[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f0bwrSRg8sbN2xPYdaYpR_FZ3_Cu7dt3Ila4bc-Mejz0":3,"$fAAzLg2rckog0P3vopXnJhGPH2mzh5vgP9HWXeHOC1z0":227,"$f6DiIZ0cQbpaahUkLwLHmR3QnsWrL3DDvEw9HPGGUL-s":232},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":11,"num_ratings":11,"last_updated":13,"tested_up_to":14,"requires_at_least":15,"requires_php":16,"tags":17,"homepage":23,"download_link":24,"security_score":25,"vuln_count":26,"unpatched_count":11,"last_vuln_date":27,"fetched_at":28,"discovery_status":29,"vulnerabilities":30,"developer":56,"crawl_stats":36,"alternatives":60,"analysis":146,"fingerprints":209},"cyberus-key","Cyberus Key","1.1","piotrwolski1","https:\u002F\u002Fprofiles.wordpress.org\u002Fpiotrwolski1\u002F","\u003Cp>OVERVIEW\u003C\u002Fp>\n\u003Cp>\u003Cem>Cyberus Key\u003C\u002Fem> solves one of the biggest problems of any online-based human activity responsible for 80% of data breaches – \u003Cem>the risk of stolen credentials\u003C\u002Fem>.\u003Cbr \u002F>\nWe offer a one-touch, 2-factor authentication system for user identification and transaction confirmation. 
Cyberus Key’s multi-layer, smartphone-based authentication platform offers password-free login that enables businesses and online users to conduct streamlined yet highly secure web-based transactions.\u003C\u002Fp>\n\u003Cp>Cyberus Key’s unique approach results in a frictionless user experience, streamlined customer acquisition, higher levels of security, the end of passwords.\u003C\u002Fp>\n\u003Cp>HOW DOES IT WORK?\u003C\u002Fp>\n\u003Ch3>User perspective\u003C\u002Fh3>\n\u003Col>\n\u003Cli>Download our \u003Ca href=\"https:\u002F\u002Fplay.google.com\u002Fstore\u002Fapps\u002Fdetails?id=com.cyberuslabs.cyberuskeyapp\" rel=\"nofollow ugc\">Android\u003C\u002Fa> or \u003Ca href=\"https:\u002F\u002Fapps.apple.com\u002Fus\u002Fapp\u002Fcyberuskey\u002Fid1197275016\" rel=\"nofollow ugc\">iOS\u003C\u002Fa> application and register.\u003C\u002Fli>\n\u003Cli>Remember to use the same email address as you do on your wordpress website.\u003C\u002Fli>\n\u003Cli>On your wordpress site login page (\u002Fwp-login.php), instead of the traditional login\u002Fpassword, click the “Login with CyberusKey” widget.\u003C\u002Fli>\n\u003Cli>The One-Time token is transmitted to mobile app via sound, no need to type anything!\u003C\u002Fli>\n\u003Cli>You are authenticated on the website and logged in.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch3>SYSTEM OWNER PERSPECTIVE – INTEGRATION STEPS\u003C\u002Fh3>\n\u003Col>\n\u003Cli>Download our \u003Ca href=\"https:\u002F\u002Fplay.google.com\u002Fstore\u002Fapps\u002Fdetails?id=com.cyberuslabs.cyberuskeyapp\" rel=\"nofollow ugc\">Android\u003C\u002Fa> or \u003Ca href=\"https:\u002F\u002Fapps.apple.com\u002Fus\u002Fapp\u002Fcyberuskey\u002Fid1197275016\" rel=\"nofollow ugc\">iOS\u003C\u002Fa> mobile application and register.\u003C\u002Fli>\n\u003Cli>Follow steps presented on our integration form [here][https:\u002F\u002Floginwithoutpasswords.com\u002Fintegration\u002F]\u003C\u002Fli>\n\u003Cli>On the Integration tab on our website create a 
redirection: YOUR_SITE_URL +’\u002Fwp-json\u002Fapi\u002Flogin’ e.g. https:\u002F\u002Fexample.com\u002Fwp-json\u002Fapi\u002Flogin\u003C\u002Fli>\n\u003Cli>Copy Client Id and Client Secret for later usage\u003C\u002Fli>\n\u003Cli>Once you download and activate this plugin, go to settings and paste Client Id and Secret into appropriate fields. \u003C\u002Fli>\n\u003Cli>Done. You can change to Users perspective to see how it works. \u003C\u002Fli>\n\u003Cli>For additional information about the logins performed on your website visit cyberuskey.com\u003C\u002Fli>\n\u003C\u002Fol>\n","Cyberus Key eliminates passwords using one-time tokens delivered via ultrasounds.",0,1011,"2023-03-18T22:14:00.000Z","6.1.10","5.4.1","7.0",[18,19,20,21,22],"2fa","authentication","cybersecurity","passwordless","sonic-authentication","https:\u002F\u002Floginwithoutpasswords.com\u002Fcyberus\u002F2-wordpress\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcyberus-key.1.1.zip",84,2,"2023-03-20 
00:00:00","2026-04-06T09:54:40.288Z","no_bundle",[31,48],{"id":32,"url_slug":33,"title":34,"description":35,"plugin_slug":4,"theme_slug":36,"affected_versions":37,"patched_in_version":6,"severity":38,"cvss_score":39,"cvss_vector":40,"vuln_type":41,"published_date":27,"updated_date":42,"references":43,"days_to_patch":45,"patch_diff_files":46,"patch_trac_url":36,"research_status":36,"research_verified":47,"research_rounds_completed":11,"research_plan":36,"research_summary":36,"research_vulnerable_code":36,"research_fix_diff":36,"research_exploit_outline":36,"research_model_used":36,"research_started_at":36,"research_completed_at":36,"research_error":36,"poc_status":36,"poc_video_id":36,"poc_summary":36,"poc_steps":36,"poc_tested_at":36,"poc_wp_version":36,"poc_php_version":36,"poc_playwright_script":36,"poc_exploit_code":36,"poc_has_trace":47,"poc_model_used":36,"poc_verification_depth":36},"CVE-2023-28620","cyberus-key-authenticated-administrator-stored-cross-site-scripting-via-uid-in-cyberkeysettings-plugin-setting","Cyberus Key \u003C= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'uid' in 'cyberkey_settings' Plugin Setting","The Cyberus Key plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'uid' in 'cyberkey_settings' plugin setting in versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers with administrator-level access, and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",null,"\u003C=1.0","medium",4.4,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2024-01-22 19:56:02",[44],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fbf5e5eaf-b42d-49b9-8f55-6025e64748c9?source=api-prod",309,[],false,{"id":49,"url_slug":50,"title":51,"description":52,"plugin_slug":4,"theme_slug":36,"affected_versions":37,"patched_in_version":6,"severity":38,"cvss_score":39,"cvss_vector":40,"vuln_type":41,"published_date":27,"updated_date":42,"references":53,"days_to_patch":45,"patch_diff_files":55,"patch_trac_url":36,"research_status":36,"research_verified":47,"research_rounds_completed":11,"research_plan":36,"research_summary":36,"research_vulnerable_code":36,"research_fix_diff":36,"research_exploit_outline":36,"research_model_used":36,"research_started_at":36,"research_completed_at":36,"research_error":36,"poc_status":36,"poc_video_id":36,"poc_summary":36,"poc_steps":36,"poc_tested_at":36,"poc_wp_version":36,"poc_php_version":36,"poc_playwright_script":36,"poc_exploit_code":36,"poc_has_trace":47,"poc_model_used":36,"poc_verification_depth":36},"WF-f3944b2d-c431-4a53-b4e2-740480e746d6-cyberus-key","cyberus-key-authenticated-administrator-stored-cross-site-scripting","Cyberus Key \u003C= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting","The Cyberus Key plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.",[54],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff3944b2d-c431-4a53-b4e2-740480e746d6?source=api-prod",[],{"slug":7,"display_name":7,"profile_url":8,"plugin_count":26,"total_installs":11,"avg_security_score":57,"avg_patch_time_days":45,"trust_score":58,"computed_at":59},85,69,"2026-05-20T01:16:35.440Z",[61,72,92,108,125],{"slug":62,"name":63,"version":64,"author":7,"author_profile":8,"description":65,"short_description":66,"active_installs":11,"downloaded":67,"rating":11,"num_ratings":11,"last_updated":68,"tested_up_to":14,"requires_at_least":15,"requires_php":16,"tags":69,"homepage":23,"download_link":70,"security_score":57,"vuln_count":11,"unpatched_count":11,"last_vuln_date":36,"fetched_at":71},"eliot-pro","ElIoT Pro Passwordless Login","1.0","\u003Cp>OVERVIEW\u003C\u002Fp>\n\u003Cp>\u003Cem>ElIoT Pro\u003C\u002Fem> solves one of the biggest problems of any online-based human activity responsible for 80% of data breaches – \u003Cem>the risk of stolen credentials\u003C\u002Fem>.\u003Cbr \u002F>\nWe offer a one-touch, 2-factor authentication system for user identification and transaction confirmation. 
ElIoT Pro’s multi-layer, smartphone-based authentication platform offers password-free login that enables businesses and online users to conduct streamlined yet highly secure web-based transactions.\u003C\u002Fp>\n\u003Cp>ElIoT Pro’s unique approach results in a frictionless user experience, streamlined customer acquisition, higher levels of security, the end of passwords.\u003C\u002Fp>\n\u003Cp>HOW DOES IT WORK?\u003C\u002Fp>\n\u003Ch3>User perspective\u003C\u002Fh3>\n\u003Col>\n\u003Cli>Download our \u003Ca href=\"https:\u002F\u002Fplay.google.com\u002Fstore\u002Fapps\u002Fdetails?id=com.cyberuslabs.eliotpro\" rel=\"nofollow ugc\">Android\u003C\u002Fa> or \u003Ca href=\"https:\u002F\u002Fapps.apple.com\u002Fpl\u002Fapp\u002Feliot-pro\u002Fid1458095747\" rel=\"nofollow ugc\">iOS\u003C\u002Fa> application and register.\u003C\u002Fli>\n\u003Cli>Remember to use the same email address as you do on your wordpress website.\u003C\u002Fli>\n\u003Cli>On your wordpress site login page (\u002Fwp-login.php), instead of the traditional login\u002Fpassword, click the “Login with ElIoT Pro” widget.\u003C\u002Fli>\n\u003Cli>The One-Time token is transmitted to mobile app via sound, no need to type anything!\u003C\u002Fli>\n\u003Cli>You are authenticated on the website and logged in.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch3>SYSTEM OWNER PERSPECTIVE – INTEGRATION STEPS\u003C\u002Fh3>\n\u003Col>\n\u003Cli>Download our \u003Ca href=\"https:\u002F\u002Fplay.google.com\u002Fstore\u002Fapps\u002Fdetails?id=com.cyberuslabs.eliotpro\" rel=\"nofollow ugc\">Android\u003C\u002Fa> or \u003Ca href=\"https:\u002F\u002Fapps.apple.com\u002Fpl\u002Fapp\u002Feliot-pro\u002Fid1458095747\" rel=\"nofollow ugc\">iOS\u003C\u002Fa> mobile application and register.\u003C\u002Fli>\n\u003Cli>Follow steps presented on our integration form [here][https:\u002F\u002Floginwithoutpasswords.com\u002Fintegration\u002F]\u003C\u002Fli>\n\u003Cli>On the Integration tab on our website create a redirection: 
YOUR_SITE_URL +’\u002Fwp-json\u002Fapi\u002Flogin’ e.g. https:\u002F\u002Fexample.com\u002Fwp-json\u002Fapi\u002Flogin\u003C\u002Fli>\n\u003Cli>Copy Client Id and Client Secret for later usage\u003C\u002Fli>\n\u003Cli>Once you download and activate this plugin, go to settings and paste Client Id and Secret into appropriate fields. \u003C\u002Fli>\n\u003Cli>Done. You can change to Users perspective to see how it works. \u003C\u002Fli>\n\u003Cli>For additional information about the logins performed on your website visit cyberuskey.com\u003C\u002Fli>\n\u003C\u002Fol>\n","ElIoT Pro eliminates passwords using one-time tokens delivered via ultrasounds.",2184,"2023-03-30T17:40:00.000Z",[18,19,20,21,22],"https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Feliot-pro.1.0.zip","2026-04-16T10:56:18.058Z",{"slug":73,"name":74,"version":75,"author":76,"author_profile":77,"description":78,"short_description":79,"active_installs":80,"downloaded":81,"rating":11,"num_ratings":11,"last_updated":82,"tested_up_to":83,"requires_at_least":84,"requires_php":85,"tags":86,"homepage":89,"download_link":90,"security_score":91,"vuln_count":11,"unpatched_count":11,"last_vuln_date":36,"fetched_at":71},"keyless-auth","Keyless Auth – Login without Passwords","3.2.4","Chris Martens","https:\u002F\u002Fprofiles.wordpress.org\u002Fchrmrtns\u002F","\u003Cp>Transform your WordPress login experience with passwordless authentication. Users simply enter their email address and receive a secure magic link – click to login instantly. 
It’s more secure than weak passwords and infinitely more user-friendly.\u003C\u002Fp>\n\u003Ch4>Why Choose Keyless Auth?\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Enhanced Security\u003C\u002Fstrong>: No more weak, reused, or compromised passwords\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Better User Experience\u003C\u002Fstrong>: One click instead of remembering complex passwords\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Reduced Support\u003C\u002Fstrong>: Eliminate “forgot password” requests\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Modern Authentication\u003C\u002Fstrong>: Enterprise-grade security used by Slack, Medium, and others\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Security Hardening\u003C\u002Fstrong>: Built-in protection against brute force attacks and username enumeration\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Quick Start\u003C\u002Fh4>\n\u003Col>\n\u003Cli>Install and activate the plugin\u003C\u002Fli>\n\u003Cli>Create a new page and add the shortcode \u003Ccode>[keyless-auth]\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>Configure email templates in \u003Cstrong>Keyless Auth \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> Templates\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>Done! 
Users can now login passwordlessly\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch4>Core Features\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>Ready to Use\u003C\u002Fstrong>\u003Cbr \u002F>\n* \u003Cstrong>Magic Link Authentication\u003C\u002Fstrong> – Secure, one-time login links via email\u003Cbr \u002F>\n* \u003Cstrong>Two-Factor Authentication (2FA)\u003C\u002Fstrong> – Complete TOTP support with Google Authenticator\u003Cbr \u002F>\n* \u003Cstrong>Role-Based 2FA\u003C\u002Fstrong> – Require 2FA for specific user roles (admins, editors, etc.)\u003Cbr \u002F>\n* \u003Cstrong>Custom 2FA Setup URLs\u003C\u002Fstrong> – Direct users to branded frontend 2FA setup pages\u003Cbr \u002F>\n* \u003Cstrong>SMTP Integration\u003C\u002Fstrong> – Reliable email delivery through your mail server\u003Cbr \u002F>\n* \u003Cstrong>Email Templates\u003C\u002Fstrong> – Professional, customizable login emails\u003Cbr \u002F>\n* \u003Cstrong>Mail Logging\u003C\u002Fstrong> – Track all sent emails with delivery status\u003Cbr \u002F>\n* \u003Cstrong>Custom Database Tables\u003C\u002Fstrong> – Scalable architecture with dedicated audit logs\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Advanced Security\u003C\u002Fstrong>\u003Cbr \u002F>\n* \u003Cstrong>Token Security\u003C\u002Fstrong>: 10-minute expiration, single-use tokens\u003Cbr \u002F>\n* \u003Cstrong>Audit Logging\u003C\u002Fstrong>: IP addresses, device types, login attempts\u003Cbr \u002F>\n* \u003Cstrong>Emergency Mode\u003C\u002Fstrong>: Grace period system with admin controls\u003Cbr \u002F>\n* \u003Cstrong>Secure Storage\u003C\u002Fstrong>: SMTP credentials in wp-config.php option\u003Cbr \u002F>\n* \u003Cstrong>XML-RPC Disable\u003C\u002Fstrong>: Block brute force attacks via XML-RPC interface\u003Cbr \u002F>\n* \u003Cstrong>Application Passwords Control\u003C\u002Fstrong>: Disable programmatic authentication when not needed\u003Cbr \u002F>\n* \u003Cstrong>User Enumeration Prevention\u003C\u002Fstrong>: Block username discovery 
attacks\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Customization\u003C\u002Fstrong>\u003Cbr \u002F>\n* \u003Cstrong>WYSIWYG Email Editor\u003C\u002Fstrong>: Full HTML support with live preview\u003Cbr \u002F>\n* \u003Cstrong>Advanced Color Controls\u003C\u002Fstrong>: Hex, RGB, HSL color formats\u003Cbr \u002F>\n* \u003Cstrong>Template System\u003C\u002Fstrong>: German, English, and custom templates\u003Cbr \u002F>\n* \u003Cstrong>Branding Options\u003C\u002Fstrong>: Custom sender names and professional styling\u003C\u002Fp>\n\u003Ch4>Installation & Setup\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>Basic Installation\u003C\u002Fstrong>\u003Cbr \u002F>\n1. WordPress Admin \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> Plugins \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> Add New\u003Cbr \u002F>\n2. Search for “Keyless Auth”\u003Cbr \u002F>\n3. Install and activate\u003Cbr \u002F>\n4. Add [keyless-auth] shortcode to any page\u003C\u002Fp>\n\u003Cp>\u003Cstrong>SMTP Configuration (Recommended)\u003C\u002Fstrong>\u003Cbr \u002F>\n1. Navigate to Keyless Auth \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> SMTP\u003Cbr \u002F>\n2. Configure your email provider (Gmail, Outlook, SendGrid, etc.)\u003Cbr \u002F>\n3. Test email delivery\u003Cbr \u002F>\n4. Save settings\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Two-Factor Authentication Setup\u003C\u002Fstrong>\u003Cbr \u002F>\n1. Go to Keyless Auth \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> Options\u003Cbr \u002F>\n2. Enable “Two-Factor Authentication”\u003Cbr \u002F>\n3. Select required user roles\u003Cbr \u002F>\n4. 
Users scan QR code with authenticator app\u003C\u002Fp>\n\u003Ch4>Email Templates\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>Template Options\u003C\u002Fstrong>\u003Cbr \u002F>\n* \u003Cstrong>German Professional\u003C\u002Fstrong>: Sleek German-language template\u003Cbr \u002F>\n* \u003Cstrong>English Simple\u003C\u002Fstrong>: Clean, minimalist design\u003Cbr \u002F>\n* \u003Cstrong>Custom HTML\u003C\u002Fstrong>: Create your own with WYSIWYG editor\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Customization Features\u003C\u002Fstrong>\u003Cbr \u002F>\n* Full HTML and CSS support\u003Cbr \u002F>\n* Color picker for buttons and links\u003Cbr \u002F>\n* Responsive email design\u003Cbr \u002F>\n* Live template preview\u003Cbr \u002F>\n* Placeholder system for dynamic content\u003C\u002Fp>\n\u003Ch4>Security & Compliance\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>Token Security\u003C\u002Fstrong>\u003Cbr \u002F>\n* Generated using WordPress security standards\u003Cbr \u002F>\n* Based on user ID, timestamp, and wp-config.php salt\u003Cbr \u002F>\n* 10-minute expiration with single-use enforcement\u003Cbr \u002F>\n* Secure database storage with automatic cleanup\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Two-Factor Authentication\u003C\u002Fstrong>\u003Cbr \u002F>\n* TOTP-based system compatible with Google Authenticator, Authy\u003Cbr \u002F>\n* Role-based requirements for granular control\u003Cbr \u002F>\n* Grace period system for smooth user transitions\u003Cbr \u002F>\n* Custom verification forms with professional styling\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Database Architecture\u003C\u002Fstrong>\u003Cbr \u002F>\n* Custom tables for optimal performance\u003Cbr \u002F>\n* Comprehensive audit logging\u003Cbr \u002F>\n* Device tracking and IP monitoring\u003Cbr \u002F>\n* Automatic maintenance and cleanup routines\u003C\u002Fp>\n\u003Ch4>Security Hardening\u003C\u002Fh4>\n\u003Cp>Keyless Auth includes comprehensive security hardening features to protect your WordPress site from common attack 
vectors. All features are optional and can be enabled based on your site’s needs.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>XML-RPC Disable\u003C\u002Fstrong>\u003Cbr \u002F>\n* Prevents brute force attacks via WordPress XML-RPC interface\u003Cbr \u002F>\n* Reduces attack surface by disabling legacy API\u003Cbr \u002F>\n* Recommended for sites not using Jetpack, mobile apps, or pingbacks\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Application Passwords Control\u003C\u002Fstrong>\u003Cbr \u002F>\n* Disable REST API and XML-RPC authentication when programmatic access isn’t needed\u003Cbr \u002F>\n* Prevents unauthorized API access\u003Cbr \u002F>\n* Recommended for simple sites without third-party integrations\u003C\u002Fp>\n\u003Cp>\u003Cstrong>User Enumeration Prevention\u003C\u002Fstrong>\u003Cbr \u002F>\n* Blocks REST API user endpoints (\u003Ccode>\u002Fwp-json\u002Fwp\u002Fv2\u002Fusers\u003C\u002Fcode>)\u003Cbr \u002F>\n* Redirects author archives and \u003Ccode>?author=N\u003C\u002Fcode> queries\u003Cbr \u002F>\n* Removes login error messages that reveal usernames\u003Cbr \u002F>\n* Strips comment author CSS classes\u003Cbr \u002F>\n* Removes author data from oEmbed responses\u003Cbr \u002F>\n* Recommended for business\u002Fcorporate sites without author profiles\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Benefits\u003C\u002Fstrong>\u003Cbr \u002F>\n* Combined protection against brute force attacks\u003Cbr \u002F>\n* Prevents username discovery for targeted attacks\u003Cbr \u002F>\n* Reduces unauthorized API access\u003Cbr \u002F>\n* Easy to configure without code or .htaccess modifications\u003Cbr \u002F>\n* All features include comprehensive documentation\u003Cbr \u002F>\n* FTP recovery available if needed\u003C\u002Fp>\n\u003Ch4>SMTP & Email Delivery\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>Supported Providers\u003C\u002Fstrong>\u003Cbr \u002F>\n* Gmail \u002F Google Workspace\u003Cbr \u002F>\n* Outlook \u002F Microsoft 365\u003Cbr \u002F>\n* Mailgun, SendGrid, Amazon SES\u003Cbr 
\u002F>\n* Any SMTP-compatible service\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Advanced Email Features\u003C\u002Fstrong>\u003Cbr \u002F>\n* Message-ID domain alignment for deliverability\u003Cbr \u002F>\n* SPF\u002FDKIM\u002FDMARC compliance\u003Cbr \u002F>\n* Custom sender names and addresses\u003Cbr \u002F>\n* Bulk email log management\u003Cbr \u002F>\n* Delivery status tracking\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Secure Credential Storage\u003C\u002Fstrong>\u003Cbr \u002F>\nStore SMTP credentials securely in wp-config.php:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('CHRMRTNS_KLA_SMTP_USERNAME', 'your-email@example.com');\ndefine('CHRMRTNS_KLA_SMTP_PASSWORD', 'your-smtp-password');\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>WordPress Integration\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>Login Page Integration\u003C\u002Fstrong>\u003Cbr \u002F>\n* Optional magic login field on wp-login.php\u003Cbr \u002F>\n* Seamless integration with existing login flow\u003Cbr \u002F>\n* Toggle control for easy enable\u002Fdisable\u003Cbr \u002F>\n* Clean, responsive form styling\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Shortcode Usage\u003C\u002Fstrong>\u003Cbr \u002F>\nUse \u003Ccode>[keyless-auth]\u003C\u002Fcode> anywhere: pages, posts, widgets, or custom templates.\u003C\u002Fp>\n\u003Ch4>Developer Features\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>Hooks & Filters\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Customize login redirect:\u003Cbr \u002F>\n    add_filter(‘wpa_after_login_redirect’, ‘custom_redirect_function’);\u003C\u002Fp>\n\u003Cp>Modify email headers:\u003Cbr \u002F>\n    add_filter(‘wpa_email_headers’, ‘custom_email_headers’);\u003C\u002Fp>\n\u003Cp>Change token expiration:\u003Cbr \u002F>\n    add_filter(‘wpa_change_link_expiration’, ‘custom_expiration_time’);\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Modular Architecture\u003C\u002Fstrong>\u003Cbr \u002F>\n* Clean, organized class structure\u003Cbr \u002F>\n* Separated concerns for easy maintenance\u003Cbr \u002F>\n* WordPress 
coding standards compliance\u003Cbr \u002F>\n* Extensive documentation and comments\u003C\u002Fp>\n\u003Ch4>Requirements\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>WordPress\u003C\u002Fstrong>: 3.9 or higher (tested up to 6.8)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>PHP\u003C\u002Fstrong>: 7.4 or higher\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Email Delivery\u003C\u002Fstrong>: SMTP recommended for reliability\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Note\u003C\u002Fstrong>: Keyless Auth complements WordPress’s default login system – it doesn’t replace it.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Developed by Chris Martens | Based on the original Passwordless Login plugin by Cozmoslabs\u003C\u002Fstrong>\u003C\u002Fp>\n","Secure, passwordless authentication for WordPress. Your users login via magic email links – no passwords to remember or forget.",30,1287,"2025-11-24T22:55:00.000Z","6.8.5","3.9","",[18,19,21,87,88],"secure-login","smtp","https:\u002F\u002Fgithub.com\u002Fchrmrtns\u002Fkeyless-auth","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fkeyless-auth.3.2.4.zip",100,{"slug":93,"name":94,"version":64,"author":95,"author_profile":96,"description":97,"short_description":98,"active_installs":99,"downloaded":100,"rating":11,"num_ratings":11,"last_updated":101,"tested_up_to":102,"requires_at_least":103,"requires_php":85,"tags":104,"homepage":106,"download_link":107,"security_score":57,"vuln_count":11,"unpatched_count":11,"last_vuln_date":36,"fetched_at":71},"passwordless-entry","Passwordless Entry","JohnoTheCoder","https:\u002F\u002Fprofiles.wordpress.org\u002Fjohnothecoder\u002F","\u003Cp>WordPress Passwordless Entry is a plugin which allows users to authenticate into a WordPress installation against an existing account, without knowledge of the password for that account.\u003C\u002Fp>\n\u003Cp>This is done by sending a single time authentication code to the email address for that user.\u003C\u002Fp>\n\u003Cp>The reason I have developed this 
plugin is that I manage many WordPress installations, and some are within directories of a domain (meaning multiple sets of user credentials for the same domain, breaking most browser password memory functionalities).\u003C\u002Fp>\n\u003Cp>When users forget their passwords, or are using very secure passwords across multiple devices, the easiest way back into their account is to request a password reset, follow the link in their email, set a new password, and then log in using that password. Repeating this process again every time they wish to authenticate.\u003C\u002Fp>\n\u003Cp>If, like me, you use secure passwords generated by Safari or Chrome, you’ll never remember them. To shorten this workflow, an email is sent to your account (if an account is found by the specified email) with a link to log in, this link is only valid for one time use, and is only valid for 5 minutes. The code in the URL is generated by WP password generation.\u003C\u002Fp>\n\u003Cp>Please note, that for all intents and purposes this does not conform to the specification of multi-factor authentication, as we do not verify the password of the user (this would defeat the point of the plugin), instead for two factor authentication we suggest using WordFence (we’d advise putting this on your site anyway, to protect security and authentication).\u003C\u002Fp>\n","WordPress Passwordless Entry is a plugin which allows users to authenticate into a WordPress installation against an existing account, without knowled 
&hellip;",10,1735,"2021-05-01T10:24:00.000Z","5.7.15","5.7.0",[105],"authentication-passwordless-administration-admin-2fa","https:\u002F\u002Fjtclabs.com\u002Fwp-passwordless-entry","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpasswordless-entry.1.0.0.zip",{"slug":109,"name":110,"version":111,"author":112,"author_profile":113,"description":114,"short_description":115,"active_installs":11,"downloaded":116,"rating":11,"num_ratings":11,"last_updated":117,"tested_up_to":83,"requires_at_least":118,"requires_php":119,"tags":120,"homepage":123,"download_link":124,"security_score":91,"vuln_count":11,"unpatched_count":11,"last_vuln_date":36,"fetched_at":71},"dolutech-passwordless-login","Dolutech Passwordless Login","1.1.0","Lucas Catão Moraes","https:\u002F\u002Fprofiles.wordpress.org\u002Fdolutech\u002F","\u003Cp>Este plugin substitui o formulário de login padrão do WordPress por um sistema de autenticação sem senha mais seguro.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Recursos principais:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Login sem senha via link seguro enviado por e-mail\u003Cbr \u002F>\n* Autenticação de dois fatores (2FA) via TOTP (Google Authenticator, Authy, etc.)\u003Cbr \u002F>\n* Códigos de backup para recuperação de acesso\u003Cbr \u002F>\n* Verificação de IP para segurança adicional\u003Cbr \u002F>\n* Rate limiting para prevenir ataques de força bruta\u003Cbr \u002F>\n* Painel de configurações completo no wp-admin\u003Cbr \u002F>\n* Opção de tornar 2FA obrigatório para perfis específicos\u003C\u002Fp>\n\u003Cp>O link de login expira imediatamente após o primeiro uso ou após o tempo configurado (padrão 15 minutos). 
A autenticação só é permitida pelo mesmo IP que solicitou o login.\u003C\u002Fp>\n","Permite login seguro sem senha com tecnologia passwordless e autenticação de dois fatores (2FA) via TOTP.",423,"2025-09-02T19:34:00.000Z","6.5","8.2",[18,19,121,21,122],"login","security","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fdolutech-passwordless-login\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdolutech-passwordless-login.1.1.0.zip",{"slug":126,"name":127,"version":128,"author":129,"author_profile":130,"description":131,"short_description":132,"active_installs":133,"downloaded":134,"rating":135,"num_ratings":136,"last_updated":137,"tested_up_to":138,"requires_at_least":139,"requires_php":140,"tags":141,"homepage":144,"download_link":145,"security_score":91,"vuln_count":11,"unpatched_count":11,"last_vuln_date":36,"fetched_at":71},"two-factor","Two Factor","0.16.0","WordPress.org","https:\u002F\u002Fprofiles.wordpress.org\u002Fwordpressdotorg\u002F","\u003Cp>The Two-Factor plugin adds an extra layer of security to your WordPress login by requiring users to provide a second form of authentication in addition to their password.  
This helps protect against unauthorized access even if passwords are compromised.\u003C\u002Fp>\n\u003Ch3>Setup Instructions\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Important\u003C\u002Fstrong>: Each user must individually configure their two-factor authentication settings.\u003C\u002Fp>\n\u003Ch3>For Individual Users\u003C\u002Fh3>\n\u003Col>\n\u003Cli>\u003Cstrong>Navigate to your profile\u003C\u002Fstrong>: Go to “Users” \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> “Your Profile” in the WordPress admin\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Find Two-Factor Options\u003C\u002Fstrong>: Scroll down to the “Two-Factor Options” section\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Choose your methods\u003C\u002Fstrong>: Enable one or more authentication providers (noting a site admin may have hidden one or more so what is available could vary):\n\u003Cul>\n\u003Cli>\u003Cstrong>Authenticator App (TOTP)\u003C\u002Fstrong> – Use apps like Google Authenticator, Authy, or 1Password\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Email Codes\u003C\u002Fstrong> – Receive one-time codes via email\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Backup Codes\u003C\u002Fstrong> – Generate one-time backup codes for emergencies\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Dummy Method\u003C\u002Fstrong> – For testing purposes only (requires WP_DEBUG)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Configure each method\u003C\u002Fstrong>: Follow the setup instructions for each enabled provider\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Set primary method\u003C\u002Fstrong>: Choose which method to use as your default authentication\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Save changes\u003C\u002Fstrong>: Click “Update Profile” to save your settings\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch3>For Site Administrators\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Plugin settings\u003C\u002Fstrong>: The plugin provides a settings page under “Settings \u003Cspan 
aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> Two-Factor” to configure which providers should be disabled site-wide.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>User management\u003C\u002Fstrong>: Administrators can configure 2FA for other users by editing their profiles\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Security recommendations\u003C\u002Fstrong>: Encourage users to enable backup methods to prevent account lockouts\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Available Authentication Methods\u003C\u002Fh3>\n\u003Ch3>Authenticator App (TOTP) – Recommended\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Security\u003C\u002Fstrong>: High – Time-based one-time passwords\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Setup\u003C\u002Fstrong>: Scan QR code with authenticator app\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Compatibility\u003C\u002Fstrong>: Works with Google Authenticator, Authy, 1Password, and other TOTP apps\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Best for\u003C\u002Fstrong>: Most users, provides excellent security with good usability\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Backup Codes – Recommended\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Security\u003C\u002Fstrong>: Medium – One-time use codes\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Setup\u003C\u002Fstrong>: Generate 10 backup codes for emergency access\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Compatibility\u003C\u002Fstrong>: Works everywhere, no special hardware needed\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Best for\u003C\u002Fstrong>: Emergency access when other methods are unavailable\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Email Codes\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Security\u003C\u002Fstrong>: Medium – One-time codes sent via email\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Setup\u003C\u002Fstrong>: Automatic – uses your WordPress email address\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Compatibility\u003C\u002Fstrong>: Works with any email-capable 
device\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Best for\u003C\u002Fstrong>: Users who prefer email-based authentication\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>FIDO U2F Security Keys\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Deprecated and removed due to loss of browser support.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Dummy Method\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Security\u003C\u002Fstrong>: None – Always succeeds\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Setup\u003C\u002Fstrong>: Only available when WP_DEBUG is enabled\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Purpose\u003C\u002Fstrong>: Testing and development only\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Best for\u003C\u002Fstrong>: Developers testing the plugin\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Important Notes\u003C\u002Fh3>\n\u003Ch3>HTTPS Requirement\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>All methods work on both HTTP and HTTPS sites\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Browser Compatibility\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>TOTP and email methods work on all devices and browsers\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Account Recovery\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Always enable backup codes to prevent being locked out of your account\u003C\u002Fli>\n\u003Cli>If you lose access to all authentication methods, contact your site administrator\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Security Best Practices\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Use multiple authentication methods when possible\u003C\u002Fli>\n\u003Cli>Keep backup codes in a secure location\u003C\u002Fli>\n\u003Cli>Regularly review and update your authentication settings\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>For more information about two-factor authentication in WordPress, see the \u003Ca href=\"https:\u002F\u002Fdeveloper.wordpress.org\u002Fadvanced-administration\u002Fsecurity\u002Fmfa\u002F\" rel=\"nofollow ugc\">WordPress Advanced Administration Security Guide\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>For more history, see 
\u003Ca href=\"https:\u002F\u002Fgeorgestephanis.wordpress.com\u002F2013\u002F08\u002F14\u002Ftwo-cents-on-two-factor\u002F\" rel=\"nofollow ugc\">this post\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch4>Actions & Filters\u003C\u002Fh4>\n\u003Cp>Here is a list of action and filter hooks provided by the plugin:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ccode>two_factor_providers\u003C\u002Fcode> filter overrides the available two-factor providers such as email and time-based one-time passwords. Array values are PHP classnames of the two-factor providers.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_providers_for_user\u003C\u002Fcode> filter overrides the available two-factor providers for a specific user. Array values are instances of provider classes and the user object \u003Ccode>WP_User\u003C\u002Fcode> is available as the second argument.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_enabled_providers_for_user\u003C\u002Fcode> filter overrides the list of two-factor providers enabled for a user. First argument is an array of enabled provider classnames as values, the second argument is the user ID.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_user_authenticated\u003C\u002Fcode> action which receives the logged in \u003Ccode>WP_User\u003C\u002Fcode> object as the first argument for determining the logged in user right after the authentication workflow.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_user_api_login_enable\u003C\u002Fcode> filter restricts authentication for REST API and XML-RPC to application passwords only. Provides the user ID as the second argument.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_email_token_ttl\u003C\u002Fcode> filter overrides the time interval in seconds that an email token is considered valid after generation. 
Accepts the time in seconds as the first argument and the ID of the \u003Ccode>WP_User\u003C\u002Fcode> object being authenticated.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_email_token_length\u003C\u002Fcode> filter overrides the default 8 character count for email tokens.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_backup_code_length\u003C\u002Fcode> filter overrides the default 8 character count for backup codes. Provides the \u003Ccode>WP_User\u003C\u002Fcode> of the associated user as the second argument.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_rest_api_can_edit_user\u003C\u002Fcode> filter overrides whether a user’s Two-Factor settings can be edited via the REST API. First argument is the current \u003Ccode>$can_edit\u003C\u002Fcode> boolean, the second argument is the user ID.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_before_authentication_prompt\u003C\u002Fcode> action which receives the provider object and fires prior to the prompt shown on the authentication input form.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_after_authentication_prompt\u003C\u002Fcode> action which receives the provider object and fires after the prompt shown on the authentication input form.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_after_authentication_input\u003C\u002Fcode> action which receives the provider object and fires after the input shown on the authentication input form (if form contains no input, action fires immediately after \u003Ccode>two_factor_after_authentication_prompt\u003C\u002Fcode>).\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_login_backup_links\u003C\u002Fcode> filters the backup links displayed on the two-factor login form.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Redirect After the Two-Factor Challenge\u003C\u002Fh3>\n\u003Cp>To redirect users to a specific URL after completing the two-factor challenge, use WordPress Core built-in login_redirect filter. 
The filter works the same way as in a standard WordPress login flow:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>add_filter( 'login_redirect', function( $redirect_to, $requested_redirect_to, $user ) {\n    return home_url( '\u002Fdashboard\u002F' );\n}, 10, 3 );\n\u003C\u002Fcode>\u003C\u002Fpre>\n","Enable Two-Factor Authentication (2FA) using time-based one-time passwords (TOTP), email, and backup verification codes.",100000,1606507,96,202,"2026-03-27T17:24:00.000Z","6.9.4","6.8","7.2",[18,19,142,122,143],"mfa","totp","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Ftwo-factor\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftwo-factor.0.16.0.zip",{"attackSurface":147,"codeSignals":184,"taintFlows":195,"riskAssessment":196,"analyzedAt":208},{"hooks":148,"ajaxHandlers":172,"restRoutes":173,"shortcodes":181,"cronEvents":182,"entryPointCount":183,"unprotectedCount":183},[149,155,159,162,167],{"type":150,"name":151,"callback":152,"file":153,"line":154},"action","admin_menu","cyberus_key_create_plugin_settings_page","inc\u002Fcyberkey-class.php",7,{"type":150,"name":156,"callback":157,"file":153,"line":158},"admin_init","cyberus_key_setup_sections",8,{"type":150,"name":156,"callback":160,"file":153,"line":161},"cyberus_key_setup_fields",9,{"type":150,"name":163,"callback":164,"file":165,"line":166},"rest_api_init","closure","inc\u002Fcyberkey-login.php",11,{"type":150,"name":168,"callback":169,"file":170,"line":171},"login_enqueue_scripts","cyberus_key_login_add_scripts","inc\u002Fcyberkey-scripts.php",43,[],[174],{"namespace":175,"route":176,"methods":177,"callback":179,"permissionCallback":36,"file":165,"line":180},"api","\u002Flogin\u002F",[178],"GET","cyberus_key_login_callback",12,[],[],1,{"dangerousFunctions":185,"sqlUsage":186,"outputEscaping":188,"fileOperations":11,"externalRequests":183,"nonceChecks":11,"capabilityChecks":11,"bundledLibraries":194},[],{"prepared":11,"raw":11,"locations":187},[],{"escaped":189,"rawEcho":183,"locations":190},6,[191]
,{"file":153,"line":192,"context":193},48,"raw output",[],[],{"summary":197,"deductions":198},"The \"cyberus-key\" plugin v1.1 presents a mixed security posture.  While it demonstrates good practices in its use of prepared statements for SQL queries and a high percentage of properly escaped output, significant concerns arise from its attack surface and lack of robust security checks.  The presence of one unprotected REST API route is a critical vulnerability, providing an easily exploitable entry point for attackers.  Because the route in question is the plugin's login endpoint, which has to be reachable before authentication, the missing permission callback should be confirmed as a real exposure by reviewing how the callback validates the requests it receives.  Furthermore, the complete absence of nonce and capability checks across all entry points is alarming, suggesting a broad susceptibility to various attack vectors such as Cross-Site Request Forgery (CSRF) and unauthorized privilege escalation.  The plugin's history of two medium-severity Cross-Site Scripting (XSS) vulnerabilities, with the last one occurring in March 2023, indicates a recurring pattern of input sanitization issues. Although there are no currently unpatched CVEs, this history, coupled with the identified code weaknesses, points to a plugin that requires immediate attention to secure its exposed functionalities.",[199,201,203,205],{"reason":200,"points":99},"Unprotected REST API route",{"reason":202,"points":99},"No nonce checks on entry points",{"reason":204,"points":99},"No capability checks on entry points",{"reason":206,"points":207},"History of XSS 
vulnerabilities",5,"2026-04-16T13:13:28.877Z",{"wat":210,"direct":218},{"assetPaths":211,"generatorPatterns":215,"scriptPaths":216,"versionParams":217},[212,213,214],"\u002Fwp-content\u002Fplugins\u002Fcyberus-key\u002Fjs\u002Fcyberuskey.min.js","\u002Fwp-content\u002Fplugins\u002Fcyberus-key\u002Fjs\u002Fintegration.js","\u002Fwp-content\u002Fplugins\u002Fcyberus-key\u002Fcss\u002Fstyle.css",[],[212,213],[],{"cssClasses":219,"htmlComments":220,"htmlAttributes":221,"restEndpoints":222,"jsGlobals":224,"shortcodeOutput":226},[],[],[],[223],"\u002Fwp-json\u002Fapi\u002Flogin\u002F",[225],"cyberkey_ajax_object",[],{"error":228,"url":229,"statusCode":230,"statusMessage":231,"message":231},true,"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Fcyberus-key\u002Fbundle",404,"no bundle for this plugin yet",{"slug":4,"current_version":6,"total_versions":26,"versions":233},[234,239],{"version":6,"download_url":24,"svn_tag_url":235,"released_at":36,"has_diff":47,"diff_files_changed":236,"diff_lines":36,"trac_diff_url":237,"vulnerabilities":238,"is_current":228},"https:\u002F\u002Fplugins.svn.wordpress.org\u002Fcyberus-key\u002Ftags\u002F1.1\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fcyberus-key%2Ftags%2F1.0&new_path=%2Fcyberus-key%2Ftags%2F1.1",[],{"version":64,"download_url":240,"svn_tag_url":241,"released_at":36,"has_diff":47,"diff_files_changed":242,"diff_lines":36,"trac_diff_url":36,"vulnerabilities":243,"is_current":47},"https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcyberus-key.1.0.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fcyberus-key\u002Ftags\u002F1.0\u002F",[],[244,245],{"id":32,"url_slug":33,"title":34,"severity":38,"cvss_score":39,"vuln_type":41,"patched_in_version":6},{"id":49,"url_slug":50,"title":51,"severity":38,"cvss_score":39,"vuln_type":41,"patched_in_version":6}]