Does Magic Emails & Autologin URLs have any unpatched vulnerabilities?

No published vulnerabilities and no findings under coordinated disclosure as of the latest data update. Always keep the plugin updated to the latest version.

Is Magic Emails & Autologin URLs compatible with WordPress 6.4.8?

According to WordPress.org data, Magic Emails & Autologin URLs 2.4.2 has been tested up to WordPress 6.4.8. Check the plugin's changelog for the latest compatibility information.

Is Magic Emails & Autologin URLs compatible with PHP 7.4+?

Magic Emails & Autologin URLs requires PHP 7.4 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Magic Emails & Autologin URLs updated?

Magic Emails & Autologin URLs was last updated on May 26, 2024. Frequent updates are generally a positive security signal.

What is Magic Emails & Autologin URLs's security score?

Magic Emails & Autologin URLs has a WP-Safety security score of 92/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Magic Emails & Autologin URLs Security & Risk Analysis

wordpress.org/plugins/bh-wp-autologin-urls

Adds magic email link to login screen. Adds single-use passwords to WordPress emails' URLs for frictionless login.

80 active installs v2.4.2 PHP 7.4+ WP 4.5.0+ Updated May 26, 2024

emaillinksloginnewsletterusers

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is Magic Emails & Autologin URLs Safe to Use in 2026?

Generally Safe

Score 92/100

Magic Emails & Autologin URLs has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 1yr ago

Risk Assessment

The plugin "bh-wp-autologin-urls" v2.4.2 exhibits a mixed security posture. On the positive side, the code demonstrates good practices in its use of prepared statements for SQL queries (89%) and proper output escaping (96%). The absence of recorded vulnerabilities, including critical and high severity ones, in its history is a strong indicator of a stable and well-maintained codebase. The plugin also appears to avoid dangerous functions and has limited external HTTP requests. However, a significant concern arises from its attack surface. With a total of 5 entry points, 4 of which are AJAX handlers that lack authentication checks, the plugin presents a substantial risk of unauthorized access or manipulation. While the taint analysis did not reveal critical or high severity issues, the presence of flows with unsanitized paths warrants attention, as these could be exploited in conjunction with the unprotected AJAX endpoints.

In conclusion, while the plugin's historical vulnerability record and general code quality are commendable, the unprotected AJAX handlers create a clear security weakness. The limited taint analysis does not entirely alleviate concerns, especially considering the potential for issues with unsanitized paths. Future development should prioritize implementing proper authentication and capability checks on all AJAX handlers to significantly improve the plugin's security posture.

Key Concerns

Unprotected AJAX handlers
Flows with unsanitized paths found

Vulnerabilities

None known

Magic Emails & Autologin URLs Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Version History

Magic Emails & Autologin URLs Release Timeline

v2.4.2Current

v2.4.1

v2.4.0

v2.3.0

v2.2.0

v2.1.1

v2.1.0

v2.0.0

v1.10.0

v1.9.0

v1.1.2.1

v1.1.1

Code Analysis

Analyzed Mar 16, 2026

Magic Emails & Autologin URLs Code Analysis

Dangerous Functions

Raw SQL Queries

8 prepared

Unescaped Output

113 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Guzzle

SQL Query Safety

89% prepared9 total queries

Output Escaping

96% escaped118 total outputs

Data Flows · Security

2 unsanitized

Data Flow Analysis

4 flows2 with unsanitized paths

display_page (vendor-prefixed\brianhenryie\bh-wp-logger\src\admin\class-logs-page.php:103)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

4 unprotected

Magic Emails & Autologin URLs Attack Surface

Entry Points5

Unprotected4

AJAX Handlers 5

noprivwp_ajax_bh_wp_autologin_urls_send_magic_linksrc\class-bh-wp-autologin-urls.php:187

authwp_ajax_bh_wp_logger_logs_deletevendor-prefixed\brianhenryie\bh-wp-logger\src\wp-includes\class-plugin-logger-actions.php:158

authwp_ajax_bh_wp_logger_logs_delete_allvendor-prefixed\brianhenryie\bh-wp-logger\src\wp-includes\class-plugin-logger-actions.php:159

authwp_ajax_query-attachmentsvendor-prefixed\brianhenryie\bh-wp-private-uploads\src\class-bh-wp-private-uploads-hooks.php:184

authwp_ajax_wptrt_dismiss_noticevendor-prefixed\wptrt\admin-notices\src\Dismiss.php:67

WordPress Hooks 90

actionadmin_noticessrc\admin\class-users-list-table.php:97

actionplugins_loadedsrc\api\data-stores\class-db-data-store.php:39

actioninitsrc\class-bh-wp-autologin-urls.php:125

filteradd_autologin_to_messagesrc\class-bh-wp-autologin-urls.php:135

filteradd_autologin_to_urlsrc\class-bh-wp-autologin-urls.php:136

actionplugins_loadedsrc\class-bh-wp-autologin-urls.php:138

actionadmin_enqueue_scriptssrc\class-bh-wp-autologin-urls.php:157

actionadmin_enqueue_scriptssrc\class-bh-wp-autologin-urls.php:158

actionadmin_menusrc\class-bh-wp-autologin-urls.php:162

actionadmin_initsrc\class-bh-wp-autologin-urls.php:163

actionadmin_initsrc\class-bh-wp-autologin-urls.php:164

actionedit_user_profilesrc\class-bh-wp-autologin-urls.php:167

actionshow_user_profilesrc\class-bh-wp-autologin-urls.php:168

filteruser_row_actionssrc\class-bh-wp-autologin-urls.php:171

actionadmin_initsrc\class-bh-wp-autologin-urls.php:172

actionlogin_enqueue_scriptssrc\class-bh-wp-autologin-urls.php:182

actionlogin_enqueue_scriptssrc\class-bh-wp-autologin-urls.php:183

filterplugin_row_metasrc\class-bh-wp-autologin-urls.php:200

filterinstall_plugin_complete_actionssrc\class-bh-wp-autologin-urls.php:210

filterwp_mailsrc\class-bh-wp-autologin-urls.php:222

filterdetermine_current_usersrc\class-bh-wp-autologin-urls.php:235

actionplugins_loadedsrc\class-bh-wp-autologin-urls.php:245

filterwoocommerce_get_checkout_payment_urlsrc\class-bh-wp-autologin-urls.php:256

filtergettext_woocommercesrc\class-bh-wp-autologin-urls.php:258

actionadmin_enqueue_scriptssrc\class-bh-wp-autologin-urls.php:260

actionadmin_enqueue_scriptssrc\class-bh-wp-autologin-urls.php:261

actionwoocommerce_before_customer_login_formsrc\class-bh-wp-autologin-urls.php:271

actionwoocommerce_before_checkout_formsrc\class-bh-wp-autologin-urls.php:272

filterbh-wp-autologin-urls_bh_wp_logger_columnsrc\class-bh-wp-autologin-urls.php:284

actionrest_api_initsrc\class-bh-wp-autologin-urls.php:310

actionwoocommerce_after_register_post_typesrc\woocommerce\class-checkout.php:69

actionwoocommerce_initsrc\wp-includes\class-login.php:127

actionset_auth_cookiesrc\wp-includes\class-login.php:160

actionset_logged_in_cookiesrc\wp-includes\class-login.php:169

actioninitsrc\wp-includes\class-login.php:180

actionwoocommerce_loadedvendor-prefixed\brianhenryie\bh-wc-logger\src\class-wc-psr-logger.php:52

actionwoocommerce_loadedvendor-prefixed\brianhenryie\bh-wc-logger\src\class-wc-psr-logger.php:81

filterwoocommerce_format_log_entryvendor-prefixed\brianhenryie\bh-wp-logger\src\class-logger.php:99

filterdeprecated_function_trigger_errorvendor-prefixed\brianhenryie\bh-wp-logger\src\wp-includes\class-functions.php:125

filterdeprecated_argument_trigger_errorvendor-prefixed\brianhenryie\bh-wp-logger\src\wp-includes\class-functions.php:184

filterdoing_it_wrong_trigger_errorvendor-prefixed\brianhenryie\bh-wp-logger\src\wp-includes\class-functions.php:246

filterdeprecated_hook_trigger_errorvendor-prefixed\brianhenryie\bh-wp-logger\src\wp-includes\class-functions.php:315

actionplugins_loadedvendor-prefixed\brianhenryie\bh-wp-logger\src\wp-includes\class-plugin-logger-actions.php:101

actionplugins_loadedvendor-prefixed\brianhenryie\bh-wp-logger\src\wp-includes\class-plugin-logger-actions.php:104

actiondeprecated_function_runvendor-prefixed\brianhenryie\bh-wp-logger\src\wp-includes\class-plugin-logger-actions.php:121

actiondeprecated_argument_runvendor-prefixed\brianhenryie\bh-wp-logger\src\wp-includes\class-plugin-logger-actions.php:122

actiondoing_it_wrong_runvendor-prefixed\brianhenryie\bh-wp-logger\src\wp-includes\class-plugin-logger-actions.php:123

actiondeprecated_hook_runvendor-prefixed\brianhenryie\bh-wp-logger\src\wp-includes\class-plugin-logger-actions.php:124

actionadmin_initvendor-prefixed\brianhenryie\bh-wp-logger\src\wp-includes\class-plugin-logger-actions.php:134

actionadmin_noticesvendor-prefixed\brianhenryie\bh-wp-logger\src\wp-includes\class-plugin-logger-actions.php:136

actionadmin_menuvendor-prefixed\brianhenryie\bh-wp-logger\src\wp-includes\class-plugin-logger-actions.php:146

actionadmin_enqueue_scriptsvendor-prefixed\brianhenryie\bh-wp-logger\src\wp-includes\class-plugin-logger-actions.php:147

actionadmin_enqueue_scriptsvendor-prefixed\brianhenryie\bh-wp-logger\src\wp-includes\class-plugin-logger-actions.php:148

filterinstall_plugin_complete_actionsvendor-prefixed\brianhenryie\bh-wp-logger\src\wp-includes\class-plugin-logger-actions.php:182

actioninitvendor-prefixed\brianhenryie\bh-wp-logger\src\wp-includes\class-plugin-logger-actions.php:192

actioninitvendor-prefixed\brianhenryie\bh-wp-logger\src\wp-includes\class-plugin-logger-actions.php:215

actionadmin_enqueue_scriptsvendor-prefixed\brianhenryie\bh-wp-private-uploads\src\admin\class-admin-meta-boxes.php:83

filterupload_dirvendor-prefixed\brianhenryie\bh-wp-private-uploads\src\api\class-api.php:157

actioninitvendor-prefixed\brianhenryie\bh-wp-private-uploads\src\class-bh-wp-private-uploads-hooks.php:87

actioninitvendor-prefixed\brianhenryie\bh-wp-private-uploads\src\class-bh-wp-private-uploads-hooks.php:99

actionadmin_initvendor-prefixed\brianhenryie\bh-wp-private-uploads\src\class-bh-wp-private-uploads-hooks.php:112

actionadmin_noticesvendor-prefixed\brianhenryie\bh-wp-private-uploads\src\class-bh-wp-private-uploads-hooks.php:114

actioninitvendor-prefixed\brianhenryie\bh-wp-private-uploads\src\class-bh-wp-private-uploads-hooks.php:126

actioninitvendor-prefixed\brianhenryie\bh-wp-private-uploads\src\class-bh-wp-private-uploads-hooks.php:136

actioninitvendor-prefixed\brianhenryie\bh-wp-private-uploads\src\class-bh-wp-private-uploads-hooks.php:174

actionadmin_initvendor-prefixed\brianhenryie\bh-wp-private-uploads\src\class-bh-wp-private-uploads-hooks.php:185

actionadmin_initvendor-prefixed\brianhenryie\bh-wp-private-uploads\src\class-bh-wp-private-uploads-hooks.php:189

actionadd_meta_boxesvendor-prefixed\brianhenryie\bh-wp-private-uploads\src\class-bh-wp-private-uploads-hooks.php:195

actionadmin_menuvendor-prefixed\brianhenryie\bh-wp-private-uploads\src\class-bh-wp-private-uploads-hooks.php:202

filtersubmenu_filevendor-prefixed\brianhenryie\bh-wp-private-uploads\src\class-bh-wp-private-uploads-hooks.php:203

filteradmin_menuvendor-prefixed\brianhenryie\bh-wp-private-uploads\src\class-bh-wp-private-uploads-hooks.php:204

filterajax_query_attachments_argsvendor-prefixed\brianhenryie\bh-wp-private-uploads\src\wp-includes\class-media.php:57

filterthe_postsvendor-prefixed\brianhenryie\bh-wp-private-uploads\src\wp-includes\class-media.php:59

filterwp_prepare_attachment_for_jsvendor-prefixed\brianhenryie\bh-wp-private-uploads\src\wp-includes\class-media.php:62

filterupload_dirvendor-prefixed\brianhenryie\bh-wp-private-uploads\src\wp-includes\class-media.php:98

filterwp_insert_attachment_datavendor-prefixed\brianhenryie\bh-wp-private-uploads\src\wp-includes\class-media.php:100

actionadd_attachmentvendor-prefixed\brianhenryie\bh-wp-private-uploads\src\wp-includes\class-media.php:102

filterupload_dirvendor-prefixed\brianhenryie\bh-wp-private-uploads\src\wp-includes\class-rest-private-uploads-controller.php:120

filterwp_insert_attachment_datavendor-prefixed\brianhenryie\bh-wp-private-uploads\src\wp-includes\class-rest-private-uploads-controller.php:134

filterwp_insert_post_parentvendor-prefixed\brianhenryie\bh-wp-private-uploads\src\wp-includes\class-rest-private-uploads-controller.php:153

actioncurrent_screenvendor-prefixed\brianhenryie\bh-wp-private-uploads\src\wp-includes\class-upload.php:50

filterqueryvendor-prefixed\brianhenryie\bh-wp-private-uploads\src\wp-includes\class-upload.php:51

actionwpvendor-prefixed\brianhenryie\bh-wp-private-uploads\src\wp-includes\class-upload.php:52

actionpre_get_postsvendor-prefixed\brianhenryie\bh-wp-private-uploads\src\wp-includes\class-upload.php:53

filterthe_postsvendor-prefixed\brianhenryie\bh-wp-private-uploads\src\wp-includes\class-upload.php:54

filterclean_urlvendor-prefixed\brianhenryie\bh-wp-private-uploads\src\wp-includes\class-upload.php:55

actionadmin_initvendor-prefixed\brianhenryie\bh-wp-private-uploads\src\wp-includes\class-upload.php:56

filtermanage_upload_columnsvendor-prefixed\brianhenryie\bh-wp-private-uploads\src\wp-includes\class-upload.php:57

actionadmin_enqueue_scriptsvendor-prefixed\wptrt\admin-notices\src\Dismiss.php:70

actionadmin_noticesvendor-prefixed\wptrt\admin-notices\src\Notices.php:46

Maintenance & Trust

Magic Emails & Autologin URLs Maintenance & Trust

Maintenance Signals

WordPress version tested6.4.8

Last updatedMay 26, 2024

PHP min version7.4

Downloads5K

Community Trust

Rating0/100

Number of ratings0

Active installs80

Alternatives

Magic Emails & Autologin URLs Alternatives

Magic Login Mail or QR Code

magic-login-mail

Enter your email address, and send you an email with a magic link or QR Code to login without a password.

100 1 CVE

Multibyte CAPTCHA login and Mail only register

user-mail-only-register

100

Multibyte CAPTCHA login form and register users with mail only.

30 No CVEs

Magento User Compatibility

magento-user-compatibility

This plugin will automatically rehash the passwords of users you have beforehand imported from a Magento database to your WP database.

10 No CVEs

My Newsletter

my-newsletter

100

Send newsletters to WordPress users and commenters with background queue processing, test email sending, and secure unsubscribe links.

10 No CVEs

Hostinger Reach – AI-Powered Email Marketing for WordPress

hostinger-reach

Launch and grow your email marketing effortlessly with Hostinger Reach. Collect contacts, sync subscribers, and send emails – all in one, AI powered.

1.0M 1 CVE

Developer Profile

Magic Emails & Autologin URLs Developer Profile

Brian Henry

2 plugins · 80 total installs

trust score

Avg Security Score

89/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect Magic Emails & Autologin URLs

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/bh-wp-autologin-urls/assets/bh-wp-autologin-urls-admin.css/wp-content/plugins/bh-wp-autologin-urls/assets/bh-wp-autologin-urls-admin.js/wp-content/plugins/bh-wp-autologin-urls/assets/bh-wp-autologin-urls-login.css/wp-content/plugins/bh-wp-autologin-urls/assets/bh-wp-autologin-urls-login.js

Script Paths

/wp-content/plugins/bh-wp-autologin-urls/assets/bh-wp-autologin-urls-admin.js/wp-content/plugins/bh-wp-autologin-urls/assets/bh-wp-autologin-urls-login.js

Version Parameters

bh-wp-autologin-urls-admin.css?ver=bh-wp-autologin-urls-admin.js?ver=bh-wp-autologin-urls-login.css?ver=bh-wp-autologin-urls-login.js?ver=

HTML / DOM Fingerprints

JS Globals

bh_wp_autologin_urls

FAQ