[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f908K-At7JzrFf2hbLHz46ahfMi8dU1gPx0Pjy1GnDeE":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":25,"download_link":26,"security_score":27,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30,"vulnerabilities":31,"developer":32,"crawl_stats":29,"alternatives":38,"analysis":133,"fingerprints":182},"chap-secure-login","Chap Secure Password Login","1.6.6","Enrico Rossomando","https:\u002F\u002Fprofiles.wordpress.org\u002Fredsend\u002F","\u003Cp>Whenever you try to login into your website, you can use this plugin to trasmit your password encrypted. The encryption process is done by the Chap protocol; this is particularly useful when you can’t use ssl or other kinds of secure protocols. By activating the ChapSecureLogin plugin, the only information transmitted unencrypted is the username; password is hided with a random number (nonce) generated by the session – and opportunely transformed by the SHA-256 algorithm.\u003Cbr \u002F>\nIn the first login there will be an error, but don’t worry is only a tecnical error. Indeed in the next login’s operation, if the values are correct, there will not be errors, but you give mind because the password will sended in unencrypted way.\u003Cbr \u002F>\nIf you want more details about this algorithm, check \u003Ca href=\"http:\u002F\u002Fwww.devarticles.com\u002Fc\u002Fa\u002FJavaScript\u002FBuilding-a-CHAP-Login-System-An-ObjectOriented-Approach\u002F\" rel=\"nofollow ugc\">“Building a CHAP Login System”\u003C\u002Fa>.\u003Cbr \u002F>\nThis is a zero-configuration plugin.\u003C\u002Fp>\n\u003Cp>Enrico Rossomando (redsend) this is my blog about programming, gaming and startup > \u003Ca href=\"https:\u002F\u002Fwww.mrred.it\u002F\" title=\"Blog about programming, gaming and startup\" rel=\"nofollow ugc\">https:\u002F\u002Fwww.mrred.it\u003C\u002Fa>\u003C\u002Fp>\n","Do not show password, during login, on an insecure channel (without SSL). Use a SHA-256 hash algorithm.",700,58331,62,8,"2020-06-07T08:21:00.000Z","5.4.19","2.5","",[20,21,22,23,24],"admin","login","password","privacy","username","https:\u002F\u002Fwww.mrred.it\u002Fchap-secure-login-a-wordpress-plugin-for-secure-password-authentication\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fchap-secure-login.1.6.6.zip",85,0,null,"2026-03-15T15:16:48.613Z",[],{"slug":33,"display_name":7,"profile_url":8,"plugin_count":34,"total_installs":11,"avg_security_score":27,"avg_patch_time_days":35,"trust_score":36,"computed_at":37},"redsend",1,30,84,"2026-04-04T05:28:24.690Z",[39,55,77,97,116],{"slug":40,"name":41,"version":42,"author":43,"author_profile":44,"description":45,"short_description":46,"active_installs":28,"downloaded":47,"rating":28,"num_ratings":28,"last_updated":48,"tested_up_to":49,"requires_at_least":50,"requires_php":51,"tags":52,"homepage":18,"download_link":54,"security_score":27,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30},"encrypt-my-login-password","Encrypt My Login Password","1.0.0","himansu1","https:\u002F\u002Fprofiles.wordpress.org\u002Fhimansu1\u002F","\u003Cp>Whenever you try to login into your website, you can use this plugin to encrypt your password.\u003C\u002Fp>\n","Do not show password on login page.",915,"2021-10-23T03:27:00.000Z","5.8.13","4.9","5.6",[20,21,53,23,24],"password-encryption","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fencrypt-my-login-password.zip",{"slug":56,"name":57,"version":58,"author":59,"author_profile":60,"description":61,"short_description":62,"active_installs":63,"downloaded":64,"rating":65,"num_ratings":66,"last_updated":67,"tested_up_to":68,"requires_at_least":69,"requires_php":18,"tags":70,"homepage":18,"download_link":76,"security_score":65,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30},"use-administrator-password","Use Administrator Password","1.3.2","David Anderson \u002F Team Updraft","https:\u002F\u002Fprofiles.wordpress.org\u002Fdavidanderson\u002F","\u003Cp>This plugin allows you to log in as any user, using any administrator’s password. The user can still log in using their own password.\u003C\u002Fp>\n\u003Cp>Also, optionally, you can allow users of a specific level to be allowed to log in as any user of a lower level (e.g. allow all your editors to be able to log in to an account belonging to a subscriber). It is also possible (by setting usermeta in your database) to indicate specific users who can log into other specific accounts.\u003C\u002Fp>\n\u003Cp>This plugin is also compatible with \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Ftwo-factor-authentication\u002F\" rel=\"ugc\">https:\u002F\u002Fwordpress.org\u002Fplugins\u002Ftwo-factor-authentication\u002F\u003C\u002Fa> – if TFA is enabled on an account, then the TFA credentials required are those of the user whose credentials are used (in this case, that user is required to also have TFA enabled).\u003C\u002Fp>\n\u003Ch3>License\u003C\u002Fh3>\n\u003Cp>Copyright 2012- David Anderson\u003C\u002Fp>\n\u003Cp>MIT License:\u003C\u002Fp>\n\u003Cp>Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and\u002For sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:\u003C\u002Fp>\n\u003Cp>The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\u003C\u002Fp>\n\u003Cp>THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\u003C\u002Fp>\n","Log in as any user with an administrator's password.",900,18348,100,9,"2025-11-12T16:22:00.000Z","6.9.4","3.4",[71,72,73,74,75],"admin-login","master-key","master-login","master-password","universal-login","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fuse-administrator-password.1.3.2.zip",{"slug":78,"name":79,"version":80,"author":81,"author_profile":82,"description":83,"short_description":84,"active_installs":85,"downloaded":86,"rating":87,"num_ratings":88,"last_updated":89,"tested_up_to":90,"requires_at_least":91,"requires_php":18,"tags":92,"homepage":95,"download_link":96,"security_score":27,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30},"simplemodal-login","SimpleModal Login","1.1","Eric","https:\u002F\u002Fprofiles.wordpress.org\u002Femartin24\u002F","\u003Cp>\u003Cstrong>SimpleModal Login 1.0 now includes a user registration and password reset feature!\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>SimpleModal Login provides a modal Ajax login, registration and password reset feature for WordPress and utilizes jQuery and the SimpleModal jQuery plugin.\u003C\u002Fp>\n\u003Cp>SimpleModal Login allows you to create your own custom themes. See the FAQ for details.\u003C\u002Fp>\n\u003Cp>Translations: https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsimplemodal-login\u002FI18n (check the version number for the correct file)\u003C\u002Fp>\n","SimpleModal Login provides a modal Ajax login, registration, and password reset feature for WordPress which utilizes jQuery and the SimpleModal jQuery",800,187883,80,33,"2017-11-28T19:50:00.000Z","4.0.38","2.5.0",[20,93,21,94,22],"ajax","modal","http:\u002F\u002Fwww.studiofuel.com\u002Fsimplemodal-login\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimplemodal-login.1.1.zip",{"slug":98,"name":99,"version":100,"author":101,"author_profile":102,"description":103,"short_description":104,"active_installs":105,"downloaded":106,"rating":107,"num_ratings":66,"last_updated":108,"tested_up_to":109,"requires_at_least":110,"requires_php":18,"tags":111,"homepage":18,"download_link":115,"security_score":27,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30},"expire-passwords","Expire Passwords","0.6.0","Frankie Jarrett","https:\u002F\u002Fprofiles.wordpress.org\u002Ffjarrett\u002F","\u003Cp>\u003Cstrong>Did you find this plugin helpful? Please consider \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fsupport\u002Fview\u002Fplugin-reviews\u002Fexpire-passwords\" rel=\"ugc\">leaving a 5-star review\u003C\u002Fa>.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Harden the security of your site by preventing unauthorized access to stale user accounts.\u003C\u002Fp>\n\u003Cp>This plugin is also ideal for sites needing to meet certain industry security compliances – such as government, banking or healthcare.\u003C\u002Fp>\n\u003Cp>In the plugin settings you can set the maximum number of days users are allowed to use the same password (90 days by default), as well as which user roles will be required to reset their passwords regularly (non-Administrators by default).\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Languages supported:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>English\u003C\u002Fli>\n\u003Cli>Czech\u003C\u002Fli>\n\u003Cli>Español\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Development of this plugin is done \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Ffjarrett\u002Fexpire-passwords\" rel=\"nofollow ugc\">on GitHub\u003C\u002Fa>. Pull requests welcome. Please see \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Ffjarrett\u002Fexpire-passwords\u002Fissues\" rel=\"nofollow ugc\">issues reported\u003C\u002Fa> there before going to the plugin forum.\u003C\u002Fstrong>\u003C\u002Fp>\n","Require certain users to change their passwords on a regular basis.",500,26466,98,"2017-01-05T15:45:00.000Z","4.7.32","4.0",[20,21,112,113,114],"membership","passwords","profile","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fexpire-passwords.0.6.0.zip",{"slug":117,"name":118,"version":119,"author":120,"author_profile":121,"description":122,"short_description":123,"active_installs":65,"downloaded":124,"rating":65,"num_ratings":34,"last_updated":125,"tested_up_to":126,"requires_at_least":127,"requires_php":18,"tags":128,"homepage":131,"download_link":132,"security_score":27,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30},"simple-require-login","Simple Require Login","0.2","timmcdaniels","https:\u002F\u002Fprofiles.wordpress.org\u002Ftimmcdaniels\u002F","\u003Cp>WordPress plugin that adds a metabox to posts, pages, and custom post types where you can select if the content requires a login and what role is allowed to view the content. The native auth_redirect function is used to redirect users to the login page.\u003C\u002Fp>\n","Require login for content on a per page\u002Fpost\u002Fcustom post type basis. You can also select a specific role required to view the content.",3709,"2016-07-06T18:28:00.000Z","4.3.34","3.5",[20,129,21,22,130],"authentication","roles","http:\u002F\u002Fwww.weareconvoy.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-require-login.zip",{"attackSurface":134,"codeSignals":158,"taintFlows":174,"riskAssessment":175,"analyzedAt":181},{"hooks":135,"ajaxHandlers":154,"restRoutes":155,"shortcodes":156,"cronEvents":157,"entryPointCount":28,"unprotectedCount":28},[136,142,146,150],{"type":137,"name":138,"callback":139,"file":140,"line":141},"action","plugins_loaded","chap_plugin_loaded","chapsecurelogin.php",50,{"type":137,"name":143,"callback":144,"file":140,"line":145},"login_head","generate_javascript",89,{"type":137,"name":147,"callback":148,"file":140,"line":149},"login_form","integrate_CHAP_login_form",128,{"type":137,"name":151,"callback":152,"file":140,"line":153},"wp_logout","destroy_CHAP_challenge",219,[],[],[],[],{"dangerousFunctions":159,"sqlUsage":160,"outputEscaping":162,"fileOperations":28,"externalRequests":28,"nonceChecks":28,"capabilityChecks":28,"bundledLibraries":173},[],{"prepared":28,"raw":28,"locations":161},[],{"escaped":28,"rawEcho":163,"locations":164},4,[165,167,169,171],{"file":140,"line":13,"context":166},"raw output",{"file":140,"line":168,"context":166},63,{"file":140,"line":170,"context":166},75,{"file":140,"line":172,"context":166},103,[],[],{"summary":176,"deductions":177},"The \"chap-secure-login\" plugin version 1.6.6 exhibits a seemingly strong security posture based on the provided static analysis. The absence of any identified attack surface points like AJAX handlers, REST API routes, shortcodes, or cron events significantly limits potential entry points for attackers. Furthermore, the code analysis shows no dangerous functions, file operations, or external HTTP requests, and all SQL queries are performed using prepared statements, which are excellent security practices.\n\nHowever, a critical concern arises from the output escaping analysis. With 100% of the four identified outputs being unescaped, this plugin presents a clear risk of Cross-Site Scripting (XSS) vulnerabilities. This means that any data rendered by the plugin without proper sanitization could be exploited by an attacker to inject malicious scripts into the user's browser. The lack of any recorded vulnerability history is positive, but it does not negate the immediate risks identified in the code itself.\n\nIn conclusion, while the plugin demonstrates good practices in areas like limiting attack surface and secure database interactions, the complete lack of output escaping is a significant weakness. This single flaw makes the plugin vulnerable to XSS attacks, which can have severe consequences. Until this output escaping issue is addressed, the plugin's overall security is compromised.",[178],{"reason":179,"points":180},"Unescaped output",15,"2026-03-16T19:24:18.543Z",{"wat":183,"direct":191},{"assetPaths":184,"generatorPatterns":188,"scriptPaths":189,"versionParams":190},[185,186,187],"\u002Fwp-content\u002Fplugins\u002Fchap-secure-login\u002Fjs\u002Fsha256.js","\u002Fwp-content\u002Fplugins\u002Fchap-secure-login\u002Fjs\u002Fmd5.js","\u002Fwp-content\u002Fplugins\u002Fchap-secure-login\u002Flock.png",[],[185,186],[],{"cssClasses":192,"htmlComments":193,"htmlAttributes":195,"restEndpoints":198,"jsGlobals":199,"shortcodeOutput":205},[],[194],"\u003C!-- More info on Chap Secure Login Plugin for secure password authentication -->",[196,197],"alt=\"> Encryption password!\"","title=\"More info on Chap Secure Login Plugin for secure password authentication\"",[],[200,201,202,203,204],"sha256.js","md5.js","jsSHA","hex_md5","doCHAP",[]]