Safe to Use in 2026?

Generally Safe

Score 100/100

API Bearer Auth has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Sep 5, 2019 · Updated 3mo ago
Risk Assessment

The "api-bearer-auth" v20200916 plugin exhibits a concerning security posture despite some positive indicators. While it avoids dangerous functions, file operations, and external HTTP requests, and demonstrates good practices with prepared SQL statements and output escaping, the critical findings in the static analysis are significant. The presence of two unprotected REST API routes creates a substantial attack surface, and the taint analysis revealing two flows with unsanitized paths in REST API routes, classified as high severity, directly points to potential vulnerabilities such as Cross-Site Scripting (XSS) or other injection attacks if not properly handled by the application consuming the API.

The vulnerability history shows one known medium severity CVE related to XSS, which aligns with the taint analysis findings. The fact that this vulnerability is currently patched is a positive sign, but the pattern of past XSS issues highlights a recurring weakness. The complete lack of nonce and capability checks on the identified entry points is a major oversight. In conclusion, while the plugin demonstrates good practices in certain areas, the unprotected REST API routes, unsanitized taint flows, and past XSS vulnerabilities present a significant risk that requires immediate attention and remediation.

Key Concerns

  • REST API routes without permission callbacks
  • Taint flows with unsanitized paths (high severity)
  • No nonce checks on entry points
  • No capability checks on entry points
  • Known medium severity CVE (historical)
Vulnerabilities (1)

API Bearer Auth Security Vulnerabilities

CVEs by Year

1 CVE in 2019 (patched)

Severity Breakdown

Medium: 1

1 total CVE

CVE-2019-16332 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

API Bearer Auth < 20190907 - Cross-Site Scripting

Sep 5, 2019 · Patched in 20190907 (1601d)
Code Analysis
Analyzed Mar 16, 2026

API Bearer Auth Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (11 prepared)
Unescaped Output: 0 (0 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

92% prepared · 12 total queries

Data Flows: 2 unsanitized

Data Flow Analysis

2 flows · 2 with unsanitized paths
determine_current_user_filter (api-bearer-auth.php:134)

Attack Surface: 2 unprotected

API Bearer Auth Attack Surface

Entry Points: 2
Unprotected: 2

REST API Routes (2)

POST /wp-json/api-bearer-auth/v1/login (api-bearer-auth.php:239)
POST /wp-json/api-bearer-auth/v1/tokens/refresh (api-bearer-auth.php:253)

WordPress Hooks (9)

filter determine_current_user (api-bearer-auth.php:46)
filter rest_authentication_errors (api-bearer-auth.php:47)
action rest_api_init (api-bearer-auth.php:48)
action deleted_user (api-bearer-auth.php:49)
action plugins_loaded (api-bearer-auth.php:52)
filter manage_users_columns (api-bearer-auth.php:54)
filter manage_users_custom_column (api-bearer-auth.php:55)
filter bulk_actions-users (api-bearer-auth.php:56)
filter handle_bulk_actions-users (api-bearer-auth.php:57)
Maintenance & Trust

API Bearer Auth Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 8, 2025
PHP min version: 5.4.0
Downloads: 24K

Community Trust

Rating: 100/100
Number of ratings: 6
Active installs: 300
Developer Profile

API Bearer Auth Developer Profile

michielve

4 plugins · 1K total installs

Trust score: 73
Avg Security Score: 92/100
Avg Patch Time: 644 days
Detection Fingerprints

How We Detect API Bearer Auth

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/api-bearer-auth/css/style.css
/wp-content/plugins/api-bearer-auth/js/script.js
Script Paths
/wp-content/plugins/api-bearer-auth/js/script.js
Version Parameters
api-bearer-auth/css/style.css?ver=
api-bearer-auth/js/script.js?ver=

HTML / DOM Fingerprints

HTML Comments
<!-- Make sure to add the lines below to .htaccess otherwise Apache may strip out the auth header. RewriteCond %{HTTP:Authorization} ^(.*) RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1] -->
<!-- Filter: api_bearer_auth_unauthenticated_urls Add URLs that should be avialble to unauthenticated users. Specify only the part after the site url, e.g. /wp-json/wp/v2/users Each URL will be prepended by the value of get_site_url() And each resulting URL will be put in between ^ and $ regular expression signs. -->
REST Endpoints
/wp-json/api-bearer-auth/v1/login/?
/wp-json/api-bearer-auth/v1/tokens/refresh/?
FAQ

Frequently Asked Questions about API Bearer Auth