Clean Login Security & Risk Analysis

wordpress.org/plugins/clean-login

A plugin for displaying useful forms on the front end using only shortcodes: Login, Registration, Profile Editor and Lost Password forms.

Active installs: 6K
Version: v1.14.6
Requires: PHP (minimum version not listed) + WP 3.4+
Updated: Aug 28, 2024
Tags: editor, form, login, lost-password, registration

Security score: 87 (A · Safe)
CVEs total: 5
Unpatched: 0
Last CVE: Aug 29, 2024
Safety Verdict

Is Clean Login Safe to Use in 2026?

Generally Safe

Score 87/100

Clean Login has no unpatched CVEs: all five known issues are fixed in current releases. The most recent, CVE-2024-8252, was patched within a day of disclosure; the older issues took far longer (the per-CVE patch times below range from 1 to 3102 days, 1136 days on average), so "promptly" applies only to the recent history.

5 known CVEs · Last CVE: Aug 29, 2024 · Updated 1yr ago
Risk Assessment

The clean-login plugin v1.14.6 exhibits a mixed security posture. On the positive side, the code analysis shows good practice in several areas: all 4 SQL queries use prepared statements, the entry points carry nonce checks (4) and capability checks (3), and no dangerous functions or file operations were found. The absence of critical or high-severity taint flows is also a positive indicator.

However, several areas raise concern. Only 32% of outputs (90 of 279) are escaped, which leaves room for Cross-Site Scripting (XSS), and XSS dominates the plugin's history: of its 5 known CVEs (2 high, 3 medium), three are XSS, one is CSRF, and the most recent, CVE-2024-8252, is an authenticated local file inclusion (CWE-98, which the CVE database labels 'PHP Remote File Inclusion'). None is currently unpatched, but the pattern is recurring and warrants careful monitoring. The one data flow with an unsanitized path (valid_gcaptcha in include\controller.php:461), though not rated critical, also deserves attention.

In conclusion, while the plugin demonstrates some solid security implementation, the vulnerability history, dominated by XSS and capped by the 2024 file inclusion, combined with the low output-escaping rate, indicates a moderate to high risk that calls for vigilant monitoring and a deeper audit of the code wherever the plugin is exposed to untrusted authors (several of the listed issues required a Contributor+ account). The single unsanitized path flow is a specific point to check.
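The three mechanisms the assessment above counts (output escaping, nonce checks, capability checks) as they look in practice, shown on a minimal profile-editor shortcode of the kind the plugin ships ([clean-login-edit]). This is an added example, not code from Clean Login or from this page's scanner; it assumes it runs inside WordPress, and the shortcode tag, function names and nonce action are hypothetical.

```php
<?php
/*
 * Added example, not the plugin's code. Demonstrates output escaping,
 * nonce verification and a capability check on a hypothetical
 * profile-editor shortcode. Assumes WordPress is loaded.
 */

// Unsafe pattern: shortcode attribute and stored user meta echoed raw.
// A Contributor can place the shortcode in a post, so an unescaped
// attribute becomes stored XSS rendered for every visitor of that page.
function example_profile_form_unsafe(array $atts): string
{
    $atts = shortcode_atts(['title' => 'Edit profile'], $atts);
    $user = wp_get_current_user();
    return '<h2>' . $atts['title'] . '</h2>'
        . '<form method="post"><textarea name="description">'
        . $user->description . '</textarea><button>Save</button></form>';
}

// Hardened: escape at the sink with the function matching the HTML context,
// and embed a nonce so the save handler can reject cross-site requests.
function example_profile_form_safe(array $atts): string
{
    if (!is_user_logged_in()) {
        return '';
    }
    $atts = shortcode_atts(['title' => 'Edit profile'], $atts);
    $user = wp_get_current_user();
    $out  = '<h2>' . esc_html($atts['title']) . '</h2>';
    $out .= '<form method="post">';
    $out .= wp_nonce_field('example_profile_save', '_example_nonce', true, false);
    $out .= '<textarea name="description">' . esc_textarea($user->description) . '</textarea>';
    $out .= '<button>Save</button></form>';
    return $out;
}
add_shortcode('example-profile-edit', 'example_profile_form_safe');

// Save handler on template_redirect (the hook the plugin's controller also
// uses, per the attack-surface list). The nonce defeats CSRF, the capability
// check ties the write to the acting user, and sanitization bounds what is
// stored; rendering still escapes, because stored data is not trusted.
function example_profile_save(): void
{
    if (!isset($_POST['_example_nonce'], $_POST['description'])) {
        return; // not this form
    }
    // WordPress nonces are lowercase hex, so sanitize_key() is lossless here.
    if (!wp_verify_nonce(sanitize_key($_POST['_example_nonce']), 'example_profile_save')) {
        wp_die('Invalid request token', '', ['response' => 403]);
    }
    $user_id = get_current_user_id();
    if ($user_id === 0 || !current_user_can('edit_user', $user_id)) {
        wp_die('Insufficient permissions', '', ['response' => 403]);
    }
    $description = sanitize_textarea_field(wp_unslash($_POST['description']));
    $result = wp_update_user(['ID' => $user_id, 'description' => $description]);
    if (is_wp_error($result)) {
        wp_die(esc_html($result->get_error_message()), '', ['response' => 400]);
    }
    $back = wp_get_referer();
    wp_safe_redirect(add_query_arg('updated', '1', $back ? $back : home_url('/')));
    exit;
}
add_action('template_redirect', 'example_profile_save');
```

The escaping functions are chosen by sink: esc_html for element text, esc_textarea for textarea content, esc_attr for attribute values. A scanner counting "escaped outputs" is checking for exactly these calls at each echo or return, which is why the 32% figure above is worth reading alongside the plugin's own templates.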

Key Concerns

  • Low output escaping rate (32%)
  • 1 unsanitized path flow
  • 5 known CVEs (2 high, 3 medium)
Vulnerabilities (5)

Clean Login Security Vulnerabilities

CVEs by Year

2015: 1
2020: 1
2021: 1
2023: 1
2024: 1

All five are patched; none is unpatched.

Severity Breakdown

High: 2
Medium: 3
Total: 5 CVEs

CVE-2024-8252 · high · 8.8 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Clean Login <= 1.14.5 - Authenticated (Contributor+) Local File Inclusion
Aug 29, 2024 · Patched in 1.14.6 (1d)
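The weakness class behind CVE-2024-8252 (CWE-98, an include/require whose file name is controlled by the request) as an added example, not code from Clean Login: this page does not say which parameter or file the plugin used, so the 'template' parameter, the templates/ directory and the four template names below are assumptions. The unsafe and hardened loaders are shown side by side.

```php
<?php
/*
 * Added example, not the plugin's code. Hypothetical template loader
 * illustrating CWE-98 and an allowlist fix. Assumes WordPress is loaded;
 * the parameter name, directory and template names are assumptions.
 */

// Vulnerable: the file name comes straight from the request. Whoever can
// reach this code (the advisory above needed a Contributor+ account) picks
// the included file; "../" walks out of templates/, and with
// allow_url_include enabled the same sink would load remote code.
function example_render_template_unsafe(string $name): void
{
    include plugin_dir_path(__FILE__) . 'templates/' . $name . '.php';
}

// Hardened: the request value only selects among a fixed set of known
// files, and the resolved path is re-checked against the base directory.
function example_render_template_safe(string $name): bool
{
    $allowed = ['login', 'register', 'edit', 'restore']; // assumed names
    if (!in_array($name, $allowed, true)) {
        return false;
    }
    $base = realpath(plugin_dir_path(__FILE__) . 'templates');
    $file = realpath($base . DIRECTORY_SEPARATOR . $name . '.php');
    // Defence in depth: refuse anything that resolved outside templates/
    // (a symlink, for instance), even for an allowlisted name.
    if ($base === false || $file === false
        || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    include $file;
    return true;
}

// At the request entry point: sanitize_key() reduces the value to
// [a-z0-9_-] before it ever reaches the allowlist comparison.
$name = isset($_GET['template']) ? sanitize_key(wp_unslash($_GET['template'])) : 'login';
example_render_template_safe($name);
```

The allowlist is the fix; the realpath check is there so that a later edit which relaxes the allowlist (or an attacker-planted symlink inside templates/) still cannot pull a file from elsewhere on disk.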
CVE-2022-4838 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Clean Login <= 1.13.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Jan 10, 2023 · Patched in 1.13.7 (378d)

WF-1a91e973-f669-49a6-8c74-f6fbc4dc8db9-clean-login · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Clean Login 1.12.6.3 - Cross-Site Scripting
Aug 9, 2021 · Patched in 1.12.6.4 (897d)

CVE-2017-8875 · high · 8.8 · Cross-Site Request Forgery (CSRF)
Clean Login <= 1.10.3 - Cross-Site Request Forgery
Jun 29, 2020 · Patched in 1.10.4 (1303d)

CVE-2015-9336 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Clean Login <= 1.5 - Reflected Cross-Site Scripting
Jul 27, 2015 · Patched in 1.5.1 (3102d)
Code Analysis
Analyzed Mar 16, 2026

Clean Login Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (4 prepared)
Unescaped Output: 189 (90 escaped)
Nonce Checks: 4
Capability Checks: 3
File Operations: 0
External Requests: 1
Bundled Libraries: 0

SQL Query Safety

100% prepared (4 total queries)

Output Escaping

32% escaped (90 of 279 total outputs)
Data Flows: 1 unsanitized

Data Flow Analysis

7 flows, 1 with an unsanitized path:
valid_gcaptcha (include\controller.php:461)
Attack Surface

Clean Login Attack Surface

Entry Points: 4
Unprotected: 0

Shortcodes (4)

[clean-login] include\shortcodes.php:5
[clean-login-edit] include\shortcodes.php:6
[clean-login-register] include\shortcodes.php:7
[clean-login-restore] include\shortcodes.php:8
WordPress Hooks (18)

action plugins_loaded (clean-login.php:25)
action plugins_loaded (clean-login.php:27)
filter plugin_action_links_clean-login/clean-login.php (clean-login.php:40)
filter plugin_row_meta (clean-login.php:41)
action wp_logout (clean-login.php:42)
action template_redirect (include\controller.php:5)
action template_redirect (include\controller.php:6)
action cleanlogin_before_login_edit_form_container (include\controller.php:7)
action wp_enqueue_scripts (include\frontend.php:5)
action plugins_loaded (include\i18n.php:6)
action admin_init (include\nav_menu_links.php:8)
action admin_init (include\roles.php:8)
action after_setup_theme (include\settings.php:7)
action admin_init (include\settings.php:8)
action admin_menu (include\settings.php:9)
action save_post (include\shortcodes.php:10)
action wp_trash_post (include\shortcodes.php:11)
action widgets_init (include\widget.php:5)
Maintenance & Trust

Clean Login Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.6.5
Last updated: Aug 28, 2024
PHP min version: (not listed)
Downloads: 488K

Community Trust

Rating: 94/100
Number of ratings: 143
Active installs: 6K
Developer Profile

Clean Login Developer Profile

Alberto Hornero

2 plugins · 6K total installs

Trust score: 69
Avg Security Score: 86/100
Avg Patch Time: 1136 days
Detection Fingerprints

How We Detect Clean Login

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
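A concrete fingerprint check that ties this section to the vulnerability list above: detect the plugin from its public readme.txt and decide whether the installed version falls inside any of the affected ranges published on this page. This is an added example, not the scanner's own detection logic. It assumes the standard wordpress.org layout (/wp-content/plugins/clean-login/readme.txt, with a "Stable tag:" header); the sample readme is constructed so the script runs offline, and the live fetch is only used when a site URL is passed on the command line.

```php
<?php
/*
 * Added example, not the scanner's or the plugin's code. Fingerprints
 * Clean Login via readme.txt and matches the detected version against the
 * affected ranges listed on this page. Assumes the standard plugin path
 * and readme format of wordpress.org plugins.
 */
declare(strict_types=1);

const PLUGIN_SLUG = 'clean-login';
const README_PATH = '/wp-content/plugins/' . PLUGIN_SLUG . '/readme.txt';

// Affected ranges exactly as published in the vulnerability list above:
// [identifier, version_compare() operator, boundary version]. The WF entry
// names a single release, so it uses '=='.
const ADVISORIES = [
    ['CVE-2024-8252', '<=', '1.14.5'],
    ['CVE-2022-4838', '<=', '1.13.6'],
    ['WF-1a91e973-f669-49a6-8c74-f6fbc4dc8db9-clean-login', '==', '1.12.6.3'],
    ['CVE-2017-8875', '<=', '1.10.3'],
    ['CVE-2015-9336', '<=', '1.5'],
];

// Extract the "Stable tag" value; null if absent or non-numeric ("trunk").
function parse_stable_tag(string $readme): ?string
{
    if (preg_match('/^Stable tag:\s*([0-9][0-9.]*)\s*$/mi', $readme, $m)) {
        return $m[1];
    }
    return null;
}

// Identifiers whose affected range contains $version. version_compare()
// is the same dotted-version comparison WordPress itself uses.
function affected_advisories(string $version): array
{
    $hits = [];
    foreach (ADVISORIES as [$id, $op, $boundary]) {
        if (version_compare($version, $boundary, $op)) {
            $hits[] = $id;
        }
    }
    return $hits;
}

function report(?string $version): string
{
    if ($version === null) {
        return 'version unknown (no numeric Stable tag)';
    }
    $hits = affected_advisories($version);
    return $version . ' -> ' . ($hits ? implode(', ', $hits) : 'no listed advisory');
}

// Plain HTTP GET of readme.txt; null when the file is not served with 200.
function fetch_readme(string $site): ?string
{
    $ctx  = stream_context_create(['http' => ['timeout' => 10, 'ignore_errors' => true]]);
    $body = @file_get_contents(rtrim($site, '/') . README_PATH, false, $ctx);
    // The http wrapper sets $http_response_header in this scope.
    if ($body === false || !isset($http_response_header[0])
        || !preg_match('#\s200\s#', $http_response_header[0])) {
        return null;
    }
    return $body;
}

// Constructed sample readme standing in for a live fetch (offline run).
$sample = "=== Clean Login ===\nContributors: example\nStable tag: 1.12.6.3\nRequires at least: 3.4\n";
echo PLUGIN_SLUG, ' (sample): ', report(parse_stable_tag($sample)), "\n";

// Live use: php check.php https://example.com
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $readme = fetch_readme($argv[1]);
    if ($readme === null) {
        echo PLUGIN_SLUG, ": readme.txt not served; not detected by this fingerprint\n";
    } else {
        echo PLUGIN_SLUG, ': ', report(parse_stable_tag($readme)), "\n";
    }
}
```

For the constructed sample, 1.12.6.3 matches CVE-2024-8252 (<= 1.14.5), CVE-2022-4838 (<= 1.13.6) and the WF entry (== 1.12.6.3), and misses the 2020 and 2015 ranges. A readme.txt that is blocked or stripped by the host does not mean the plugin is absent; it only means this particular fingerprint cannot see it, so treat a null result as "unknown", not "clean".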

Asset Fingerprints

HTML / DOM Fingerprints

FAQ

Frequently Asked Questions about Clean Login