[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fKTIjsT2t58piAAit2E1Kyl60AlAahVi7m-8ILer_9Y8":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":25,"download_link":26,"security_score":27,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30,"vulnerabilities":31,"developer":32,"crawl_stats":29,"alternatives":40,"analysis":127,"fingerprints":194},"biometric-authentication","Biometric Authentication","0.3.8","Ivan Kristianto","https:\u002F\u002Fprofiles.wordpress.org\u002Fivankristianto\u002F","\u003Cp>This innovative plugin introduces passkey login to your WordPress experience. No more struggling to remember complex passwords.\u003Cbr \u002F>\nSimply use your fingerprint, face ID, or a secure PIN to log in with ease. You can still use your username and password to login to your site as fallback.\u003C\u002Fp>\n\u003Ch3>Enhanced Security, Frictionless Access:\u003C\u002Fh3>\n\u003Col>\n\u003Cli>Effortless Login: Unlock the power of passkeys for a smooth and secure login experience.\u003C\u002Fli>\n\u003Cli>Superior Security: Passkeys offer enhanced protection against breaches compared to traditional passwords.\u003C\u002Fli>\n\u003Cli>Convenience at Your Fingertips: Enjoy the freedom of logging in with your biometrics or a secure PIN.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch3>GitHub Repository\u003C\u002Fh3>\n\u003Cp>You can find the source code of this plugin on \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fivankristianto\u002Fwp-passkey\u002F\" rel=\"nofollow ugc\">GitHub\u003C\u002Fa>\u003C\u002Fp>\n","Passkeys are a safer and easier alternative to passwords. 
Simply use your fingerprint or face ID to log in with ease.",100,2889,94,3,"2024-05-01T04:23:00.000Z","6.5.8","6.1","8.1",[20,21,22,23,24],"authentication","biometric","passkey","passwordless","security","https:\u002F\u002Fgithub.com\u002Fivankristianto\u002Fwp-passkey\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbiometric-authentication.0.3.8.zip",92,0,null,"2026-03-15T15:16:48.613Z",[],{"slug":33,"display_name":7,"profile_url":8,"plugin_count":34,"total_installs":35,"avg_security_score":36,"avg_patch_time_days":37,"trust_score":38,"computed_at":39},"ivankristianto",4,2510,87,30,85,"2026-04-04T00:54:47.814Z",[41,59,79,96,109],{"slug":42,"name":43,"version":44,"author":45,"author_profile":46,"description":47,"short_description":48,"active_installs":28,"downloaded":49,"rating":28,"num_ratings":28,"last_updated":50,"tested_up_to":51,"requires_at_least":52,"requires_php":53,"tags":54,"homepage":57,"download_link":58,"security_score":11,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30},"bye-bye-passwords","Bye Bye Passwords","1.2.7","Clayton LZ","https:\u002F\u002Fprofiles.wordpress.org\u002Fclaytonlz\u002F","\u003Cp>\u003Cstrong>Bye Bye Passwords\u003C\u002Fstrong> brings modern passwordless authentication to WordPress using WebAuthn\u002FPasskeys technology. 
Say goodbye to weak passwords and hello to secure, convenient login with biometrics, security keys, or platform authenticators.\u003C\u002Fp>\n\u003Ch4>Key Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Passwordless Login\u003C\u002Fstrong> – Sign in using Touch ID, Face ID, Windows Hello, or security keys\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Multiple Passkeys\u003C\u002Fstrong> – Register multiple devices for convenient access anywhere\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Recovery Codes\u003C\u002Fstrong> – Generate one-time backup codes for emergency access\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Enhanced Security\u003C\u002Fstrong> – Eliminate password-based attacks completely\u003C\u002Fli>\n\u003Cli>\u003Cstrong>User-Friendly\u003C\u002Fstrong> – Simple setup with no technical knowledge required\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Privacy-Focused\u003C\u002Fstrong> – Your authentication data stays on your server\u003C\u002Fli>\n\u003Cli>\u003Cstrong>WordPress Integration\u003C\u002Fstrong> – Seamlessly integrated into WordPress admin and login\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>How It Works\u003C\u002Fh4>\n\u003Col>\n\u003Cli>Register a passkey from your WordPress admin profile\u003C\u002Fli>\n\u003Cli>Use your device’s built-in authentication (fingerprint, face, PIN)\u003C\u002Fli>\n\u003Cli>Sign in instantly without typing passwords\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch4>Requirements\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>SSL\u002FHTTPS enabled website (required for WebAuthn)\u003C\u002Fli>\n\u003Cli>Modern browser with WebAuthn support\u003C\u002Fli>\n\u003Cli>PHP 7.2 or higher\u003C\u002Fli>\n\u003Cli>WordPress 5.0 or higher\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>External Services\u003C\u002Fh3>\n\u003Cp>This plugin may connect to the FIDO Alliance Metadata Service (MDS) to download root certificates for authenticator validation.\u003C\u002Fp>\n\u003Ch4>FIDO Alliance Metadata 
Service\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>URL:\u003C\u002Fstrong> https:\u002F\u002Fmds.fidoalliance.org\u002F\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Purpose:\u003C\u002Fstrong> Downloads attestation root certificates to verify the authenticity of security keys and passkey devices\u003C\u002Fli>\n\u003Cli>\u003Cstrong>When:\u003C\u002Fstrong> Only when attestation verification is enabled and the plugin needs to update its certificate store (not during normal authentication)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Data sent:\u003C\u002Fstrong> No personal or user data is transmitted – only a standard HTTP GET request\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Service provider:\u003C\u002Fstrong> FIDO Alliance\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Terms of Use:\u003C\u002Fstrong> https:\u002F\u002Ffidoalliance.org\u002Fmetadata\u002F\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Privacy Policy:\u003C\u002Fstrong> https:\u002F\u002Ffidoalliance.org\u002Fprivacy-policy\u002F\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>No user data, credentials, or personal information is ever sent to external services. All authentication happens locally on your server.\u003C\u002Fp>\n","Enable passwordless authentication for WordPress using WebAuthn\u002FPasskeys. 
More secure, more convenient.",166,"2026-02-26T18:34:00.000Z","6.9.4","5.0","7.2",[20,55,23,24,56],"passkeys","webauthn","https:\u002F\u002Fgithub.com\u002Fclayton\u002Fbyebyepw","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbye-bye-passwords.1.2.7.zip",{"slug":60,"name":61,"version":62,"author":63,"author_profile":64,"description":65,"short_description":66,"active_installs":67,"downloaded":68,"rating":11,"num_ratings":69,"last_updated":70,"tested_up_to":71,"requires_at_least":72,"requires_php":73,"tags":74,"homepage":77,"download_link":78,"security_score":38,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30},"magiclabs","Login by Magic","1.0.4","Magic","https:\u002F\u002Fprofiles.wordpress.org\u002Fmagiclabs\u002F","\u003Cp>This plugin replaces the standard WordPress login form with one powered by \u003Ca href=\"https:\u002F\u002Fmagic.link\" rel=\"nofollow ugc\">Magic\u003C\u002Fa> that enables passwordless email magic link login.\u003C\u002Fp>\n\u003Cp>Magic offers passwordless authentication and cryptographically secured user identity to your applications. 
With just a few lines of code, your application’s security is instantaneously upgraded, and your end users can enjoy a future-proof and blockchain-enabled login solution.\u003C\u002Fp>\n\u003Cp>Visit \u003Ca href=\"https:\u002F\u002Fmagic.link\" rel=\"nofollow ugc\">https:\u002F\u002Fmagic.link\u003C\u002Fa> to learn more.\u003C\u002Fp>\n","Login by Magic plugin replaces the standard WordPress login form with one powered by Magic that enables passwordless email magic link login.",20,2392,1,"2022-08-29T22:06:00.000Z","5.8.13","5.5.1","7.3",[20,75,76,23,24],"login","magiclink","https:\u002F\u002Fgithub.com\u002Fmagiclabs\u002Fwp-magic","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmagiclabs.zip",{"slug":80,"name":81,"version":82,"author":83,"author_profile":84,"description":85,"short_description":86,"active_installs":28,"downloaded":87,"rating":28,"num_ratings":28,"last_updated":88,"tested_up_to":89,"requires_at_least":90,"requires_php":91,"tags":92,"homepage":94,"download_link":95,"security_score":11,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30},"dolutech-passwordless-login","Dolutech Passwordless Login","1.1.0","Lucas Catão Moraes","https:\u002F\u002Fprofiles.wordpress.org\u002Fdolutech\u002F","\u003Cp>This plugin replaces the default WordPress login form with a more secure passwordless authentication system.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Main features:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Passwordless login via a secure link sent by e-mail\u003Cbr \u002F>\n* Two-factor authentication (2FA) via TOTP (Google Authenticator, Authy, etc.)\u003Cbr \u002F>\n* Backup codes for access recovery\u003Cbr \u002F>\n* IP verification for additional security\u003Cbr \u002F>\n* Rate limiting to prevent brute-force attacks\u003Cbr \u002F>\n* Complete settings panel in wp-admin\u003Cbr \u002F>\n* Option to make 2FA mandatory for specific profiles\u003C\u002Fp>\n\u003Cp>The login 
link expires immediately after the first use or after the configured time (default 15 minutes). Authentication is only allowed from the same IP that requested the login.\u003C\u002Fp>\n","Enables secure passwordless login with passwordless technology and two-factor authentication (2FA) via TOTP.",390,"2025-09-02T19:34:00.000Z","6.8.5","6.5","8.2",[93,20,75,23,24],"2fa","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fdolutech-passwordless-login\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdolutech-passwordless-login.1.1.0.zip",{"slug":97,"name":98,"version":99,"author":100,"author_profile":101,"description":102,"short_description":103,"active_installs":28,"downloaded":11,"rating":28,"num_ratings":28,"last_updated":104,"tested_up_to":51,"requires_at_least":52,"requires_php":105,"tags":106,"homepage":105,"download_link":108,"security_score":11,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30},"elevation-magic-link","Elevation Magic Link Login","1.2.2","Elevation Team","https:\u002F\u002Fprofiles.wordpress.org\u002Felevation1support\u002F","\u003Cp>Elevation Magic Link Login allows your users to sign in without remembering a password. 
By simply entering their username or email address, they receive a secure, time-sensitive link via email that logs them in instantly.\u003C\u002Fp>\n\u003Cp>This plugin is built with security as a priority, utilizing WordPress best practices such as nonces, input sanitization, output escaping, hashed tokens, and HMAC signatures to ensure your site and users remain protected.\u003C\u002Fp>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cp>Adds a “Send Me a Magic Link” button to the default WP login form.\u003C\u002Fp>\n\u003Cp>New: Toggle-based UI that hides the password field when requesting a link for a cleaner experience.\u003C\u002Fp>\n\u003Cp>Secure, high-entropy token generation.\u003C\u002Fp>\n\u003Cp>Tokens are hashed before storage for maximum security.\u003C\u002Fp>\n\u003Cp>Cross-device support: Uses stateless HMAC signatures to validate links even if opened on a different device than requested.\u003C\u002Fp>\n\u003Cp>One-time use links that expire after 15 minutes (filterable).\u003C\u002Fp>\n\u003Cp>No-password fallback for users who forget their credentials.\u003C\u002Fp>\n\u003Cp>Lightweight and developer-friendly.\u003C\u002Fp>\n\u003Cp>Filterable redirect URL after successful login.\u003C\u002Fp>\n","Add a secure, passwordless login option to the default WordPress login form.","2026-01-23T18:34:00.000Z","",[20,75,107,23,24],"magic-link","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Felevation-magic-link.1.2.2.zip",{"slug":110,"name":111,"version":112,"author":113,"author_profile":114,"description":115,"short_description":116,"active_installs":28,"downloaded":117,"rating":28,"num_ratings":28,"last_updated":118,"tested_up_to":119,"requires_at_least":120,"requires_php":121,"tags":122,"homepage":125,"download_link":126,"security_score":38,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30},"eliot-pro","ElIoT Pro Passwordless 
Login","1.0","piotrwolski1","https:\u002F\u002Fprofiles.wordpress.org\u002Fpiotrwolski1\u002F","\u003Cp>OVERVIEW\u003C\u002Fp>\n\u003Cp>\u003Cem>ElIoT Pro\u003C\u002Fem> solves one of the biggest problems of any online-based human activity responsible for 80% of data breaches – \u003Cem>the risk of stolen credentials\u003C\u002Fem>.\u003Cbr \u002F>\nWe offer a one-touch, 2-factor authentication system for user identification and transaction confirmation. ElIoT Pro’s multi-layer, smartphone-based authentication platform offers password-free login that enables businesses and online users to conduct streamlined yet highly secure web-based transactions.\u003C\u002Fp>\n\u003Cp>ElIoT Pro’s unique approach results in a frictionless user experience, streamlined customer acquisition, higher levels of security, the end of passwords.\u003C\u002Fp>\n\u003Cp>HOW DOES IT WORK?\u003C\u002Fp>\n\u003Ch3>User perspective\u003C\u002Fh3>\n\u003Col>\n\u003Cli>Download our \u003Ca href=\"https:\u002F\u002Fplay.google.com\u002Fstore\u002Fapps\u002Fdetails?id=com.cyberuslabs.eliotpro\" rel=\"nofollow ugc\">Android\u003C\u002Fa> or \u003Ca href=\"https:\u002F\u002Fapps.apple.com\u002Fpl\u002Fapp\u002Feliot-pro\u002Fid1458095747\" rel=\"nofollow ugc\">iOS\u003C\u002Fa> application and register.\u003C\u002Fli>\n\u003Cli>Remember to use the same email address as you do on your wordpress website.\u003C\u002Fli>\n\u003Cli>On your wordpress site login page (\u002Fwp-login.php), instead of the traditional login\u002Fpassword, click the “Login with ElIoT Pro” widget.\u003C\u002Fli>\n\u003Cli>The One-Time token is transmitted to mobile app via sound, no need to type anything!\u003C\u002Fli>\n\u003Cli>You are authenticated on the website and logged in.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch3>SYSTEM OWNER PERSPECTIVE – INTEGRATION STEPS\u003C\u002Fh3>\n\u003Col>\n\u003Cli>Download our \u003Ca href=\"https:\u002F\u002Fplay.google.com\u002Fstore\u002Fapps\u002Fdetails?id=com.cyberuslabs.eliotpro\" 
rel=\"nofollow ugc\">Android\u003C\u002Fa> or \u003Ca href=\"https:\u002F\u002Fapps.apple.com\u002Fpl\u002Fapp\u002Feliot-pro\u002Fid1458095747\" rel=\"nofollow ugc\">iOS\u003C\u002Fa> mobile application and register.\u003C\u002Fli>\n\u003Cli>Follow steps presented on our integration form [here][https:\u002F\u002Floginwithoutpasswords.com\u002Fintegration\u002F]\u003C\u002Fli>\n\u003Cli>On the Integration tab on our website create a redirection: YOUR_SITE_URL +’\u002Fwp-json\u002Fapi\u002Flogin’ e.g. https:\u002F\u002Fexample.com\u002Fwp-json\u002Fapi\u002Flogin\u003C\u002Fli>\n\u003Cli>Copy Client Id and Client Secret for later usage\u003C\u002Fli>\n\u003Cli>Once you download and activate this plugin, go to settings and paste Client Id and Secret into appropriate fields. \u003C\u002Fli>\n\u003Cli>Done. You can change to Users perspective to see how it works. \u003C\u002Fli>\n\u003Cli>For additional information about the logins performed on your website visit cyberuskey.com\u003C\u002Fli>\n\u003C\u002Fol>\n","ElIoT Pro eliminates passwords using one-time tokens delivered via 
ultrasounds.",2151,"2023-03-30T17:40:00.000Z","6.1.10","5.4.1","7.0",[93,20,123,23,124],"cybersecurity","sonic-authentication","https:\u002F\u002Floginwithoutpasswords.com\u002Fcyberus\u002F2-wordpress\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Feliot-pro.1.0.zip",{"attackSurface":128,"codeSignals":175,"taintFlows":183,"riskAssessment":184,"analyzedAt":193},{"hooks":129,"ajaxHandlers":146,"restRoutes":147,"shortcodes":171,"cronEvents":172,"entryPointCount":173,"unprotectedCount":174},[130,136,140,144],{"type":131,"name":132,"callback":133,"file":134,"line":135},"action","login_enqueue_scripts","anonymous","inc\\login.php",19,{"type":131,"name":137,"callback":133,"file":138,"line":139},"rest_api_init","inc\\rest-api.php",25,{"type":131,"name":141,"callback":133,"file":142,"line":143},"admin_enqueue_scripts","inc\\user-profile.php",24,{"type":131,"name":145,"callback":133,"file":142,"line":139},"show_user_profile",[],[148,155,159,164,168],{"namespace":149,"route":150,"methods":151,"callback":133,"permissionCallback":153,"file":138,"line":154},"wp-passkey\u002Fv1","\u002Fregister-request",[152],"GET","closure",35,{"namespace":149,"route":156,"methods":157,"callback":133,"permissionCallback":153,"file":138,"line":158},"\u002Fregister-response",[152],49,{"namespace":149,"route":160,"methods":161,"callback":133,"permissionCallback":162,"file":138,"line":163},"\u002Fsignin-request",[152],"__return_true",63,{"namespace":149,"route":165,"methods":166,"callback":133,"permissionCallback":162,"file":138,"line":167},"\u002Fsignin-response",[152],74,{"namespace":149,"route":169,"methods":170,"callback":133,"permissionCallback":153,"file":138,"line":38},"\u002Frevoke",[152],[],[],5,2,{"dangerousFunctions":176,"sqlUsage":177,"outputEscaping":179,"fileOperations":28,"externalRequests":28,"nonceChecks":28,"capabilityChecks":14,"bundledLibraries":182},[],{"prepared":34,"raw":28,"locations":178},[],{"escaped":180,"rawEcho":28,"locations":181},9,[],[],[],{"summary
":185,"deductions":186},"The \"biometric-authentication\" plugin version 0.3.8 demonstrates a generally good security posture, adhering to several best practices.  All identified SQL queries are properly prepared, and output escaping is consistently applied, reducing the risk of common web vulnerabilities. The absence of file operations and external HTTP requests further limits the potential attack surface.  The plugin also has a clean vulnerability history, with no recorded CVEs, which is a positive indicator of its security development over time.\n\nHowever, there are notable concerns. The presence of 5 REST API routes, with 2 lacking proper permission callbacks, represents a significant attack surface that is not adequately protected. This means that unauthenticated or less privileged users might be able to access or manipulate these endpoints. The lack of nonce checks is also a weakness, particularly in conjunction with the unprotected REST API routes, as it could allow for cross-site request forgery (CSRF) attacks. While taint analysis showed no issues, this is likely due to the limited scope of analysis (0 flows), and the unprotected entry points still pose a risk.\n\nIn conclusion, while the plugin excels in areas like SQL and output handling, the unprotected REST API endpoints and absence of nonce checks introduce critical vulnerabilities. 
These weaknesses, despite the otherwise strong foundation, warrant careful attention to mitigate potential security risks.",[187,190],{"reason":188,"points":189},"REST API routes without permission callbacks",10,{"reason":191,"points":192},"0 Nonce checks on entry points",7,"2026-03-16T20:57:52.417Z",{"wat":195,"direct":204},{"assetPaths":196,"generatorPatterns":199,"scriptPaths":200,"versionParams":201},[197,198],"\u002Fwp-content\u002Fplugins\u002Fbiometric-authentication\u002Fcss\u002Ffrontend.css","\u002Fwp-content\u002Fplugins\u002Fbiometric-authentication\u002Fjs\u002Ffrontend.js",[],[198],[202,203],"biometric-authentication\u002Fcss\u002Ffrontend.css?ver=","biometric-authentication\u002Fjs\u002Ffrontend.js?ver=",{"cssClasses":205,"htmlComments":206,"htmlAttributes":207,"restEndpoints":208,"jsGlobals":214,"shortcodeOutput":215},[],[],[],[209,210,211,212,213],"\u002Fwp-json\u002Fwp-passkey\u002Fv1\u002Fregister-request","\u002Fwp-json\u002Fwp-passkey\u002Fv1\u002Fregister-response","\u002Fwp-json\u002Fwp-passkey\u002Fv1\u002Fsignin-request","\u002Fwp-json\u002Fwp-passkey\u002Fv1\u002Fsignin-response","\u002Fwp-json\u002Fwp-passkey\u002Fv1\u002Frevoke",[],[]]