FluentAuth – The Ultimate Authorization & Security Plugin for WordPress Security & Risk Analysis

wordpress.org/plugins/fluent-security

Enhance the Security and User Experience of Your Site with Login/Signup Security, Two-Factor Email Authentication, Social Logins and more...

10K active installs v2.1.1 PHP 7.3+ WP 5.0+ Updated Dec 3, 2025
login-limit, login-logs, login-redirects, social-logins, xml-rpc
98
A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Dec 15, 2025
Safety Verdict

Is FluentAuth – The Ultimate Authorization & Security Plugin for WordPress Safe to Use in 2026?

Generally Safe

Score 98/100

FluentAuth – The Ultimate Authorization & Security Plugin for WordPress has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Dec 15, 2025 · Updated 4mo ago
Risk Assessment

The "fluent-security" v2.1.1 plugin exhibits a mixed security posture. While it demonstrates good practices with a high percentage of prepared SQL statements and properly escaped output, significant concerns arise from its attack surface and vulnerability history. The presence of 4 AJAX handlers without authentication checks presents a considerable risk, as these could be exploited by unauthenticated users to perform unintended actions or expose sensitive information. The taint analysis, although showing no critical or high severity flows, did reveal 6 flows with unsanitized paths, indicating potential, albeit low-severity, vulnerabilities if not properly handled downstream. The plugin's vulnerability history shows 2 medium-severity CVEs, which, while currently patched, suggest a past susceptibility to certain types of attacks. The last vulnerability being in late 2025 is unusual and might indicate a data anomaly, but the pattern of medium severity issues warrants attention for future development. The plugin's strengths lie in its code hygiene regarding SQL and output, but the unprotected AJAX endpoints are a critical oversight that needs immediate remediation.

Key Concerns

  • Unprotected AJAX handlers
  • Flows with unsanitized paths detected
  • Medium severity CVEs in history
Vulnerabilities
2

FluentAuth – The Ultimate Authorization & Security Plugin for WordPress Security Vulnerabilities

CVEs by Year

2022: 1 CVE
2025: 1 CVE

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2025-13728 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

FluentAuth - Auth Security Plugin <= 2.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'fluent_auth_reset_password' Shortcode

Dec 15, 2025 Patched in 2.1.0 (1d)
CVE-2022-4746 · medium · 6.5 · Use of Less Trusted Source

FluentAuth <= 1.0.1 - IP Spoofing to Protection Mechanism Bypass

Dec 27, 2022 Patched in 1.0.2 (392d)
Code Analysis
Analyzed Mar 16, 2026

FluentAuth – The Ultimate Authorization & Security Plugin for WordPress Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 6 (30 prepared)
Unescaped Output: 6 (204 escaped)
Nonce Checks: 4
Capability Checks: 7
File Operations: 1
External Requests: 11
Bundled Libraries: 0

SQL Query Safety

83% prepared · 36 total queries

Output Escaping

97% escaped · 210 total outputs
Data Flows
6 unsanitized

Data Flow Analysis

8 flows · 6 with unsanitized paths
handleSignupAjax (app\Hooks\Handlers\CustomAuthHandler.php:780)
Attack Surface
4 unprotected

FluentAuth – The Ultimate Authorization & Security Plugin for WordPress Attack Surface

Entry Points: 15
Unprotected: 4

AJAX Handlers 8

nopriv wp_ajax_fluent_auth_login app\Hooks\Handlers\CustomAuthHandler.php:28
nopriv wp_ajax_fluent_auth_signup app\Hooks\Handlers\CustomAuthHandler.php:29
nopriv wp_ajax_fluent_auth_rp app\Hooks\Handlers\CustomAuthHandler.php:30
auth wp_ajax_fluent_security_google_one_tap_login app\Hooks\Handlers\GoogleOneTapAuthHandler.php:61
nopriv wp_ajax_fluent_security_google_one_tap_login app\Hooks\Handlers\GoogleOneTapAuthHandler.php:62
nopriv wp_ajax_fls_magic_send_magic_email app\Hooks\Handlers\MagicLoginHandler.php:18
nopriv wp_ajax_fluent_auth_2fa_email app\Hooks\Handlers\TwoFaHandler.php:16
auth wp_ajax_fluent_auth_2fa_email app\Hooks\Handlers\TwoFaHandler.php:17

Shortcodes 7

[fluent_auth_login] app\Hooks\Handlers\CustomAuthHandler.php:16
[fluent_auth_signup] app\Hooks\Handlers\CustomAuthHandler.php:17
[fluent_auth] app\Hooks\Handlers\CustomAuthHandler.php:18
[fluent_auth_reset_password] app\Hooks\Handlers\CustomAuthHandler.php:19
[fluent_auth_magic_login] app\Hooks\Handlers\CustomAuthHandler.php:20
[fluent_auth_google_one_tap] app\Hooks\Handlers\GoogleOneTapAuthHandler.php:42
[fs_auth_buttons] app\Hooks\Handlers\SocialAuthHandler.php:22
WordPress Hooks 71
action admin_menu app\Hooks\Handlers\AdminMenuHandler.php:12
filter admin_footer_text app\Hooks\Handlers\AdminMenuHandler.php:106
filter user_can_richedit app\Hooks\Handlers\AdminMenuHandler.php:114
filter wp_is_application_passwords_available app\Hooks\Handlers\BasicTasksHandler.php:13
filter xmlrpc_enabled app\Hooks\Handlers\BasicTasksHandler.php:16
filter rest_user_query app\Hooks\Handlers\BasicTasksHandler.php:19
filter rest_user_query app\Hooks\Handlers\BasicTasksHandler.php:22
filter rest_prepare_user app\Hooks\Handlers\BasicTasksHandler.php:23
action admin_notices app\Hooks\Handlers\BasicTasksHandler.php:25
action fluent_auth_daily_tasks app\Hooks\Handlers\BasicTasksHandler.php:30
filter show_admin_bar app\Hooks\Handlers\BasicTasksHandler.php:38
action admin_init app\Hooks\Handlers\BasicTasksHandler.php:69
action fluent_auth_hourly_tasks app\Hooks\Handlers\BasicTasksHandler.php:91
filter login_redirect app\Hooks\Handlers\CustomAuthHandler.php:25
filter logout_redirect app\Hooks\Handlers\CustomAuthHandler.php:26
action fls_load_login_helper app\Hooks\Handlers\CustomAuthHandler.php:31
filter fluent_auth/social_redirect_to app\Hooks\Handlers\CustomAuthHandler.php:114
action fluent_auth/init_google_popup_auth app\Hooks\Handlers\GoogleOneTapAuthHandler.php:15
action fluent_auth/social/rendering_button_google app\Hooks\Handlers\GoogleOneTapAuthHandler.php:17
filter fluent_auth/is_google_one_tap_enabled app\Hooks\Handlers\GoogleOneTapAuthHandler.php:27
action login_enqueue_scripts app\Hooks\Handlers\GoogleOneTapAuthHandler.php:31
action wp_enqueue_scripts app\Hooks\Handlers\GoogleOneTapAuthHandler.php:191
action login_head app\Hooks\Handlers\LoginCustomizerHandler.php:14
action register_form app\Hooks\Handlers\LoginCustomizerHandler.php:35
filter registration_errors app\Hooks\Handlers\LoginCustomizerHandler.php:42
action register_post app\Hooks\Handlers\LoginCustomizerHandler.php:43
action login_init app\Hooks\Handlers\LoginCustomizerHandler.php:45
action login_enqueue_scripts app\Hooks\Handlers\LoginCustomizerHandler.php:101
action login_header app\Hooks\Handlers\LoginCustomizerHandler.php:133
action login_footer app\Hooks\Handlers\LoginCustomizerHandler.php:148
action register_form app\Hooks\Handlers\LoginCustomizerHandler.php:256
action login_body_class app\Hooks\Handlers\LoginCustomizerHandler.php:260
filter authenticate app\Hooks\Handlers\LoginSecurityHandler.php:14
filter lostpassword_errors app\Hooks\Handlers\LoginSecurityHandler.php:15
action wp_login_failed app\Hooks\Handlers\LoginSecurityHandler.php:16
action wp_login app\Hooks\Handlers\LoginSecurityHandler.php:17
action login_form app\Hooks\Handlers\MagicLoginHandler.php:16
action login_enqueue_scripts app\Hooks\Handlers\MagicLoginHandler.php:17
action init app\Hooks\Handlers\MagicLoginHandler.php:20
filter login_form_bottom app\Hooks\Handlers\MagicLoginHandler.php:39
filter fluent_auth/login_token_by_user_id app\Hooks\Handlers\MagicLoginHandler.php:44
filter fluent_auth/login_token_by_user_email app\Hooks\Handlers\MagicLoginHandler.php:58
filter authenticate app\Hooks\Handlers\MagicLoginHandler.php:452
filter fluent_security/app_vars app\Hooks\Handlers\ServerModeHandler.php:16
filter fluent_auth/validated_redirect app\Hooks\Handlers\ServerModeHandler.php:21
action init app\Hooks\Handlers\ServerModeHandler.php:46
filter login_redirect app\Hooks\Handlers\ServerModeHandler.php:48
action login_init app\Hooks\Handlers\SocialAuthHandler.php:19
action login_form app\Hooks\Handlers\SocialAuthHandler.php:20
action register_form app\Hooks\Handlers\SocialAuthHandler.php:21
filter login_form_bottom app\Hooks\Handlers\SocialAuthHandler.php:24
filter fluent_support/before_registration_form_close app\Hooks\Handlers\SocialAuthHandler.php:26
filter fluent_auth/after_registration_form_close app\Hooks\Handlers\SocialAuthHandler.php:27
filter wp_login_errors app\Hooks\Handlers\SocialAuthHandler.php:100
filter wp_login_errors app\Hooks\Handlers\SocialAuthHandler.php:122
filter wp_login_errors app\Hooks\Handlers\SocialAuthHandler.php:143
action fluent_auth/login_attempts_checked app\Hooks\Handlers\TwoFaHandler.php:14
action login_form_fls_2fa_email app\Hooks\Handlers\TwoFaHandler.php:15
filter authenticate app\Hooks\Handlers\TwoFaHandler.php:207
filter fluent_auth/parse_smartcode app\Hooks\Handlers\WPSystemEmailHandler.php:18
filter wp_new_user_notification_email app\Hooks\Handlers\WPSystemEmailHandler.php:22
filter retrieve_password_notification_email app\Hooks\Handlers\WPSystemEmailHandler.php:23
filter new_user_email_content app\Hooks\Handlers\WPSystemEmailHandler.php:24
filter email_change_email app\Hooks\Handlers\WPSystemEmailHandler.php:26
filter wp_new_user_notification_email_admin app\Hooks\Handlers\WPSystemEmailHandler.php:28
action fluent_auth/after_creating_user app\Hooks\Handlers\WPSystemEmailHandler.php:30
filter wp_send_new_user_notification_to_user app\Hooks\Handlers\WPSystemEmailHandler.php:37
filter wp_send_new_user_notification_to_admin app\Hooks\Handlers\WPSystemEmailHandler.php:51
filter wp_mail app\Hooks\Handlers\WPSystemEmailHandler.php:142
filter wp_send_new_user_notification_to_user app\Hooks\Handlers\WPSystemEmailHandler.php:218
action rest_api_init fluent-security.php:75

Scheduled Events 4

fluent_auth_daily_tasks
fluent_auth_hourly_tasks
fluent_auth_daily_tasks
fluent_auth_hourly_tasks
Maintenance & Trust

FluentAuth – The Ultimate Authorization & Security Plugin for WordPress Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 3, 2025
PHP min version: 7.3
Downloads: 93K

Community Trust

Rating: 80/100
Number of ratings: 28
Active installs: 10K
Developer Profile

FluentAuth – The Ultimate Authorization & Security Plugin for WordPress Developer Profile

Shahjahan Jewel

17 plugins · 1.3M total installs

Trust score: 73
Avg Security Score: 92/100
Avg Patch Time: 113 days
Detection Fingerprints

How We Detect FluentAuth – The Ultimate Authorization & Security Plugin for WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/fluent-security/dist/admin/app.js
/wp-content/plugins/fluent-security/dist/libs/diff.js
Script Paths
/wp-content/plugins/fluent-security/dist/admin/app.js
/wp-content/plugins/fluent-security/dist/libs/diff.js
Version Parameters
fluent-security/dist/admin/app.js?ver=
fluent-security/dist/libs/diff.js?ver=

HTML / DOM Fingerprints

CSS Classes
fluent_auth_admin_app
Data Attributes
data-nonce="wp_rest"
data-namespace="fluent-auth"
data-version="1"
JS Globals
fluentAuthAdmin
REST Endpoints
/wp-json/fluent-auth
FAQ

Frequently Asked Questions about FluentAuth – The Ultimate Authorization & Security Plugin for WordPress