[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$flo447LvvJE6d-wLtfEgUdq_zTJSTF7Mxj7YhNYca2uo":3,"$fyPgLxcopRxt-iUX8h9ujQodZNKjUyVLhQUeA-25S9Zw":243,"$frY1nORIPfTt9KMWwjpzbvUBkySWlc5PXMecGD4Rvcbo":248},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":22,"download_link":23,"security_score":24,"vuln_count":25,"unpatched_count":26,"last_vuln_date":27,"fetched_at":28,"discovery_status":29,"vulnerabilities":30,"developer":65,"crawl_stats":36,"alternatives":70,"analysis":175,"fingerprints":218},"bdvs-password-reset","Password Reset with Code for WordPress REST API","0.0.17","dominic_ks","https:\u002F\u002Fprofiles.wordpress.org\u002Fdominic_ks\u002F","\u003Cp>A simple plugin that adds a password reset facility to the WordPress REST API using a code. The process is a two step process:\u003C\u002Fp>\n\u003Col>\n\u003Cli>User requests a password reset. A code is emailed to their registered email address\u003C\u002Fli>\n\u003Cli>The user enters the code when setting a new password, which is only set if the code is valid and has not expired\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>It is also possible to check the validity of a code without resetting the password which enables the possibility of setting the password by other means, or having a two stage process for checking the code and resetting the password if desired.\u003C\u002Fp>\n\u003Cp>Default settings are to use an 8 digit code consisting of numbers, upper and lower case letters and special characters, which has a life span of 15 minutes, afterwhich a new code would need to be requested. 
By default a user can attempt to use or validate a code up to 3 times before automatically invalidating it.\u003C\u002Fp>\n\u003Ch3>Endpoints\u003C\u002Fh3>\n\u003Cp>The plugin adds two new endpoints to the REST API:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\n\u003Cp>Endpoint: \u003Cem>\u002Fwp-json\u002Fbdpwr\u002Fv1\u002Freset-password\u003C\u002Fem>\u003Cbr \u002F>\n— HTTP Verb: POST\u003Cbr \u002F>\n— Parameters (\u003Cstrong>all required\u003C\u002Fstrong>):\u003Cbr \u002F>\n— email\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cem>\u002Fwp-json\u002Fbdpwr\u002Fv1\u002Fset-password\u003C\u002Fem>\u003Cbr \u002F>\n— HTTP Verb: POST\u003Cbr \u002F>\n— Parameters (\u003Cstrong>all required\u003C\u002Fstrong>):\u003Cbr \u002F>\n— email\u003Cbr \u002F>\n— password\u003Cbr \u002F>\n— code\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cem>\u002Fwp-json\u002Fbdpwr\u002Fv1\u002Fvalidate-code\u003C\u002Fem>\u003Cbr \u002F>\n— HTTP Verb: POST\u003Cbr \u002F>\n— Parameters (\u003Cstrong>all required\u003C\u002Fstrong>):\u003Cbr \u002F>\n— email\u003Cbr \u002F>\n— code\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Example Requests (jQuery)\u003C\u002Fh3>\n\u003Ch3>Reset Password\u003C\u002Fh3>\n\u003Cpre>\u003Ccode>$.ajax({\n  url: '\u002Fwp-json\u002Fbdpwr\u002Fv1\u002Freset-password',\n  method: 'POST',\n  data: {\n    email: 'example@example.com',\n  },\n  success: function( response ) {\n    console.log( response );\n  },\n  error: function( response ) {\n    console.log( response );\n  },\n});\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Set New Password\u003C\u002Fh3>\n\u003Cpre>\u003Ccode>$.ajax({\n  url: '\u002Fwp-json\u002Fbdpwr\u002Fv1\u002Fset-password',\n  method: 'POST',\n  data: {\n    email: 'example@example.com',\n    code: '1234',\n    password: 'Pa$$word1',\n  },\n  success: function( response ) {\n    console.log( response );\n  },\n  error: function( response ) {\n    console.log( response );\n  
},\n});\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Validate Code\u003C\u002Fh3>\n\u003Cpre>\u003Ccode>$.ajax({\n  url: '\u002Fwp-json\u002Fbdpwr\u002Fv1\u002Fvalidate-code',\n  method: 'POST',\n  data: {\n    email: 'example@example.com',\n    code: '1234',\n  },\n  success: function( response ) {\n    console.log( response );\n  },\n  error: function( response ) {\n    console.log( response );\n  },\n});\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Example Success Responses (JSON)\u003C\u002Fh3>\n\u003Ch3>Reset Password\u003C\u002Fh3>\n\u003Cpre>\u003Ccode>{\n    \"data\": {\n        \"status\": 200\n    },\n    \"message\": \"A password reset email has been sent to your email address.\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Set New Password\u003C\u002Fh3>\n\u003Cpre>\u003Ccode>{\n    \"data\": {\n        \"status\": 200\n    },\n    \"message\": \"Password reset successfully.\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Validate Code\u003C\u002Fh3>\n\u003Cpre>\u003Ccode>{\n    \"data\": {\n        \"status\": 200\n    },\n    \"message\": \"The code supplied is valid.\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Example Error Responses (JSON)\u003C\u002Fh3>\n\u003Ch3>Reset Password\u003C\u002Fh3>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"bad_email\",\n    \"message\": \"No user found with this email address.\",\n    \"data\": {\n        \"status\": 500\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Set New Password\u003C\u002Fh3>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"bad_request\",\n    \"message\": \"You must request a password reset code before you try to set a new password.\",\n    \"data\": {\n        \"status\": 500\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Validate Code\u003C\u002Fh3>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"bad_request\",\n    \"message\": \"The reset code provided is not valid.\",\n    \"data\": {\n        \"status\": 500\n    
}\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Filters\u003C\u002Fh3>\n\u003Cp>A number of WordPress filters have been added to help customise the process, please feel free to request additional filters or submit a pull request with any that you required.\u003C\u002Fp>\n\u003Ch3>Filter the length of the code\u003C\u002Fh3>\n\u003Cpre>\u003Ccode>add_filter( 'bdpwr_code_length' , function( $length ) {\n  return 4;\n}, 10 , 1 );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Filter Expiration Time\u003C\u002Fh3>\n\u003Cpre>\u003Ccode>add_filter( 'bdpwr_code_expiration_seconds' , function( $seconds ) {\n  return 900;\n}, 10 , 1 );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Filter the date format used by the plugin to display expiration times\u003C\u002Fh3>\n\u003Cpre>\u003Ccode>add_filter( 'bdpwd_date_format' , function( $format ) {\n  return 'H:i';\n}, 10 , 1 );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Filter the reset email subject\u003C\u002Fh3>\n\u003Cpre>\u003Ccode>add_filter( 'bdpwr_code_email_subject' , function( $subject ) {\n  return 'Password Reset';\n}, 10 , 1 );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Filter the email content\u003C\u002Fh3>\n\u003Cpre>\u003Ccode>add_filter( 'bdpwr_code_email_text' , function( $text , $email , $code , $expiry ) {\n  return $text;\n}, 10 , 4 );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Filter maximum attempts allowed to use a reset code, default is 3, -1 for unlimmited\u003C\u002Fh3>\n\u003Cpre>\u003Ccode>add_filter( 'bdpwr_max_attempts' , function( $attempts ) {\n  return 3;\n}, 10 , 4 );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Filter whether to include upper and lowercase letters in the code as well as numbers, default is false\u003C\u002Fh3>\n\u003Cpre>\u003Ccode>add_filter( 'bdpwr_include_letters' , function( $include ) {\n  return false;\n}, 10 , 4 );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Filter the characters to be used when generating a code, you can use any string you want, default is 
0123456789\u003C\u002Fh3>\n\u003Cpre>\u003Ccode>add_filter( 'bdpwr_selection_string' , function( $string ) {\n  return '0123456789';\n}, 10 , 4 );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Filter the WP roles allowed to reset their password with this plugin, default is any, example below shows removing administrators\u003C\u002Fh3>\n\u003Cpre>\u003Ccode>add_filter( 'bdpwr_allowed_roles' , function( $roles ) {\n\n  $key = array_search( 'administrator' , $roles );\n\n  if( $key !== false ) {\n    unset( $roles[ $key ] );\n  }\n\n  return $roles;\n\n}, 10 , 1 );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Filter to add custom namespace for REST API\u003C\u002Fh3>\n\u003Cpre>\u003Ccode>add_filter( 'bdpwr_route_namespace' , function( $route_namespace ) {\n  return 'xyz\u002Fv1';\n}, 10 , 1 );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Credits\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Plugin icon \u002F banner image by \u003Ca href=\"https:\u002F\u002Funsplash.com\u002Fphotos\u002FCWL6tTDN31w\" rel=\"nofollow ugc\">Sincerely Media\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n","A simple plugin that adds a password reset facility to the WordPress REST API using a code. 
The process is a two step process:",1000,18276,100,10,"2025-06-05T15:06:00.000Z","6.8.5","4.6","5.4",[20,21],"password-reset","wp-api","https:\u002F\u002Fwww.bedevious.co.uk\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbdvs-password-reset.0.0.17.zip",93,2,0,"2025-08-28 00:00:00","2026-04-16T10:56:18.058Z","no_bundle",[31,48],{"id":32,"url_slug":33,"title":34,"description":35,"plugin_slug":4,"theme_slug":36,"affected_versions":37,"patched_in_version":6,"severity":38,"cvss_score":39,"cvss_vector":40,"vuln_type":41,"published_date":27,"updated_date":42,"references":43,"days_to_patch":45,"patch_diff_files":46,"patch_trac_url":36,"research_status":36,"research_verified":47,"research_rounds_completed":26,"research_plan":36,"research_summary":36,"research_vulnerable_code":36,"research_fix_diff":36,"research_exploit_outline":36,"research_model_used":36,"research_started_at":36,"research_completed_at":36,"research_error":36,"poc_status":36,"poc_video_id":36,"poc_summary":36,"poc_steps":36,"poc_tested_at":36,"poc_wp_version":36,"poc_php_version":36,"poc_playwright_script":36,"poc_exploit_code":36,"poc_has_trace":47,"poc_model_used":36,"poc_verification_depth":36},"CVE-2025-5305","password-reset-with-code-unauthenticated-privilege-escalation-via-weak-otp-codes","Password Reset with Code \u003C= 0.0.16 - Unauthenticated Privilege Escalation via Weak OTP Codes","The Password Reset with Code for WordPress REST API plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.0.16. 
This is due to the plugin not using cryptographically secure mechanisms for OTP generation. This makes it possible for unauthenticated attackers to reset the passwords of users, including administrators, and leverage that to gain access to their accounts.",null,"\u003C=0.0.16","high",8.1,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Inadequate Encryption Strength","2025-09-25 19:50:19",[44],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2e84a1ca-fc82-46bc-a484-89f1235988e8?source=api-prod",29,[],false,{"id":49,"url_slug":50,"title":51,"description":52,"plugin_slug":4,"theme_slug":36,"affected_versions":53,"patched_in_version":54,"severity":55,"cvss_score":56,"cvss_vector":57,"vuln_type":58,"published_date":59,"updated_date":60,"references":61,"days_to_patch":63,"patch_diff_files":64,"patch_trac_url":36,"research_status":36,"research_verified":47,"research_rounds_completed":26,"research_plan":36,"research_summary":36,"research_vulnerable_code":36,"research_fix_diff":36,"research_exploit_outline":36,"research_model_used":36,"research_started_at":36,"research_completed_at":36,"research_error":36,"poc_status":36,"poc_video_id":36,"poc_summary":36,"poc_steps":36,"poc_tested_at":36,"poc_wp_version":36,"poc_php_version":36,"poc_playwright_script":36,"poc_exploit_code":36,"poc_has_trace":47,"poc_model_used":36,"poc_verification_depth":36},"CVE-2023-35039","password-reset-with-code-for-wordpress-rest-api-weak-password-recovery-mechanism","Password Reset with Code for WordPress REST API \u003C= 0.0.15 - Weak Password Recovery Mechanism","The Password Reset with Code for WordPress REST API is vulnerable to a Weak Password Recovery Mechanism in versions up to, and including, 0.0.15. This allows unauthenticated attackers to set a 4-digit password recovery code for arbitrary users that, if guessed correctly, will allow them to reset the password for that user. 
Although each code is only allowed 3 tries by default, there is no restriction on the number of code generation attempts allowed, effectively reducing the entropy of the password reset mechanism to 4 digits. Additionally, the code generation mechanism uses str_shuffle, which does not use a cryptographically secure PRNG.","\u003C=0.0.15","0.0.16","critical",9.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Weak Password Recovery Mechanism for Forgotten Password","2023-08-14 00:00:00","2024-01-22 19:56:02",[62],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff44b9e6d-2f84-45f6-9f74-3f23b03c5a49?source=api-prod",162,[],{"slug":7,"display_name":7,"profile_url":8,"plugin_count":66,"total_installs":11,"avg_security_score":24,"avg_patch_time_days":67,"trust_score":68,"computed_at":69},1,96,74,"2026-05-20T06:55:51.948Z",[71,94,114,137,156],{"slug":72,"name":73,"version":74,"author":75,"author_profile":76,"description":77,"short_description":78,"active_installs":79,"downloaded":80,"rating":81,"num_ratings":82,"last_updated":83,"tested_up_to":84,"requires_at_least":85,"requires_php":86,"tags":87,"homepage":92,"download_link":93,"security_score":13,"vuln_count":26,"unpatched_count":26,"last_vuln_date":36,"fetched_at":28},"jwt-authentication-for-wp-rest-api","JWT Authentication for WP REST API","1.5.0","tmeister","https:\u002F\u002Fprofiles.wordpress.org\u002Ftmeister\u002F","\u003Cp>This plugin seamlessly extends the WP REST API, enabling robust and secure authentication using JSON Web Tokens (JWT). 
It provides a straightforward way to authenticate users via the REST API, returning a standard JWT upon successful login.\u003C\u002Fp>\n\u003Ch3>Key features of this free version include:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Standard JWT Authentication:\u003C\u002Fstrong> Implements the industry-standard \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519\" rel=\"nofollow ugc\">RFC 7519\u003C\u002Fa> for secure claims representation.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Simple Endpoints:\u003C\u002Fstrong> Offers clear \u003Ccode>\u002Ftoken\u003C\u002Fcode> and \u003Ccode>\u002Ftoken\u002Fvalidate\u003C\u002Fcode> endpoints for generating and validating tokens.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Configurable Secret Key:\u003C\u002Fstrong> Define your unique secret key via \u003Ccode>wp-config.php\u003C\u002Fcode> for secure token signing.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Optional CORS Support:\u003C\u002Fstrong> Easily enable Cross-Origin Resource Sharing support via a \u003Ccode>wp-config.php\u003C\u002Fcode> constant.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Developer Hooks:\u003C\u002Fstrong> Provides filters (\u003Ccode>jwt_auth_expire\u003C\u002Fcode>, \u003Ccode>jwt_auth_token_before_sign\u003C\u002Fcode>, etc.) 
for customizing token behavior.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>JSON Web Tokens are an open, industry standard method for representing claims securely between two parties.\u003C\u002Fp>\n\u003Cp>For users requiring more advanced capabilities such as multiple signing algorithms (RS256, ES256), token refresh\u002Frevocation, UI-based configuration, or priority support, consider checking out \u003Cstrong>\u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=description_link_soft\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa>\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Support and Requests:\u003C\u002Fstrong> Please use \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FTmeister\u002Fwp-api-jwt-auth\u002Fissues\" rel=\"nofollow ugc\">GitHub Issues\u003C\u002Fa>. For priority support, consider upgrading to \u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=description_support_link\" rel=\"nofollow ugc\">PRO\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>REQUIREMENTS\u003C\u002Fh3>\n\u003Ch4>WP REST API V2\u003C\u002Fh4>\n\u003Cp>This plugin was conceived to extend the \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FWP-API\u002FWP-API\" rel=\"nofollow ugc\">WP REST API V2\u003C\u002Fa> plugin features and, of course, was built on top of it.\u003C\u002Fp>\n\u003Cp>So, to use the \u003Cstrong>wp-api-jwt-auth\u003C\u002Fstrong> you need to install and activate \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FWP-API\u002FWP-API\" rel=\"nofollow ugc\">WP REST API\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>PHP\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Minimum PHP version: 7.4.0\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>PHP HTTP Authorization Header Enable\u003C\u002Fh3>\n\u003Cp>Most shared hosting providers have disabled the \u003Cstrong>HTTP Authorization Header\u003C\u002Fstrong> by 
default.\u003C\u002Fp>\n\u003Cp>To enable this option you’ll need to edit your \u003Cstrong>.htaccess\u003C\u002Fstrong> file by adding the following:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>RewriteEngine on\nRewriteCond %{HTTP:Authorization} ^(.*)\nRewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>WPENGINE\u003C\u002Fh4>\n\u003Cp>For WPEngine hosting, you’ll need to edit your \u003Cstrong>.htaccess\u003C\u002Fstrong> file by adding the following:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>SetEnvIf Authorization \"(.*)\" HTTP_AUTHORIZATION=$1\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>See https:\u002F\u002Fgithub.com\u002FTmeister\u002Fwp-api-jwt-auth\u002Fissues\u002F1 for more details.\u003C\u002Fp>\n\u003Ch3>CONFIGURATION\u003C\u002Fh3>\n\u003Ch3>Configure the Secret Key\u003C\u002Fh3>\n\u003Cp>The JWT needs a \u003Cstrong>secret key\u003C\u002Fstrong> to sign the token. This \u003Cstrong>secret key\u003C\u002Fstrong> must be unique and never revealed.\u003C\u002Fp>\n\u003Cp>To add the \u003Cstrong>secret key\u003C\u002Fstrong>, edit your wp-config.php file and add a new constant called \u003Cstrong>JWT_AUTH_SECRET_KEY\u003C\u002Fstrong>:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('JWT_AUTH_SECRET_KEY', 'your-top-secret-key');\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>You can generate a secure key from: https:\u002F\u002Fapi.wordpress.org\u002Fsecret-key\u002F1.1\u002Fsalt\u002F\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Looking for easier configuration?\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=config_secret_key_link\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa> allows you to manage all settings through a simple admin UI.\u003C\u002Fp>\n\u003Ch3>Configure CORS Support\u003C\u002Fh3>\n\u003Cp>The \u003Cstrong>wp-api-jwt-auth\u003C\u002Fstrong> plugin has the option to activate \u003Ca 
href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FCross-origin_resource_sharing\" rel=\"nofollow ugc\">CORS\u003C\u002Fa> support.\u003C\u002Fp>\n\u003Cp>To enable CORS Support, edit your wp-config.php file and add a new constant called \u003Cstrong>JWT_AUTH_CORS_ENABLE\u003C\u002Fstrong>:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('JWT_AUTH_CORS_ENABLE', true);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Finally, activate the plugin within your wp-admin.\u003C\u002Fp>\n\u003Ch3>Namespace and Endpoints\u003C\u002Fh3>\n\u003Cp>When the plugin is activated, a new namespace is added:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002Fjwt-auth\u002Fv1\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Also, two new endpoints are added to this namespace:\u003C\u002Fp>\n\u003Cp>Endpoint | HTTP Verb\u003Cbr \u002F>\n\u003Cem>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u003C\u002Fem> | POST\u003Cbr \u002F>\n\u003Cem>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u002Fvalidate\u003C\u002Fem> | POST\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Need more functionality?\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=endpoints_pro_note\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa> includes additional endpoints for token refresh and revocation.\u003C\u002Fp>\n\u003Ch3>USAGE\u003C\u002Fh3>\n\u003Ch4>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u003C\u002Fh4>\n\u003Cp>This is the entry point for JWT Authentication.\u003C\u002Fp>\n\u003Cp>It validates the user credentials, \u003Cem>username\u003C\u002Fem> and \u003Cem>password\u003C\u002Fem>, and returns a token to use in future requests to the API if the authentication is correct, or an error if authentication fails.\u003C\u002Fp>\n\u003Cp>Sample Request Using AngularJS\u003C\u002Fp>\n\u003Cpre>\u003Ccode>(function() {\n  var app = angular.module('jwtAuth', []);\n\n  app.controller('MainController', function($scope, $http) 
{\n    var apiHost = 'http:\u002F\u002Fyourdomain.com\u002Fwp-json';\n\n    $http.post(apiHost + '\u002Fjwt-auth\u002Fv1\u002Ftoken', {\n      username: 'admin',\n      password: 'password'\n    })\n    .then(function(response) {\n      console.log(response.data)\n    })\n    .catch(function(error) {\n      console.error('Error', error.data[0]);\n    });\n  });\n})();\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Success Response From The Server\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n  \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC9qd3QuZGV2IiwiaWF0IjoxNDM4NTcxMDUwLCJuYmYiOjE0Mzg1NzEwNTAsImV4cCI6MTQzOTE3NTg1MCwiZGF0YSI6eyJ1c2VyIjp7ImlkIjoiMSJ9fX0.YNe6AyWW4B7ZwfFE5wJ0O6qQ8QFcYizimDmBy6hCH_8\",\n  \"user_display_name\": \"admin\",\n  \"user_email\": \"admin@localhost.dev\",\n  \"user_nicename\": \"admin\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Error Response From The Server\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n  \"code\": \"jwt_auth_failed\",\n  \"data\": {\n    \"status\": 403\n  },\n  \"message\": \"Invalid Credentials.\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Once you get the token, you must store it somewhere in your application, e.g., in a \u003Cstrong>cookie\u003C\u002Fstrong> or using \u003Cstrong>localStorage\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>From this point, you should pass this token with every API call.\u003C\u002Fp>\n\u003Cp>Sample Call Using The Authorization Header With AngularJS\u003C\u002Fp>\n\u003Cpre>\u003Ccode>app.config(function($httpProvider) {\n  $httpProvider.interceptors.push(['$q', '$location', '$cookies', function($q, $location, $cookies) {\n    return {\n      'request': function(config) {\n        config.headers = config.headers || {};\n        \u002F\u002F Assume that you store the token in a cookie\n        var globals = $cookies.getObject('globals') || {};\n        \u002F\u002F If the cookie has the CurrentUser and the token\n        \u002F\u002F add the Authorization header in each 
request\n        if (globals.currentUser && globals.currentUser.token) {\n          config.headers.Authorization = 'Bearer ' + globals.currentUser.token;\n        }\n        return config;\n      }\n    };\n  }]);\n});\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>The \u003Cstrong>wp-api-jwt-auth\u003C\u002Fstrong> plugin will intercept every call to the server and will look for the Authorization Header. If the Authorization header is present, it will try to decode the token and will set the user according to the data stored in it.\u003C\u002Fp>\n\u003Cp>If the token is valid, the API call flow will continue as normal.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Sample Headers\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>POST \u002Fresource HTTP\u002F1.1\nHost: server.example.com\nAuthorization: Bearer mF_s9.B5f-4.1JqM\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>ERRORS\u003C\u002Fh3>\n\u003Cp>If the token is invalid, an error will be returned. Here are some sample errors:\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Invalid Credentials\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[\n  {\n    \"code\": \"jwt_auth_failed\",\n    \"message\": \"Invalid Credentials.\",\n    \"data\": {\n      \"status\": 403\n    }\n  }\n]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Invalid Signature\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[\n  {\n    \"code\": \"jwt_auth_invalid_token\",\n    \"message\": \"Signature verification failed\",\n    \"data\": {\n      \"status\": 403\n    }\n  }\n]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Expired Token\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[\n  {\n    \"code\": \"jwt_auth_invalid_token\",\n    \"message\": \"Expired token\",\n    \"data\": {\n      \"status\": 403\n    }\n  }\n]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Need advanced error tracking?\u003C\u002Fstrong> \u003Ca 
href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=errors_pro_note\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa> offers enhanced error tracking and monitoring capabilities.\u003C\u002Fp>\n\u003Ch4>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u002Fvalidate\u003C\u002Fh4>\n\u003Cp>This is a simple helper endpoint to validate a token. You only need to make a POST request with the Authorization header.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Valid Token Response\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n  \"code\": \"jwt_auth_valid_token\",\n  \"data\": {\n    \"status\": 200\n  }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>AVAILABLE HOOKS\u003C\u002Fh3>\n\u003Cp>The \u003Cstrong>wp-api-jwt-auth\u003C\u002Fstrong> plugin is developer-friendly and provides five filters to override the default settings.\u003C\u002Fp>\n\u003Ch4>jwt_auth_cors_allow_headers\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_cors_allow_headers\u003C\u002Fstrong> filter allows you to modify the available headers when CORS support is enabled.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>'Access-Control-Allow-Headers, Content-Type, Authorization'\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_not_before\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_not_before\u003C\u002Fstrong> filter allows you to change the \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519#section-4.1.5\" rel=\"nofollow ugc\">\u003Cstrong>nbf\u003C\u002Fstrong>\u003C\u002Fa> value before the token is created.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>Creation time - time()\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_expire\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_expire\u003C\u002Fstrong> filter allows you to change the \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519#section-4.1.4\" 
rel=\"nofollow ugc\">\u003Cstrong>exp\u003C\u002Fstrong>\u003C\u002Fa> value before the token is created.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>time() + (DAY_IN_SECONDS * 7)\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_token_before_sign\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_token_before_sign\u003C\u002Fstrong> filter allows you to modify all token data before it is encoded and signed.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>$token = array(\n    'iss' => get_bloginfo('url'),\n    'iat' => $issuedAt,\n    'nbf' => $notBefore,\n    'exp' => $expire,\n    'data' => array(\n        'user' => array(\n            'id' => $user->data->ID,\n        )\n    )\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Want easier customization?\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=hook_payload_pro_note\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa> allows you to add custom claims directly through the admin UI.\u003C\u002Fp>\n\u003Ch4>jwt_auth_token_before_dispatch\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_token_before_dispatch\u003C\u002Fstrong> filter allows you to modify the response array before it is sent to the client.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>$data = array(\n    'token' => $token,\n    'user_email' => $user->data->user_email,\n    'user_nicename' => $user->data->user_nicename,\n    'user_display_name' => $user->data->display_name,\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_algorithm\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_algorithm\u003C\u002Fstrong> filter allows you to modify the signing algorithm.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>$token = JWT::encode(\n    apply_filters('jwt_auth_token_before_sign', $token, $user),\n    
$secret_key,\n    apply_filters('jwt_auth_algorithm', 'HS256')\n);\n\n\u002F\u002F ...\n\n$token = JWT::decode(\n    $token,\n    new Key($secret_key, apply_filters('jwt_auth_algorithm', 'HS256'))\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>JWT Authentication PRO\u003C\u002Fh3>\n\u003Cp>Elevate your WordPress security and integration capabilities with \u003Cstrong>JWT Authentication PRO\u003C\u002Fstrong>. Building upon the solid foundation of the free version, the PRO version offers advanced features, enhanced security options, and a streamlined user experience:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Easy Configuration UI:\u003C\u002Fstrong> Manage all settings directly from the WordPress admin area.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Refresh Endpoint:\u003C\u002Fstrong> Allow users to refresh expired tokens seamlessly without requiring re-login.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Revocation Endpoint:\u003C\u002Fstrong> Immediately invalidate specific tokens for enhanced security control.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Customizable Token Payload:\u003C\u002Fstrong> Add custom claims to your JWT payload to suit your specific application needs.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Granular CORS Control:\u003C\u002Fstrong> Define allowed origins and headers with more precision directly in the settings.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Rate Limiting:\u003C\u002Fstrong> Protect your endpoints from abuse with configurable rate limits.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Audit Logs:\u003C\u002Fstrong> Keep track of token generation, validation, and errors.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Priority Support:\u003C\u002Fstrong> Get faster, dedicated support directly from the developer.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=pro_section_cta\" rel=\"nofollow ugc\">Upgrade to JWT 
Authentication PRO Today!\u003C\u002Fa>\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>Free vs. PRO Comparison\u003C\u002Fh3>\n\u003Cp>Here’s a quick look at the key differences:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Basic JWT Authentication:\u003C\u002Fstrong> Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Generation:\u003C\u002Fstrong> Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Validation:\u003C\u002Fstrong> Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Refresh Mechanism:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Revocation:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Management Dashboard:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Analytics & Monitoring:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Geo-IP Identification:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Rate Limiting:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Detailed Documentation:\u003C\u002Fstrong> Basic (Free), Comprehensive (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Developer Tools:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Premium Support:\u003C\u002Fstrong> Community via GitHub (Free), Priority Direct Support (PRO)\u003C\u002Fli>\n\u003C\u002Ful>\n","Extends the WP REST API using JSON Web Tokens Authentication as an authentication 
method.",60000,906385,88,53,"2026-02-18T00:58:00.000Z","6.9.4","4.2","7.4.0",[88,89,90,91,21],"json-web-authentication","jwt","oauth","rest-api","https:\u002F\u002Fenriquechavez.co","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fjwt-authentication-for-wp-rest-api.1.5.0.zip",{"slug":95,"name":96,"version":97,"author":98,"author_profile":99,"description":100,"short_description":101,"active_installs":102,"downloaded":103,"rating":13,"num_ratings":25,"last_updated":104,"tested_up_to":105,"requires_at_least":106,"requires_php":107,"tags":108,"homepage":111,"download_link":112,"security_score":113,"vuln_count":26,"unpatched_count":26,"last_vuln_date":36,"fetched_at":28},"rest-api-meta-support","REST API Meta Support","1.0.0","Pericor","https:\u002F\u002Fprofiles.wordpress.org\u002Fpericror\u002F","\u003Cp>Automatically stores the meta data from the \u003Ccode>meta\u003C\u002Fcode> field of a wordpress REST API posts (\u003Ca href=\"https:\u002F\u002Fdeveloper.wordpress.org\u002Frest-api\u002Freference\u002Fposts\u002F#create-a-post\" rel=\"nofollow ugc\">\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts\u003C\u002Fa>) or pages (\u003Ca href=\"https:\u002F\u002Fdeveloper.wordpress.org\u002Frest-api\u002Freference\u002Fpages\u002F#create-a-page\" rel=\"nofollow ugc\">\u002Fwp-json\u002Fwp\u002Fv2\u002Fpages\u003C\u002Fa>) POST in the meta data associated with the created page or post using \u003Ca href=\"https:\u002F\u002Fdeveloper.wordpress.org\u002Freference\u002Ffunctions\u002Fupdate_post_meta\u002F\" rel=\"nofollow ugc\">update_post_meta\u003C\u002Fa>. 
The key \u002F value information sent in the REST POST ‘meta’ object field is stored as both ‘key’ and ‘_key’ to support different plugin formats.\u003Cbr \u002F>\nFor example, if trying to set the YOAST SEO Plugin values dynamically when creating a page from the REST API, you would simply add the fields to the meta field of the REST POST data when you POST the endpoint, and the plugin values will be added to the page:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n...\n  'meta': {\n    'yoast_wpseo_title': \"Title set from REST call\"\n    'yoast_wpseo_metadesc': \"Meta description set from REST call\"\n  }\n...\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Use this plugin when dynamically creating pages with the WordPress REST API to support modifying plugin settings for pages\u002Fposts created using the REST API!\u003C\u002Fp>\n\u003Cp>A guide on how to use this plugin to generate a page\u002Fpost with plugins configured from the REST API is \u003Ca href=\"https:\u002F\u002Fwww.pericror.com\u002Fsoftware\u002Fgenerating-pages-posts-plugins-using-wordpress-rest-api\u002F\" rel=\"nofollow ugc\">available at Pericror.\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>Inspired as a broader alternative to \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FChazUK\u002Fwp-api-yoast-meta\" rel=\"nofollow ugc\">wp-api-yoast-meta.\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>Compatible with the \u003Ca href=\"http:\u002F\u002Fv2.wp-api.org\u002F\" rel=\"nofollow ugc\">wordpress rest api version 2.\u003C\u002Fa>\u003C\u002Fp>\n","Stores meta data (i.e plugin settings) from the meta field of a WP REST API posts or pages POST creation call in the created page or post meta 
data.",7000,7700,"2020-05-29T18:33:00.000Z","5.4.19","1.0","7.0",[109,110,21],"meta","rest","https:\u002F\u002Fgithub.com\u002Fpericror\u002FWPRESTAPIMetaSupport","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frest-api-meta-support.zip",85,{"slug":115,"name":116,"version":117,"author":118,"author_profile":119,"description":120,"short_description":121,"active_installs":122,"downloaded":123,"rating":124,"num_ratings":125,"last_updated":126,"tested_up_to":127,"requires_at_least":128,"requires_php":129,"tags":130,"homepage":134,"download_link":135,"security_score":136,"vuln_count":26,"unpatched_count":26,"last_vuln_date":36,"fetched_at":28},"wp-rest-api-log","REST API Log","1.7.0","Pete Nelson","https:\u002F\u002Fprofiles.wordpress.org\u002Fgungeekatx\u002F","\u003Cp>WordPress plugin to log \u003Ca href=\"http:\u002F\u002Fv2.wp-api.org\u002F\" rel=\"nofollow ugc\">REST API\u003C\u002Fa> requests and responses (for v2 of the API).\u003C\u002Fp>\n\u003Cp>Includes:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>WordPress admin page to view and search log entries\u003C\u002Fli>\n\u003Cli>API endpoint to access log entries via JSON\u003C\u002Fli>\n\u003Cli>Filters to customize logging\u003C\u002Fli>\n\u003Cli>Custom endpoint logging\u003C\u002Fli>\n\u003Cli>ElasticPress logging\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Find us on \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fpetenelson\u002Fwp-rest-api-log\" rel=\"nofollow ugc\">GitHub\u003C\u002Fa>!\u003C\u002Fp>\n\u003Cp>Roadmap\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Better search capabilities for log entries via the REST API endpoint\u003C\u002Fli>\n\u003C\u002Ful>\n","WordPress plugin to log REST API requests and 
responses",5000,114125,72,24,"2025-01-02T16:29:00.000Z","6.7.5","4.7","",[131,132,91,21,133],"api","json","wp-rest-api","https:\u002F\u002Fgithub.com\u002Fpetenelson\u002Fwp-rest-api-log","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-rest-api-log.1.7.0.zip",92,{"slug":138,"name":139,"version":140,"author":141,"author_profile":142,"description":143,"short_description":144,"active_installs":145,"downloaded":146,"rating":13,"num_ratings":147,"last_updated":148,"tested_up_to":149,"requires_at_least":150,"requires_php":129,"tags":151,"homepage":154,"download_link":155,"security_score":113,"vuln_count":26,"unpatched_count":26,"last_vuln_date":36,"fetched_at":28},"wp-api-menus","WP API Menus","1.3.2","Fulvio Notarstefano","https:\u002F\u002Fprofiles.wordpress.org\u002Fnekojira\u002F","\u003Cp>This plugin extends the \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fjson-rest-api\u002F\" rel=\"ugc\">WordPress JSON REST API\u003C\u002Fa> with new routes for WordPress registered menus\u003C\u002Fp>\n\u003Cp>The new routes available will be:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ccode>\u002Fmenus\u003C\u002Fcode> list of every registered menu.\u003C\u002Fli>\n\u003Cli>\u003Ccode>\u002Fmenus\u002F\u003Cid>\u003C\u002Fcode> data for a specific menu.\u003C\u002Fli>\n\u003Cli>\u003Ccode>\u002Fmenu-locations\u003C\u002Fcode> list of all registered theme locations.\u003C\u002Fli>\n\u003Cli>\u003Ccode>\u002Fmenu-locations\u002F\u003Clocation>\u003C\u002Fcode> data for menu in specified menu in theme location.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Currently, the \u003Ccode>menu-locations\u002F\u003Clocation>\u003C\u002Fcode> route for individual menus will return a tree with full menu hierarchy, with correct menu item order and listing children for each menu item. The \u003Ccode>menus\u002F\u003Cid>\u003C\u002Fcode> route will output menu details and a flat array of menu items. 
Item order or if each item has a parent will be indicated in each item attributes, but this route won’t output items as a tree.\u003C\u002Fp>\n\u003Cp>You can alter the data arrangement of each individual menu items and children using the filter hook \u003Ccode>json_menus_format_menu_item\u003C\u002Fcode>.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>An important note on WP API V2:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>In V1 the routes are located by default at \u003Ccode>wp-json\u002Fmenus\u002F\u003C\u002Fcode> etc.\u003C\u002Fp>\n\u003Cp>In V2 the routes by default are at \u003Ccode>wp-json\u002Fwp-api-menus\u002Fv2\u002F\u003C\u002Fcode> (e.g. \u003Ccode>wp-json\u002Fwp-api-menus\u002Fv2\u002Fmenus\u002F\u003C\u002Fcode>, etc.) since V2 encourages prefixing and version namespacing.\u003C\u002Fp>\n","Extends WordPress WP REST API with new routes pointing to WordPress menus.",2000,107964,8,"2020-08-18T07:21:00.000Z","5.5.0","3.6.0",[132,152,153,21,133],"json-rest-api","menus","https:\u002F\u002Fgithub.com\u002Fnekojira\u002Fwp-api-menus","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-api-menus.1.3.2.zip",{"slug":157,"name":158,"version":159,"author":160,"author_profile":161,"description":162,"short_description":163,"active_installs":164,"downloaded":165,"rating":166,"num_ratings":167,"last_updated":168,"tested_up_to":16,"requires_at_least":169,"requires_php":129,"tags":170,"homepage":171,"download_link":172,"security_score":173,"vuln_count":25,"unpatched_count":26,"last_vuln_date":174,"fetched_at":28},"emergency-password-reset","Emergency password reset","9.4","andy_moyle","https:\u002F\u002Fprofiles.wordpress.org\u002Fandy_moyle\u002F","\u003Cp>This plugin does 3 things\u003Cbr \u002F>\n1) It will check you don’t have a username called “admin” which is asking to be hacked\u003Cbr \u002F>\n2) It will allow you to reset all passwords, with an password reset link sent to all users to warn them.\u003Cbr \u002F>\nFollowing a couple of reviews from v7.0 the 
plugin will allow you to set the email from address, name, subject and message\u003Cbr \u002F>\n3) You can also change the SALTS which forces a logout of all users.\u003C\u002Fp>\n","This plugin allows the admin to reset all the passwords and automatically email out the link to reset",800,28208,68,12,"2025-11-24T12:02:00.000Z","2.7.0",[157],"http:\u002F\u002Fwww.themoyles.co.uk","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Femergency-password-reset.zip",98,"2025-09-22 00:00:00",{"attackSurface":176,"codeSignals":191,"taintFlows":204,"riskAssessment":205,"analyzedAt":217},{"hooks":177,"ajaxHandlers":187,"restRoutes":188,"shortcodes":189,"cronEvents":190,"entryPointCount":26,"unprotectedCount":26},[178,183,185],{"type":179,"name":180,"callback":181,"file":182,"line":147},"action","rest_api_init","closure","inc\\api\\api.route.reset-password.php",{"type":179,"name":180,"callback":181,"file":184,"line":147},"inc\\api\\api.route.set-password.php",{"type":179,"name":180,"callback":181,"file":186,"line":147},"inc\\api\\api.route.validate-code.php",[],[],[],[],{"dangerousFunctions":192,"sqlUsage":193,"outputEscaping":195,"fileOperations":26,"externalRequests":26,"nonceChecks":26,"capabilityChecks":26,"bundledLibraries":203},[],{"prepared":26,"raw":26,"locations":194},[],{"escaped":26,"rawEcho":25,"locations":196},[197,201],{"file":198,"line":199,"context":200},"inc\\functions.php",169,"raw output",{"file":198,"line":202,"context":200},172,[],[],{"summary":206,"deductions":207},"The \"bdvs-password-reset\" plugin v0.0.17 presents a mixed security posture.  While static analysis indicates a remarkably small attack surface with no detected AJAX handlers, REST API routes, shortcodes, or cron events, and importantly, no direct SQL queries or file operations observed, there are significant concerns regarding output escaping and the plugin's historical vulnerability record.  
None of the detected output statements is escaped, which could lead to Cross-Site Scripting (XSS) vulnerabilities if user-supplied data ever reaches them without sanitization; the scan flags the missing escaping, not a confirmed injection path.\n\nThe vulnerability history for this plugin is alarming, with two known CVEs, one of critical and one of high severity.  The common vulnerability types, \"Inadequate Encryption Strength\" and \"Weak Password Recovery Mechanism for Forgotten Password,\" directly align with the plugin's core function and suggest fundamental security flaws in how it handles sensitive user authentication data.  The last vulnerability was recorded recently (2025-08-28), which indicates a recurring pattern of security weaknesses, even though all known CVEs are currently patched. This history suggests a lack of robust security development practices within the plugin's lifecycle.\n\nIn conclusion, the static analysis counted no entry points, but the plugin registers its three password-reset REST endpoints through rest_api_init closures, so the empty route count is better read as a gap in route detection than as evidence of a small attack surface. The critical vulnerability history and the unescaped output present substantial risks. The plugin's core functionality appears prone to severe security flaws, and the lack of output escaping is a common gateway for XSS attacks. 
Users should exercise extreme caution and consider alternative solutions until these systemic security issues are definitively addressed and demonstrated over a sustained period.",[208,211,214],{"reason":209,"points":210},"Unescaped output detected",6,{"reason":212,"points":213},"Critical severity vulnerability in history",20,{"reason":215,"points":216},"High severity vulnerability in history",15,"2026-03-16T19:09:52.926Z",{"wat":219,"direct":224},{"assetPaths":220,"generatorPatterns":221,"scriptPaths":222,"versionParams":223},[],[],[],[],{"cssClasses":225,"htmlComments":226,"htmlAttributes":236,"restEndpoints":237,"jsGlobals":241,"shortcodeOutput":242},[],[227,228,229,230,231,232,233,234,235]," Add an endpoint to reset a password "," Add an endpoint to set a new password "," Add an endpoint to validate a code without resetting the password "," Class to handle user related actions "," The class constructor "," Generate a password reset code and send it to the user "," Set a new password "," Validate a code "," Filter the maximum attempts that can be made on a given code. Set to -1 for unlimmited. 
",[],[238,239,240],"\u002Fbdpwr\u002Fv1\u002Freset-password","\u002Fbdpwr\u002Fv1\u002Fset-password","\u002Fbdpwr\u002Fv1\u002Fvalidate-code",[],[],{"error":244,"url":245,"statusCode":246,"statusMessage":247,"message":247},true,"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Fbdvs-password-reset\u002Fbundle",404,"no bundle for this plugin yet",{"slug":4,"current_version":6,"total_versions":249,"versions":250},16,[251,256,263,272,281,290,299,308,317,326,335,344,353,362,371,380],{"version":6,"download_url":23,"svn_tag_url":252,"released_at":36,"has_diff":47,"diff_files_changed":253,"diff_lines":36,"trac_diff_url":254,"vulnerabilities":255,"is_current":244},"https:\u002F\u002Fplugins.svn.wordpress.org\u002Fbdvs-password-reset\u002Ftags\u002F0.0.17\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fbdvs-password-reset%2Ftags%2F0.0.16&new_path=%2Fbdvs-password-reset%2Ftags%2F0.0.17",[],{"version":54,"download_url":257,"svn_tag_url":258,"released_at":36,"has_diff":47,"diff_files_changed":259,"diff_lines":36,"trac_diff_url":260,"vulnerabilities":261,"is_current":47},"https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbdvs-password-reset.0.0.16.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fbdvs-password-reset\u002Ftags\u002F0.0.16\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fbdvs-password-reset%2Ftags%2F0.0.15&new_path=%2Fbdvs-password-reset%2Ftags%2F0.0.16",[262],{"id":32,"url_slug":33,"title":34,"severity":38,"cvss_score":39,"vuln_type":41,"patched_in_version":6},{"version":264,"download_url":265,"svn_tag_url":266,"released_at":36,"has_diff":47,"diff_files_changed":267,"diff_lines":36,"trac_diff_url":268,"vulnerabilities":269,"is_current":47},"0.0.15","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbdvs-password-reset.0.0.15.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fbdvs-password-reset\u002Ftags\u002F0.0.15\u002F",[],"https:\u002F\u002Fplugins.trac.wordpre
ss.org\u002Fchangeset?old_path=%2Fbdvs-password-reset%2Ftags%2F0.0.14&new_path=%2Fbdvs-password-reset%2Ftags%2F0.0.15",[270,271],{"id":32,"url_slug":33,"title":34,"severity":38,"cvss_score":39,"vuln_type":41,"patched_in_version":6},{"id":49,"url_slug":50,"title":51,"severity":55,"cvss_score":56,"vuln_type":58,"patched_in_version":54},{"version":273,"download_url":274,"svn_tag_url":275,"released_at":36,"has_diff":47,"diff_files_changed":276,"diff_lines":36,"trac_diff_url":277,"vulnerabilities":278,"is_current":47},"0.0.14","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbdvs-password-reset.0.0.14.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fbdvs-password-reset\u002Ftags\u002F0.0.14\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fbdvs-password-reset%2Ftags%2F0.0.13&new_path=%2Fbdvs-password-reset%2Ftags%2F0.0.14",[279,280],{"id":32,"url_slug":33,"title":34,"severity":38,"cvss_score":39,"vuln_type":41,"patched_in_version":6},{"id":49,"url_slug":50,"title":51,"severity":55,"cvss_score":56,"vuln_type":58,"patched_in_version":54},{"version":282,"download_url":283,"svn_tag_url":284,"released_at":36,"has_diff":47,"diff_files_changed":285,"diff_lines":36,"trac_diff_url":286,"vulnerabilities":287,"is_current":47},"0.0.13","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbdvs-password-reset.0.0.13.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fbdvs-password-reset\u002Ftags\u002F0.0.13\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fbdvs-password-reset%2Ftags%2F0.0.12&new_path=%2Fbdvs-password-reset%2Ftags%2F0.0.13",[288,289],{"id":32,"url_slug":33,"title":34,"severity":38,"cvss_score":39,"vuln_type":41,"patched_in_version":6},{"id":49,"url_slug":50,"title":51,"severity":55,"cvss_score":56,"vuln_type":58,"patched_in_version":54},{"version":291,"download_url":292,"svn_tag_url":293,"released_at":36,"has_diff":47,"diff_files_changed":294,"diff_lines":36,"trac_diff_url":29
5,"vulnerabilities":296,"is_current":47},"0.0.12","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbdvs-password-reset.0.0.12.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fbdvs-password-reset\u002Ftags\u002F0.0.12\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fbdvs-password-reset%2Ftags%2F0.0.11&new_path=%2Fbdvs-password-reset%2Ftags%2F0.0.12",[297,298],{"id":32,"url_slug":33,"title":34,"severity":38,"cvss_score":39,"vuln_type":41,"patched_in_version":6},{"id":49,"url_slug":50,"title":51,"severity":55,"cvss_score":56,"vuln_type":58,"patched_in_version":54},{"version":300,"download_url":301,"svn_tag_url":302,"released_at":36,"has_diff":47,"diff_files_changed":303,"diff_lines":36,"trac_diff_url":304,"vulnerabilities":305,"is_current":47},"0.0.11","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbdvs-password-reset.0.0.11.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fbdvs-password-reset\u002Ftags\u002F0.0.11\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fbdvs-password-reset%2Ftags%2F0.0.10&new_path=%2Fbdvs-password-reset%2Ftags%2F0.0.11",[306,307],{"id":32,"url_slug":33,"title":34,"severity":38,"cvss_score":39,"vuln_type":41,"patched_in_version":6},{"id":49,"url_slug":50,"title":51,"severity":55,"cvss_score":56,"vuln_type":58,"patched_in_version":54},{"version":309,"download_url":310,"svn_tag_url":311,"released_at":36,"has_diff":47,"diff_files_changed":312,"diff_lines":36,"trac_diff_url":313,"vulnerabilities":314,"is_current":47},"0.0.10","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbdvs-password-reset.0.0.10.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fbdvs-password-reset\u002Ftags\u002F0.0.10\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fbdvs-password-reset%2Ftags%2F0.0.9&new_path=%2Fbdvs-password-reset%2Ftags%2F0.0.10",[315,316],{"id":32,"url_slug":33,"title":34,"severity":38,"cvss_score":39,"vu
ln_type":41,"patched_in_version":6},{"id":49,"url_slug":50,"title":51,"severity":55,"cvss_score":56,"vuln_type":58,"patched_in_version":54},{"version":318,"download_url":319,"svn_tag_url":320,"released_at":36,"has_diff":47,"diff_files_changed":321,"diff_lines":36,"trac_diff_url":322,"vulnerabilities":323,"is_current":47},"0.0.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbdvs-password-reset.0.0.9.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fbdvs-password-reset\u002Ftags\u002F0.0.9\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fbdvs-password-reset%2Ftags%2F0.0.8&new_path=%2Fbdvs-password-reset%2Ftags%2F0.0.9",[324,325],{"id":32,"url_slug":33,"title":34,"severity":38,"cvss_score":39,"vuln_type":41,"patched_in_version":6},{"id":49,"url_slug":50,"title":51,"severity":55,"cvss_score":56,"vuln_type":58,"patched_in_version":54},{"version":327,"download_url":328,"svn_tag_url":329,"released_at":36,"has_diff":47,"diff_files_changed":330,"diff_lines":36,"trac_diff_url":331,"vulnerabilities":332,"is_current":47},"0.0.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbdvs-password-reset.0.0.8.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fbdvs-password-reset\u002Ftags\u002F0.0.8\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fbdvs-password-reset%2Ftags%2F0.0.7&new_path=%2Fbdvs-password-reset%2Ftags%2F0.0.8",[333,334],{"id":32,"url_slug":33,"title":34,"severity":38,"cvss_score":39,"vuln_type":41,"patched_in_version":6},{"id":49,"url_slug":50,"title":51,"severity":55,"cvss_score":56,"vuln_type":58,"patched_in_version":54},{"version":336,"download_url":337,"svn_tag_url":338,"released_at":36,"has_diff":47,"diff_files_changed":339,"diff_lines":36,"trac_diff_url":340,"vulnerabilities":341,"is_current":47},"0.0.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbdvs-password-reset.0.0.7.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fbdvs-password-re
set\u002Ftags\u002F0.0.7\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fbdvs-password-reset%2Ftags%2F0.0.6&new_path=%2Fbdvs-password-reset%2Ftags%2F0.0.7",[342,343],{"id":32,"url_slug":33,"title":34,"severity":38,"cvss_score":39,"vuln_type":41,"patched_in_version":6},{"id":49,"url_slug":50,"title":51,"severity":55,"cvss_score":56,"vuln_type":58,"patched_in_version":54},{"version":345,"download_url":346,"svn_tag_url":347,"released_at":36,"has_diff":47,"diff_files_changed":348,"diff_lines":36,"trac_diff_url":349,"vulnerabilities":350,"is_current":47},"0.0.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbdvs-password-reset.0.0.6.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fbdvs-password-reset\u002Ftags\u002F0.0.6\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fbdvs-password-reset%2Ftags%2F0.0.5&new_path=%2Fbdvs-password-reset%2Ftags%2F0.0.6",[351,352],{"id":32,"url_slug":33,"title":34,"severity":38,"cvss_score":39,"vuln_type":41,"patched_in_version":6},{"id":49,"url_slug":50,"title":51,"severity":55,"cvss_score":56,"vuln_type":58,"patched_in_version":54},{"version":354,"download_url":355,"svn_tag_url":356,"released_at":36,"has_diff":47,"diff_files_changed":357,"diff_lines":36,"trac_diff_url":358,"vulnerabilities":359,"is_current":47},"0.0.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbdvs-password-reset.0.0.5.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fbdvs-password-reset\u002Ftags\u002F0.0.5\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fbdvs-password-reset%2Ftags%2F0.0.4&new_path=%2Fbdvs-password-reset%2Ftags%2F0.0.5",[360,361],{"id":32,"url_slug":33,"title":34,"severity":38,"cvss_score":39,"vuln_type":41,"patched_in_version":6},{"id":49,"url_slug":50,"title":51,"severity":55,"cvss_score":56,"vuln_type":58,"patched_in_version":54},{"version":363,"download_url":364,"svn_tag_url":365,"released_at":36,"has_diff":
47,"diff_files_changed":366,"diff_lines":36,"trac_diff_url":367,"vulnerabilities":368,"is_current":47},"0.0.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbdvs-password-reset.0.0.4.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fbdvs-password-reset\u002Ftags\u002F0.0.4\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fbdvs-password-reset%2Ftags%2F0.0.3&new_path=%2Fbdvs-password-reset%2Ftags%2F0.0.4",[369,370],{"id":32,"url_slug":33,"title":34,"severity":38,"cvss_score":39,"vuln_type":41,"patched_in_version":6},{"id":49,"url_slug":50,"title":51,"severity":55,"cvss_score":56,"vuln_type":58,"patched_in_version":54},{"version":372,"download_url":373,"svn_tag_url":374,"released_at":36,"has_diff":47,"diff_files_changed":375,"diff_lines":36,"trac_diff_url":376,"vulnerabilities":377,"is_current":47},"0.0.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbdvs-password-reset.0.0.3.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fbdvs-password-reset\u002Ftags\u002F0.0.3\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fbdvs-password-reset%2Ftags%2F0.0.2&new_path=%2Fbdvs-password-reset%2Ftags%2F0.0.3",[378,379],{"id":32,"url_slug":33,"title":34,"severity":38,"cvss_score":39,"vuln_type":41,"patched_in_version":6},{"id":49,"url_slug":50,"title":51,"severity":55,"cvss_score":56,"vuln_type":58,"patched_in_version":54},{"version":381,"download_url":382,"svn_tag_url":383,"released_at":36,"has_diff":47,"diff_files_changed":384,"diff_lines":36,"trac_diff_url":36,"vulnerabilities":385,"is_current":47},"0.0.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbdvs-password-reset.0.0.2.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fbdvs-password-reset\u002Ftags\u002F0.0.2\u002F",[],[386,387],{"id":32,"url_slug":33,"title":34,"severity":38,"cvss_score":39,"vuln_type":41,"patched_in_version":6},{"id":49,"url_slug":50,"title":51,"severity":55,"cvss_score":56,"vuln_typ
e":58,"patched_in_version":54}]