[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fWfKXzmL5nFxp0NwxZHi5eg0XwnhdOJyy4SdvzRGKiqs":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":11,"num_ratings":11,"last_updated":13,"tested_up_to":14,"requires_at_least":15,"requires_php":16,"tags":17,"homepage":23,"download_link":24,"security_score":25,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":27,"vulnerabilities":28,"developer":29,"crawl_stats":26,"alternatives":35,"analysis":127,"fingerprints":299},"bye-bye-passwords","Bye Bye Passwords","1.2.7","Clayton LZ","https:\u002F\u002Fprofiles.wordpress.org\u002Fclaytonlz\u002F","\u003Cp>\u003Cstrong>Bye Bye Passwords\u003C\u002Fstrong> brings modern passwordless authentication to WordPress using WebAuthn\u002FPasskeys technology. Say goodbye to weak passwords and hello to secure, convenient login with biometrics, security keys, or platform authenticators.\u003C\u002Fp>\n\u003Ch4>Key Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Passwordless Login\u003C\u002Fstrong> – Sign in using Touch ID, Face ID, Windows Hello, or security keys\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Multiple Passkeys\u003C\u002Fstrong> – Register multiple devices for convenient access anywhere\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Recovery Codes\u003C\u002Fstrong> – Generate one-time backup codes for emergency access\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Enhanced Security\u003C\u002Fstrong> – Eliminate password-based attacks completely\u003C\u002Fli>\n\u003Cli>\u003Cstrong>User-Friendly\u003C\u002Fstrong> – Simple setup with no technical knowledge required\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Privacy-Focused\u003C\u002Fstrong> – Your authentication data stays on your server\u003C\u002Fli>\n\u003Cli>\u003Cstrong>WordPress Integration\u003C\u002Fstrong> – Seamlessly integrated into WordPress admin and login\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>How It 
Works\u003C\u002Fh4>\n\u003Col>\n\u003Cli>Register a passkey from your WordPress admin profile\u003C\u002Fli>\n\u003Cli>Use your device’s built-in authentication (fingerprint, face, PIN)\u003C\u002Fli>\n\u003Cli>Sign in instantly without typing passwords\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch4>Requirements\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>SSL\u002FHTTPS enabled website (required for WebAuthn)\u003C\u002Fli>\n\u003Cli>Modern browser with WebAuthn support\u003C\u002Fli>\n\u003Cli>PHP 7.2 or higher\u003C\u002Fli>\n\u003Cli>WordPress 5.0 or higher\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>External Services\u003C\u002Fh3>\n\u003Cp>This plugin may connect to the FIDO Alliance Metadata Service (MDS) to download root certificates for authenticator validation.\u003C\u002Fp>\n\u003Ch4>FIDO Alliance Metadata Service\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>URL:\u003C\u002Fstrong> https:\u002F\u002Fmds.fidoalliance.org\u002F\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Purpose:\u003C\u002Fstrong> Downloads attestation root certificates to verify the authenticity of security keys and passkey devices\u003C\u002Fli>\n\u003Cli>\u003Cstrong>When:\u003C\u002Fstrong> Only when attestation verification is enabled and the plugin needs to update its certificate store (not during normal authentication)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Data sent:\u003C\u002Fstrong> No personal or user data is transmitted – only a standard HTTP GET request\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Service provider:\u003C\u002Fstrong> FIDO Alliance\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Terms of Use:\u003C\u002Fstrong> https:\u002F\u002Ffidoalliance.org\u002Fmetadata\u002F\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Privacy Policy:\u003C\u002Fstrong> https:\u002F\u002Ffidoalliance.org\u002Fprivacy-policy\u002F\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>No user data, credentials, or personal information is ever sent to external services. 
All authentication happens locally on your server.\u003C\u002Fp>\n","Enable passwordless authentication for WordPress using WebAuthn\u002FPasskeys. More secure, more convenient.",0,166,"2026-02-26T18:34:00.000Z","6.9.4","5.0","7.2",[18,19,20,21,22],"authentication","passkeys","passwordless","security","webauthn","https:\u002F\u002Fgithub.com\u002Fclayton\u002Fbyebyepw","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbye-bye-passwords.1.2.7.zip",100,null,"2026-03-15T15:16:48.613Z",[],{"slug":30,"display_name":7,"profile_url":8,"plugin_count":31,"total_installs":11,"avg_security_score":25,"avg_patch_time_days":32,"trust_score":33,"computed_at":34},"claytonlz",1,30,94,"2026-04-04T02:29:06.294Z",[36,58,78,97,114],{"slug":37,"name":38,"version":39,"author":40,"author_profile":41,"description":42,"short_description":43,"active_installs":44,"downloaded":45,"rating":46,"num_ratings":47,"last_updated":48,"tested_up_to":14,"requires_at_least":49,"requires_php":50,"tags":51,"homepage":54,"download_link":55,"security_score":56,"vuln_count":31,"unpatched_count":11,"last_vuln_date":57,"fetched_at":27},"secure-passkeys","Secure Passkeys","1.2.4","Mohamed Endisha","https:\u002F\u002Fprofiles.wordpress.org\u002Fendisha\u002F","\u003Cp>Secure Passkeys is a powerful WordPress plugin that enables seamless passwordless authentication using WebAuthn technology. By eliminating the need for traditional passwords, it enhances security and improves the user login experience. With support for biometric authentication, security keys, and device-bound credentials, Secure Passkey provides a robust and user-friendly solution for modern authentication.\u003C\u002Fp>\n\u003Cp>Unlike traditional password-based authentication, Secure Passkey leverages cryptographic key pairs to ensure secure logins. The private key remains securely stored on the user’s device, while the public key is registered with the WordPress site. 
This method protects against phishing attacks and password breaches, ensuring that only authorized users can gain access.\u003C\u002Fp>\n\u003Cp>Secure Passkeys integrates effortlessly into WordPress, allowing users to register and manage their passkeys from their profile settings. Once registered, users can log in using their fingerprint, face recognition, or a hardware security key without the need to remember or enter a password.\u003C\u002Fp>\n\u003Ch3>Features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Passwordless Login:\u003C\u002Fstrong> Secure authentication via WebAuthn with biometric devices, security keys, Touch ID, Face ID, and more.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Enhanced User Experience:\u003C\u002Fstrong>  Password-free login for a smoother user journey.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Integration Support:\u003C\u002Fstrong>\n\u003Cul>\n\u003Cli>WordPress default login form\u003C\u002Fli>\n\u003Cli>WooCommerce login page\u003C\u002Fli>\n\u003Cli>MemberPress login form\u003C\u002Fli>\n\u003Cli>Easy Digital Downloads login form\u003C\u002Fli>\n\u003Cli>Ultimate Member login form\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Admin Management:\u003C\u002Fstrong>  Administrators can delete, activate, or deactivate users directly from plugin settings or user profiles.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Passkeys Reminder Notice:\u003C\u002Fstrong>  New option to enable or disable the passkeys reminder notice in the WordPress admin area for users who have not yet enabled passkeys.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Activity Logging:\u003C\u002Fstrong>  Monitor activity logs and track last login\u002Fregistration of passkeys.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Multiple Passkeys:\u003C\u002Fstrong> Supports multiple passkey registrations per user, with the option to set a registration limit or allow unlimited registrations.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Role Restrictions:\u003C\u002Fstrong> 
Restrict and exclude specific user roles from using passkey authentication.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Customizable Settings:\u003C\u002Fstrong>  Adjust timeout settings for passkey registration and login.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>User Verification:\u003C\u002Fstrong> Enforce user verification for enhanced security.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Frontend Customization:\u003C\u002Fstrong> Easily customize frontend themes or add your own with basic frontend skills.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Theme Support:\u003C\u002Fstrong> Supports pre-built themes like YOOtheme (UIkit) for frontend shortcodes.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Shortcodes:\u003C\u002Fstrong> Embed passkey login and registration forms on custom frontend pages.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Passkey Display:\u003C\u002Fstrong> Show passkey details in admin user lists and profiles.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Multisite:\u003C\u002Fstrong> Supports WordPress Multisite and single-site installations.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Database Optimization:\u003C\u002Fstrong>  Option to allow or disallow automatic deletion of old challenge records and activity logs (configurable schedule).\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Requirements\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>WordPress 6.0 or newer.\u003C\u002Fli>\n\u003Cli>PHP version 7.4 or newer.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>License\u003C\u002Fh3>\n\u003Cp>Secure Passkeys is licensed under the GNU General Public License v2 or later.\u003C\u002Fp>\n","Secure Passkeys is a powerful WordPress plugin that enables passwordless authentication using WebAuthn technology.",1000,5136,96,18,"2026-01-30T19:50:00.000Z","6.0","7.4",[52,19,20,53,22],"login","secure","https:\u002F\u002Fendisha.ly\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsecure-passkeys.1.2.4.zip",99,"2025-09-19 
00:00:00",{"slug":59,"name":60,"version":61,"author":62,"author_profile":63,"description":64,"short_description":65,"active_installs":25,"downloaded":66,"rating":33,"num_ratings":67,"last_updated":68,"tested_up_to":69,"requires_at_least":70,"requires_php":71,"tags":72,"homepage":75,"download_link":76,"security_score":77,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":27},"biometric-authentication","Biometric Authentication","0.3.8","Ivan Kristianto","https:\u002F\u002Fprofiles.wordpress.org\u002Fivankristianto\u002F","\u003Cp>This innovative plugin introduces passkey login to your WordPress experience. No more struggling to remember complex passwords.\u003Cbr \u002F>\nSimply use your fingerprint, face ID, or a secure PIN to log in with ease. You can still use your username and password to login to your site as fallback.\u003C\u002Fp>\n\u003Ch3>Enhanced Security, Frictionless Access:\u003C\u002Fh3>\n\u003Col>\n\u003Cli>Effortless Login: Unlock the power of passkeys for a smooth and secure login experience.\u003C\u002Fli>\n\u003Cli>Superior Security: Passkeys offer enhanced protection against breaches compared to traditional passwords.\u003C\u002Fli>\n\u003Cli>Convenience at Your Fingertips: Enjoy the freedom of logging in with your biometrics or a secure PIN.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch3>GitHub Repository\u003C\u002Fh3>\n\u003Cp>You can find the source code of this plugin on \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fivankristianto\u002Fwp-passkey\u002F\" rel=\"nofollow ugc\">GitHub\u003C\u002Fa>\u003C\u002Fp>\n","Passkeys are a safer and easier alternative to passwords. 
Simply use your fingerprint or face ID to log in with ease.",2889,3,"2024-05-01T04:23:00.000Z","6.5.8","6.1","8.1",[18,73,74,20,21],"biometric","passkey","https:\u002F\u002Fgithub.com\u002Fivankristianto\u002Fwp-passkey\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbiometric-authentication.0.3.8.zip",92,{"slug":79,"name":80,"version":81,"author":82,"author_profile":83,"description":84,"short_description":85,"active_installs":86,"downloaded":87,"rating":25,"num_ratings":31,"last_updated":88,"tested_up_to":89,"requires_at_least":90,"requires_php":91,"tags":92,"homepage":94,"download_link":95,"security_score":96,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":27},"magiclabs","Login by Magic","1.0.4","Magic","https:\u002F\u002Fprofiles.wordpress.org\u002Fmagiclabs\u002F","\u003Cp>This plugin replaces the standard WordPress login form with one powered by \u003Ca href=\"https:\u002F\u002Fmagic.link\" rel=\"nofollow ugc\">Magic\u003C\u002Fa> that enables passwordless email magic link login.\u003C\u002Fp>\n\u003Cp>Magic offers passwordless authentication and cryptographically secured user identity to your applications. 
With just a few lines of code, your application’s security is instantaneously upgraded, and your end users can enjoy a future-proof and blockchain-enabled login solution.\u003C\u002Fp>\n\u003Cp>Visit \u003Ca href=\"https:\u002F\u002Fmagic.link\" rel=\"nofollow ugc\">https:\u002F\u002Fmagic.link\u003C\u002Fa> to learn more.\u003C\u002Fp>\n","Login by Magic plugin replaces the standard WordPress login form with one powered by Magic that enables passwordless email magic link login.",20,2392,"2022-08-29T22:06:00.000Z","5.8.13","5.5.1","7.3",[18,52,93,20,21],"magiclink","https:\u002F\u002Fgithub.com\u002Fmagiclabs\u002Fwp-magic","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmagiclabs.zip",85,{"slug":98,"name":99,"version":100,"author":101,"author_profile":102,"description":103,"short_description":104,"active_installs":11,"downloaded":105,"rating":11,"num_ratings":11,"last_updated":106,"tested_up_to":107,"requires_at_least":108,"requires_php":109,"tags":110,"homepage":112,"download_link":113,"security_score":25,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":27},"dolutech-passwordless-login","Dolutech Passwordless Login","1.1.0","Lucas Catão Moraes","https:\u002F\u002Fprofiles.wordpress.org\u002Fdolutech\u002F","\u003Cp>This plugin replaces the default WordPress login form with a more secure passwordless authentication system.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Main features:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Passwordless login via a secure link sent by e-mail\u003Cbr \u002F>\n* Two-factor authentication (2FA) via TOTP (Google Authenticator, Authy, etc.)\u003Cbr \u002F>\n* Backup codes for access recovery\u003Cbr \u002F>\n* IP verification for additional security\u003Cbr \u002F>\n* Rate limiting to prevent brute-force attacks\u003Cbr \u002F>\n* Full settings panel in wp-admin\u003Cbr \u002F>\n* Option to make 2FA mandatory for specific profiles\u003C\u002Fp>\n\u003Cp>The login link
expires immediately after the first use or after the configured time (default 15 minutes). Authentication is only allowed from the same IP that requested the login.\u003C\u002Fp>\n","Enables secure passwordless login with passwordless technology and two-factor authentication (2FA) via TOTP.",390,"2025-09-02T19:34:00.000Z","6.8.5","6.5","8.2",[111,18,52,20,21],"2fa","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fdolutech-passwordless-login\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdolutech-passwordless-login.1.1.0.zip",{"slug":115,"name":116,"version":117,"author":118,"author_profile":119,"description":120,"short_description":121,"active_installs":11,"downloaded":25,"rating":11,"num_ratings":11,"last_updated":122,"tested_up_to":14,"requires_at_least":15,"requires_php":123,"tags":124,"homepage":123,"download_link":126,"security_score":25,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":27},"elevation-magic-link","Elevation Magic Link Login","1.2.2","Elevation Team","https:\u002F\u002Fprofiles.wordpress.org\u002Felevation1support\u002F","\u003Cp>Elevation Magic Link Login allows your users to sign in without remembering a password. 
By simply entering their username or email address, they receive a secure, time-sensitive link via email that logs them in instantly.\u003C\u002Fp>\n\u003Cp>This plugin is built with security as a priority, utilizing WordPress best practices such as nonces, input sanitization, output escaping, hashed tokens, and HMAC signatures to ensure your site and users remain protected.\u003C\u002Fp>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cp>Adds a “Send Me a Magic Link” button to the default WP login form.\u003C\u002Fp>\n\u003Cp>New: Toggle-based UI that hides the password field when requesting a link for a cleaner experience.\u003C\u002Fp>\n\u003Cp>Secure, high-entropy token generation.\u003C\u002Fp>\n\u003Cp>Tokens are hashed before storage for maximum security.\u003C\u002Fp>\n\u003Cp>Cross-device support: Uses stateless HMAC signatures to validate links even if opened on a different device than requested.\u003C\u002Fp>\n\u003Cp>One-time use links that expire after 15 minutes (filterable).\u003C\u002Fp>\n\u003Cp>No-password fallback for users who forget their credentials.\u003C\u002Fp>\n\u003Cp>Lightweight and developer-friendly.\u003C\u002Fp>\n\u003Cp>Filterable redirect URL after successful login.\u003C\u002Fp>\n","Add a secure, passwordless login option to the default WordPress login 
form.","2026-01-23T18:34:00.000Z","",[18,52,125,20,21],"magic-link","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Felevation-magic-link.1.2.2.zip",{"attackSurface":128,"codeSignals":209,"taintFlows":238,"riskAssessment":291,"analyzedAt":298},{"hooks":129,"ajaxHandlers":171,"restRoutes":205,"shortcodes":206,"cronEvents":207,"entryPointCount":208,"unprotectedCount":11},[130,136,139,141,144,147,150,153,156,159,161,164,167],{"type":131,"name":132,"callback":133,"file":134,"line":135},"action","plugins_loaded","anonymous","includes\\class-byebyepw.php",163,{"type":131,"name":137,"callback":133,"file":134,"line":138},"admin_enqueue_scripts",178,{"type":131,"name":137,"callback":133,"file":134,"line":140},179,{"type":131,"name":142,"callback":133,"file":134,"line":143},"admin_menu",180,{"type":131,"name":145,"callback":133,"file":134,"line":146},"admin_init",181,{"type":131,"name":148,"callback":133,"file":134,"line":149},"show_user_profile",182,{"type":131,"name":151,"callback":133,"file":134,"line":152},"edit_user_profile",183,{"type":131,"name":154,"callback":133,"file":134,"line":155},"admin_notices",186,{"type":131,"name":157,"callback":133,"file":134,"line":158},"wp_enqueue_scripts",237,{"type":131,"name":157,"callback":133,"file":134,"line":160},238,{"type":131,"name":162,"callback":133,"file":134,"line":163},"login_form",239,{"type":131,"name":165,"callback":133,"file":134,"line":166},"login_enqueue_scripts",240,{"type":168,"name":169,"callback":133,"file":134,"line":170},"filter","login_body_class",241,[172,178,181,185,189,193,197,201,203],{"action":173,"nopriv":174,"callback":175,"hasNonce":176,"hasCapCheck":174,"file":177,"line":149},"byebyepw_get_registration_challenge",false,"handle_get_registration_challenge",true,"includes\\class-byebyepw-ajax.php",{"action":179,"nopriv":174,"callback":180,"hasNonce":176,"hasCapCheck":174,"file":177,"line":152},"byebyepw_register_passkey","handle_register_passkey",{"action":182,"nopriv":174,"callback":183,"hasNo
nce":176,"hasCapCheck":174,"file":177,"line":184},"byebyepw_delete_passkey","handle_delete_passkey",184,{"action":186,"nopriv":174,"callback":187,"hasNonce":176,"hasCapCheck":174,"file":177,"line":188},"byebyepw_generate_recovery_codes","handle_generate_recovery_codes",185,{"action":190,"nopriv":176,"callback":191,"hasNonce":176,"hasCapCheck":174,"file":177,"line":192},"byebyepw_get_authentication_challenge","handle_get_authentication_challenge",188,{"action":194,"nopriv":176,"callback":195,"hasNonce":176,"hasCapCheck":174,"file":177,"line":196},"byebyepw_authenticate_passkey","handle_authenticate_passkey",189,{"action":198,"nopriv":176,"callback":199,"hasNonce":176,"hasCapCheck":174,"file":177,"line":200},"byebyepw_authenticate_recovery_code","handle_authenticate_recovery_code",190,{"action":190,"nopriv":174,"callback":191,"hasNonce":176,"hasCapCheck":174,"file":177,"line":202},193,{"action":194,"nopriv":174,"callback":195,"hasNonce":176,"hasCapCheck":174,"file":177,"line":204},194,[],[],[],9,{"dangerousFunctions":210,"sqlUsage":211,"outputEscaping":228,"fileOperations":11,"externalRequests":11,"nonceChecks":235,"capabilityChecks":236,"bundledLibraries":237},[],{"prepared":212,"raw":213,"locations":214},14,5,[215,219,222,224,226],{"file":216,"line":217,"context":218},"includes\\class-byebyepw-deactivator.php",38,"$wpdb->query() with variable interpolation",{"file":220,"line":221,"context":218},"uninstall.php",37,{"file":220,"line":223,"context":218},39,{"file":220,"line":225,"context":218},47,{"file":220,"line":227,"context":218},53,{"escaped":229,"rawEcho":31,"locations":230},64,[231],{"file":232,"line":233,"context":234},"admin\\partials\\byebyepw-admin-display.php",114,"raw output",8,2,[],[239,276],{"entryPoint":240,"graph":241,"unsanitizedCount":236,"severity":275},"handle_authenticate_recovery_code 
(includes\\class-byebyepw-ajax.php:409)",{"nodes":242,"edges":270},[243,248,252,259,262,265],{"id":244,"type":245,"label":246,"file":177,"line":247},"n0","source","$_POST",440,{"id":249,"type":250,"label":251,"file":177,"line":247},"n1","transform","→ verify_recovery_code()",{"id":253,"type":254,"label":255,"file":256,"line":257,"wp_function":258},"n2","sink","get_results() [SQLi]","includes\\class-byebyepw-recovery-codes.php",89,"get_results",{"id":260,"type":245,"label":246,"file":177,"line":261},"n3",457,{"id":263,"type":250,"label":264,"file":177,"line":261},"n4","→ get_remaining_codes_count()",{"id":266,"type":254,"label":267,"file":256,"line":268,"wp_function":269},"n5","get_var() [SQLi]",144,"get_var",[271,272,273,274],{"from":244,"to":249,"sanitized":174},{"from":249,"to":253,"sanitized":174},{"from":260,"to":263,"sanitized":174},{"from":263,"to":266,"sanitized":174},"high",{"entryPoint":277,"graph":278,"unsanitizedCount":236,"severity":275},"\u003Cclass-byebyepw-ajax> (includes\\class-byebyepw-ajax.php:0)",{"nodes":279,"edges":286},[280,281,282,283,284,285],{"id":244,"type":245,"label":246,"file":177,"line":247},{"id":249,"type":250,"label":251,"file":177,"line":247},{"id":253,"type":254,"label":255,"file":256,"line":257,"wp_function":258},{"id":260,"type":245,"label":246,"file":177,"line":261},{"id":263,"type":250,"label":264,"file":177,"line":261},{"id":266,"type":254,"label":267,"file":256,"line":268,"wp_function":269},[287,288,289,290],{"from":244,"to":249,"sanitized":174},{"from":249,"to":253,"sanitized":174},{"from":260,"to":263,"sanitized":174},{"from":263,"to":266,"sanitized":174},{"summary":292,"deductions":293},"The 'bye-bye-passwords' plugin v1.2.7 exhibits a generally strong security posture based on the provided static analysis. The complete absence of unauthenticated AJAX handlers, REST API routes without permission callbacks, shortcodes, and cron events is a significant strength, indicating a well-defined and protected attack surface. 
Furthermore, the plugin demonstrates good coding practices with a very high percentage of properly escaped outputs and a substantial use of prepared statements for SQL queries. The presence of nonce checks on most AJAX handlers and capability checks also contributes positively to its security.  \n\nHowever, there are two concerning taint analysis flows with unsanitized paths identified. While categorized as 'High severity' and not 'Critical', these flows represent potential vulnerabilities where user-supplied input might not be adequately sanitized before being used in a way that could lead to security issues, such as directory traversal or other path manipulation attacks. The plugin's history of zero known vulnerabilities is a strong positive indicator, suggesting a consistent focus on security by the developers.  \n\nIn conclusion, 'bye-bye-passwords' v1.2.7 is largely secure, with commendable attention to attack surface management and output sanitization. The primary area of concern lies within the two identified taint flows. 
Addressing these unsanitized paths would further solidify its security and eliminate potential risks.",[294,297],{"reason":295,"points":296},"Taint flow with unsanitized path (High)",12,{"reason":295,"points":296},"2026-03-17T07:30:48.379Z",{"wat":300,"direct":313},{"assetPaths":301,"generatorPatterns":306,"scriptPaths":307,"versionParams":308},[302,303,304,305],"\u002Fwp-content\u002Fplugins\u002Fbye-bye-passwords\u002Fadmin\u002Fcss\u002Fbyebyepw-admin.css","\u002Fwp-content\u002Fplugins\u002Fbye-bye-passwords\u002Fadmin\u002Fjs\u002Fbyebyepw-admin.js","\u002Fwp-content\u002Fplugins\u002Fbye-bye-passwords\u002Fpublic\u002Fcss\u002Fbye-bye-passwords.css","\u002Fwp-content\u002Fplugins\u002Fbye-bye-passwords\u002Fpublic\u002Fjs\u002Fbye-bye-passwords.js",[],[],[309,310,311,312],"bye-bye-passwords\u002Fadmin\u002Fcss\u002Fbyebyepw-admin.css?ver=","bye-bye-passwords\u002Fadmin\u002Fjs\u002Fbyebyepw-admin.js?ver=","bye-bye-passwords\u002Fpublic\u002Fcss\u002Fbye-bye-passwords.css?ver=","bye-bye-passwords\u002Fpublic\u002Fjs\u002Fbye-bye-passwords.js?ver=",{"cssClasses":314,"htmlComments":322,"htmlAttributes":327,"restEndpoints":331,"jsGlobals":332,"shortcodeOutput":335},[315,316,317,318,319,320,321],"byebyepw-admin-wrap","byebyepw-admin-settings","byebyepw-wrap","byebyepw-login-wrap","byebyepw-passkey-login","byebyepw-register-passkey","byebyepw-recovery-codes",[323,324,325,326],"\u003C!--Bye Bye Passwords Admin Settings-->","\u003C!--Bye Bye Passwords Passkey Login Form-->","\u003C!--Bye Bye Passwords Register Passkey Form-->","\u003C!--Bye Bye Passwords Recovery Codes Section-->",[328,329,330],"data-byebyepw-action","data-byebyepw-user-id","data-byebyepw-nonce",[],[333,334],"byebyepw_ajax","byebyepw_i18n",[]]