Bye Bye Passwords Security & Risk Analysis

wordpress.org/plugins/bye-bye-passwords

Enable passwordless authentication for WordPress using WebAuthn/Passkeys. More secure, more convenient.

0 active installs · v1.2.7 · PHP 7.2+ · WP 5.0+ · Updated Feb 26, 2026
Tags: authentication, passkeys, passwordless, security, webauthn
Score: 100 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Bye Bye Passwords Safe to Use in 2026?

Generally Safe

Score 100/100

Bye Bye Passwords has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 1mo ago
Risk Assessment

The 'bye-bye-passwords' plugin v1.2.7 exhibits a generally strong security posture based on the provided static analysis. The complete absence of unauthenticated AJAX handlers, REST API routes without permission callbacks, shortcodes, and cron events is a significant strength, indicating a well-defined and protected attack surface. Furthermore, the plugin demonstrates good coding practices with a very high percentage of properly escaped outputs and a substantial use of prepared statements for SQL queries. The presence of nonce checks on most AJAX handlers and capability checks also contributes positively to its security.

However, there are two concerning taint analysis flows with unsanitized paths identified. While categorized as 'High severity' and not 'Critical', these flows represent potential vulnerabilities where user-supplied input might not be adequately sanitized before being used in a way that could lead to security issues, such as directory traversal or other path manipulation attacks. The plugin's history of zero known vulnerabilities is a strong positive indicator, suggesting a consistent focus on security by the developers.

In conclusion, 'bye-bye-passwords' v1.2.7 is largely secure, with commendable attention to attack surface management and output sanitization. The primary area of concern lies within the two identified taint flows. Addressing these unsanitized paths would further solidify its security and eliminate potential risks.

Key Concerns

  • Taint flow with unsanitized path (High)
  • Taint flow with unsanitized path (High)
Vulnerabilities
None known

Bye Bye Passwords Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

Bye Bye Passwords Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 5 (14 prepared)
  • Unescaped Output: 1 (64 escaped)
  • Nonce Checks: 8
  • Capability Checks: 2
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 0

SQL Query Safety

74% prepared · 19 total queries

Output Escaping

98% escaped · 65 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

2 flows · 2 with unsanitized paths
handle_authenticate_recovery_code (includes\class-byebyepw-ajax.php:409)
Attack Surface

Bye Bye Passwords Attack Surface

Entry Points: 9
Unprotected: 0

AJAX Handlers (9)

  • auth · wp_ajax_byebyepw_get_registration_challenge · includes\class-byebyepw-ajax.php:182
  • auth · wp_ajax_byebyepw_register_passkey · includes\class-byebyepw-ajax.php:183
  • auth · wp_ajax_byebyepw_delete_passkey · includes\class-byebyepw-ajax.php:184
  • auth · wp_ajax_byebyepw_generate_recovery_codes · includes\class-byebyepw-ajax.php:185
  • nopriv · wp_ajax_byebyepw_get_authentication_challenge · includes\class-byebyepw-ajax.php:188
  • nopriv · wp_ajax_byebyepw_authenticate_passkey · includes\class-byebyepw-ajax.php:189
  • nopriv · wp_ajax_byebyepw_authenticate_recovery_code · includes\class-byebyepw-ajax.php:190
  • auth · wp_ajax_byebyepw_get_authentication_challenge · includes\class-byebyepw-ajax.php:193
  • auth · wp_ajax_byebyepw_authenticate_passkey · includes\class-byebyepw-ajax.php:194

WordPress Hooks (13)

  • action · plugins_loaded · includes\class-byebyepw.php:163
  • action · admin_enqueue_scripts · includes\class-byebyepw.php:178
  • action · admin_enqueue_scripts · includes\class-byebyepw.php:179
  • action · admin_menu · includes\class-byebyepw.php:180
  • action · admin_init · includes\class-byebyepw.php:181
  • action · show_user_profile · includes\class-byebyepw.php:182
  • action · edit_user_profile · includes\class-byebyepw.php:183
  • action · admin_notices · includes\class-byebyepw.php:186
  • action · wp_enqueue_scripts · includes\class-byebyepw.php:237
  • action · wp_enqueue_scripts · includes\class-byebyepw.php:238
  • action · login_form · includes\class-byebyepw.php:239
  • action · login_enqueue_scripts · includes\class-byebyepw.php:240
  • filter · login_body_class · includes\class-byebyepw.php:241
Maintenance & Trust

Bye Bye Passwords Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Feb 26, 2026
  • PHP min version: 7.2
  • Downloads: 166

Community Trust

  • Rating: 0/100
  • Number of ratings: 0
  • Active installs: 0
Developer Profile

Bye Bye Passwords Developer Profile

Clayton LZ

1 plugin · 0 total installs

  • Trust score: 94
  • Avg Security Score: 100/100
  • Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Bye Bye Passwords

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/bye-bye-passwords/admin/css/byebyepw-admin.css
  • /wp-content/plugins/bye-bye-passwords/admin/js/byebyepw-admin.js
  • /wp-content/plugins/bye-bye-passwords/public/css/bye-bye-passwords.css
  • /wp-content/plugins/bye-bye-passwords/public/js/bye-bye-passwords.js

Version Parameters

  • bye-bye-passwords/admin/css/byebyepw-admin.css?ver=
  • bye-bye-passwords/admin/js/byebyepw-admin.js?ver=
  • bye-bye-passwords/public/css/bye-bye-passwords.css?ver=
  • bye-bye-passwords/public/js/bye-bye-passwords.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • byebyepw-admin-wrap
  • byebyepw-admin-settings
  • byebyepw-wrap
  • byebyepw-login-wrap
  • byebyepw-passkey-login
  • byebyepw-register-passkey
  • byebyepw-recovery-codes

HTML Comments

  • <!--Bye Bye Passwords Admin Settings-->
  • <!--Bye Bye Passwords Passkey Login Form-->
  • <!--Bye Bye Passwords Register Passkey Form-->
  • <!--Bye Bye Passwords Recovery Codes Section-->

Data Attributes

  • data-byebyepw-action
  • data-byebyepw-user-id
  • data-byebyepw-nonce

JS Globals

  • byebyepw_ajax
  • byebyepw_i18n
FAQ

Frequently Asked Questions about Bye Bye Passwords