[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fU_sL8gVyAWdCTtfC4zFpceSTuR-_DBdR0dTiQCpy5g4":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":25,"download_link":26,"security_score":27,"vuln_count":28,"unpatched_count":29,"last_vuln_date":30,"fetched_at":31,"vulnerabilities":32,"developer":64,"crawl_stats":38,"alternatives":72,"analysis":187,"fingerprints":651},"fluent-security","FluentAuth – The Ultimate Authorization & Security Plugin for WordPress","2.1.1","Shahjahan Jewel","https:\u002F\u002Fprofiles.wordpress.org\u002Ftechjewel\u002F","\u003Cp>Boost Your Website’s Security with Login\u002FSignup Security, Two-Factor Email Authentication, Login\u002FLogout Redirects, Social Logins, Detailed Audit Logs, and More. FluentAuth is the lightest and blazing fast security plugin for WordPress.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Highlighted Features\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Two-Factor Authentication for Login\u003C\u002Fli>\n\u003Cli>Magic Login via Email\u003C\u002Fli>\n\u003Cli>Social Login \u002F Register\u003C\u002Fli>\n\u003Cli>Limit Login Attempts\u003C\u002Fli>\n\u003Cli>Dynamic Login Redirects\u003C\u002Fli>\n\u003Cli>Detailed Audit Logs\u003C\u002Fli>\n\u003Cli>Core Security Enhancement\u003C\u002Fli>\n\u003Cli>Security Email Notifications\u003C\u002Fli>\n\u003Cli>Super Fast Solution\u003C\u002Fli>\n\u003Cli>Restrict \u002Fwp-admin for low level user roles\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>What’s new in version 2.0\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" 
src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FP_vREW7s2B4?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\n\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002F5t_8rvtrkk4?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\n\u003Cp>\u003Cstrong>🚀 Two-Factor Authentication for Login\u003C\u002Fstrong>\u003Cbr \u002F>\nEnsure secure access to your admin panel with Two-Factor Login via email for high-level user roles like Administrator \u002F Editor. Even if a password gets compromised, only the right person will be able to log in with the additional authentication step.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>🚀 Magic Login via Email\u003C\u002Fstrong>\u003Cbr \u002F>\nSimplify the login process for end users like customers and subscribers. No more password resets or forgotten passwords that cause users to leave your site. With our improved flow and features, users can log in to your site simply by typing their username or email address and clicking on a secure one-time use link sent to their email.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>🚀 Social Login \u002F Register\u003C\u002Fstrong>\u003Cbr \u002F>\nAllow users to log in to your site with their GitHub, Facebook or Google accounts. 
This feature is lightweight and easy to enable.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>🚀 Limit Login Attempts\u003C\u002Fstrong>\u003Cbr \u002F>\nProtect your site against brute force attacks by blocking excessive login attempts. Our simple yet powerful tools also improve site security and performance, and allow for customizable lockout timings.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>🚀 Dynamic Login Redirects\u003C\u002Fstrong>\u003Cbr \u002F>\nEasily redirect users to specific pages after they log in or log out. Our drag-and-drop builder lets you customize the login and logout flow for different types of businesses.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>🚀 Detailed Audit Logs\u003C\u002Fstrong>\u003Cbr \u002F>\nTrack exactly when users log in to your site and via which method (normal login form, magic URL, or social media) with our powerful audit logs.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>🚀 Core Security Enhancement\u003C\u002Fstrong>\u003Cbr \u002F>\nXML-RPC is a common target for WordPress attacks, but most sites don’t actually need it. This plugin enables you to disable XML-RPC, Remote Application Login, and protect the wp-users listing for REST API for enhanced security.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>🚀 Security Email Notifications\u003C\u002Fstrong>\u003Cbr \u002F>\nAs a business owner, it’s important to know when high-level users like administrators, editors, and authors log in to your site, or if someone unauthorized is trying to log in. Our plugin includes email notifications to alert you of these events.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>🚀 Super Fast Solution\u003C\u002Fstrong>\u003Cbr \u002F>\nWe’ve built this plugin to be super-fast and simple yet powerful, using the latest technologies like WordPress REST-API, VueJS V3, Vue-Router, and Element-Plus for UI building. 
We also use custom database tables to store audit logs, so they don’t interfere with your default WordPress database tables.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>🚀 Restrict \u002Fwp-admin for low level user roles\u003C\u002Fstrong>\u003Cbr \u002F>\nIf you want to restrict \u002Fwp-admin access for subscribers or other low level user roles then you can easily enable that and select the user roles that you want to restrict \u002Fwp-admin access.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>🚀 Customize WordPress Signup Emails\u003C\u002Fstrong>\u003Cbr \u002F>\nCustomize the WordPress default signup emails with your own branding and content. This feature allows you to create a more personalized experience for your users, enhancing their engagement with your site.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>🚀 Custom Login\u002FSignup Shortcodes\u003C\u002Fstrong>\u003Cbr \u002F>\nCreate custom login and signup forms using shortcodes. This feature allows you to easily integrate login and signup forms into your pages or posts, providing a seamless user experience.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>🚀 Disable Admin Email Notifications on User Signup\u003C\u002Fstrong>\u003Cbr \u002F>\nDisable the default WordPress admin email notifications that are sent when a new user signs up. This feature helps you manage your email notifications more effectively, reducing clutter in your inbox.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>🚀 Scan WordPress Core File Changes\u003C\u002Fstrong>\u003Cbr \u002F>\nFluentAuth includes a feature to scan WordPress core files for changes, helping you identify any unauthorized modifications. This is crucial for maintaining the integrity of your WordPress installation and ensuring that your site remains secure.\u003C\u002Fp>\n\u003Ch3>Why FluentAuth?\u003C\u002Fh3>\n\u003Cp>To improve the security and user experience of a WordPress website, the default authentication system may need to be enhanced with additional plugins. 
One common issue that WordPress site owners face is their site getting hacked. This is often due to hackers using brute-force attacks to guess passwords and gain access to the admin panel, leading to site takeover. Additionally, the use of common passwords on multiple sites can put all of them at risk if one password is compromised.\u003C\u002Fp>\n\u003Cp>Using multiple security plugins can be detrimental to the performance of a WordPress website. These plugins, which are often bloated, intercept every WordPress request and run it through a large number of unnecessary rules, resulting in increased server resource usage and slower site performance. To avoid this issue, consider using a comprehensive security solution that offers multiple features in one package, instead of relying on multiple individual plugins. This will help save server resources and improve the overall performance of your website.\u003C\u002Fp>\n\u003Cp>To solve these issues, we decided to build FluentAuth and made it free.\u003C\u002Fp>\n\u003Ch3>Replace Multiple Plugins with FluentAuth\u003C\u002Fh3>\n\u003Cp>FluentAuth has been designed to provide a lightweight security solution while improving the UX and performance of your site. 
If you use FluentAuth then you don’t need the following plugins\u003C\u002Fp>\n\u003Cp>\u003Cstrong>For Login Limit and ban brute force attacks\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Limit Login Attempts Reloaded\u003C\u002Fli>\n\u003Cli>WPS Limit Login\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>For Login & Logout Redirections\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>LoginWP (Formerly Peter’s Login Redirect)\u003C\u002Fli>\n\u003Cli>Sky Login Redirect\u003C\u002Fli>\n\u003Cli>WP Login and Logout Redirect\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>For Hide Admin Bar and Access Restriction\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Hide Admin Bar\u003C\u002Fli>\n\u003Cli>Hide Admin Bar Based on User Roles\u003C\u002Fli>\n\u003Cli>Auto Hide Admin Bar\u003C\u002Fli>\n\u003Cli>Hide Admin Bar from Non-Admins\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>User Guides\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Ffluentauth.com\u002Fdocs\u002Fgetting-started\u002F\" rel=\"nofollow ugc\">Getting Started with FluentAuth\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Ffluentauth.com\u002Fdocs\u002Flogin-redirects\u002F\" rel=\"nofollow ugc\">Login \u002F Logout Redirects\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Ffluentauth.com\u002Fdocs\u002Fshortcodes\u002F\" rel=\"nofollow ugc\">Register\u002FLogin Shortcodes in FluentAuth\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Ffluentauth.com\u002Fdocs\u002Fgithub-auth-connection\u002F\" rel=\"nofollow ugc\">Configure Login with GitHub\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca 
href=\"https:\u002F\u002Ffluentauth.com\u002Fdocs\u002Fgoogle-auth-connection\u002F\" rel=\"nofollow ugc\">Configure Login with Google\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Other Plugins By The Same Team\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Ffluent-cart\u002F\" rel=\"ugc\">FluentCart A New Era of eCommerce – Faster, Lighter, and Simpler\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Ffluent-crm\u002F\" rel=\"ugc\">FluentCRM – Email Marketing, Newsletter, Email Automation and CRM Plugin for WordPress\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Ffluentform\u002F\" rel=\"ugc\">Fluent Forms – Fastest WordPress Form Builder Plugin\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fninja-tables\u002F\" rel=\"ugc\">Ninja Tables – Best WP DataTables Plugin for WordPress\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fninja-charts\u002F\" rel=\"ugc\">Ninja Charts – Best WP Charts Plugin for WordPress\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwp-payment-form\u002F\" rel=\"ugc\">WPPayForm – Stripe Payments Plugin for WordPress\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fmautic-for-fluent-forms\u002F\" rel=\"ugc\">Mautic Integration For Fluent Forms\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Ffluentforms-pdf\u002F\" rel=\"ugc\">Fluent Forms PDF – PDF Entries for Fluent Forms\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Ffluent-smtp\u002F\" rel=\"ugc\">FluentSMTP – WordPress Mail SMTP, SES, SendGrid, MailGun 
Plugin\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>CONTRIBUTE\u003C\u002Fh3>\n\u003Cp>If you want to contribute to this project or just report a bug, you are more than welcome. Please check repository from \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FWPManageNinja\u002Ffluent-security\u002F\" rel=\"nofollow ugc\">Github\u003C\u002Fa>.\u003C\u002Fp>\n","Enhance the Security and User Experience of Your Site with Login\u002FSignup Security, Two-Factor Email Authentication, Social Logins and more...",10000,92766,80,28,"2025-12-03T12:25:00.000Z","6.9.4","5.0","7.3",[20,21,22,23,24],"login-limit","login-logs","login-redirects","social-logins","xml-rpc","https:\u002F\u002Ffluentauth.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffluent-security.2.1.1.zip",98,2,0,"2025-12-15 02:19:04","2026-03-15T15:16:48.613Z",[33,49],{"id":34,"url_slug":35,"title":36,"description":37,"plugin_slug":4,"theme_slug":38,"affected_versions":39,"patched_in_version":40,"severity":41,"cvss_score":42,"cvss_vector":43,"vuln_type":44,"published_date":30,"updated_date":45,"references":46,"days_to_patch":48},"CVE-2025-13728","fluentauth-auth-security-plugin-authenticated-contributor-stored-cross-site-scripting-via-fluentauthresetpassword-shortc","FluentAuth - Auth Security Plugin \u003C= 2.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'fluent_auth_reset_password' Shortcode","The FluentAuth – The Ultimate Authorization & Security Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `fluent_auth_reset_password` shortcode in all versions up to, and including, 2.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. 
This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",null,"\u003C=2.0.3","2.1.0","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2025-12-15 14:25:12",[47],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa3187d3e-e1da-4af7-a1fa-9657389f9e22?source=api-prod",1,{"id":50,"url_slug":51,"title":52,"description":53,"plugin_slug":4,"theme_slug":38,"affected_versions":54,"patched_in_version":55,"severity":41,"cvss_score":56,"cvss_vector":57,"vuln_type":58,"published_date":59,"updated_date":60,"references":61,"days_to_patch":63},"CVE-2022-4746","fluentauth-ip-spoofing-to-protection-mechanism-bypass","FluentAuth \u003C= 1.0.1 -  IP Spoofing to Protection Mechanism Bypass","The FluentAuth plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 1.0.1. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. 
Attackers can supply the X-Forwarded-For header with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address.","\u003C=1.0.1","1.0.2",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:L\u002FA:N","Use of Less Trusted Source","2022-12-27 00:00:00","2024-01-22 19:56:02",[62],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5b4f563c-a17b-4d69-9e94-7287da976e85?source=api-prod",392,{"slug":65,"display_name":7,"profile_url":8,"plugin_count":66,"total_installs":67,"avg_security_score":68,"avg_patch_time_days":69,"trust_score":70,"computed_at":71},"techjewel",17,1330140,92,113,73,"2026-04-03T23:28:02.856Z",[73,96,117,143,164],{"slug":74,"name":75,"version":76,"author":77,"author_profile":78,"description":79,"short_description":80,"active_installs":81,"downloaded":82,"rating":83,"num_ratings":84,"last_updated":85,"tested_up_to":16,"requires_at_least":17,"requires_php":86,"tags":87,"homepage":93,"download_link":94,"security_score":95,"vuln_count":29,"unpatched_count":29,"last_vuln_date":38,"fetched_at":31},"disable-xml-rpc-api","Disable XML-RPC-API","2.1.7","Amin Nazemi","https:\u002F\u002Fprofiles.wordpress.org\u002Faminnz\u002F","\u003Cp>Protect your website from xmlrpc brute-force attacks, DOS and DDOS attacks, this plugin disables the XML-RPC and trackbacks-pingbacks on your WordPress website.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>PLUGIN FEATURES\u003C\u002Fstrong>\u003Cbr \u002F>\n(These are options you can enable or disable each one)\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Disable access to xmlrpc.php file using .htaccess file \u003C\u002Fli>\n\u003Cli>Automatically change htaccess file permission to read-only (0444)\u003C\u002Fli>\n\u003Cli>Disable X-pingback to minimize CPU usage \u003C\u002Fli>\n\u003Cli>Disable selected methods from XML-RPC\u003C\u002Fli>\n\u003Cli>Remove pingback-ping link from header\u003C\u002Fli>\n\u003Cli>Disable 
trackbacks and pingbacks to avoid spammers and hackers\u003C\u002Fli>\n\u003Cli>Rename XML-RPC slug to whatever you want\u003C\u002Fli>\n\u003Cli>Black list IPs for XML-RPC\u003C\u002Fli>\n\u003Cli>White list IPs for XML-RPC\u003C\u002Fli>\n\u003Cli>Some options to speed-up your wordpress website\u003C\u002Fli>\n\u003Cli>Disable JSON REST API\u003C\u002Fli>\n\u003Cli>Hide WordPress Version\u003C\u002Fli>\n\u003Cli>Disable built-in WordPress file editor\u003C\u002Fli>\n\u003Cli>Disable wlw manifest\u003C\u002Fli>\n\u003Cli>And some other options\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>What is XMLRPC\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>XML-RPC, or XML Remote Procedure Call is a protocol which uses XML to encode its calls and HTTP as a transport mechanism.\u003Cbr \u002F>\nBeginning in WordPress 3.5, XML-RPC is enabled by default. Additionally, the option to disable\u002Fenable XML-RPC was removed. For various reasons, site owners may wish to disable this functionality. This plugin provides an easy way to do so.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Why you should disable XML-RPC\u003C\u002Fstrong>\u003Cbr \u002F>\n\u003Cem>Xmlrpc has two main weaknesses\u003C\u002Fem>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Brute force attacks:\u003Cbr \u002F>\nAttackers try to login to WordPress using xmlrpc.php with as many username\u002Fpassword combinations as they can enter. A method within xmlrpc.php allows the attacker to use a single command (system.multicall) to guess hundreds of passwords. 
Daniel Cid at Sucuri described it well in October 2015: “With only 3 or 4 HTTP requests, the attackers could try thousands of passwords, bypassing security tools that are designed to look and block brute force attempts.”\u003C\u002Fli>\n\u003Cli>Denial of Service Attacks via Pingback:\u003Cbr \u002F>\nBack in 2013, attackers sent Pingback requests through xmlrpc.php of approximately 2500 WordPress sites to “herd (these sites) into a voluntary botnet,” according to Gur Schatz at Incapsula. “This gives any attacker a virtually limitless set of IP addresses to Distribute a Denial of Service attack across a network of over 100 million WordPress sites, without having to compromise them.”\u003C\u002Fli>\n\u003C\u002Ful>\n","A simple and lightweight plugin to disable XML-RPC API, X-Pingback and pingback-ping in WordPress 3.5+ for a faster and more secure website",100000,792973,82,42,"2026-02-04T06:54:00.000Z","",[88,89,90,91,92],"disable-xml-rpc","disable-xmlrpc","pingback","stop-brute-force-attacks","xmlrpc","https:\u002F\u002Fneatma.com\u002Fdsxmlrpc-plugin\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdisable-xml-rpc-api.zip",100,{"slug":97,"name":98,"version":99,"author":100,"author_profile":101,"description":102,"short_description":103,"active_installs":104,"downloaded":105,"rating":106,"num_ratings":107,"last_updated":108,"tested_up_to":109,"requires_at_least":110,"requires_php":111,"tags":112,"homepage":86,"download_link":116,"security_score":95,"vuln_count":29,"unpatched_count":29,"last_vuln_date":38,"fetched_at":31},"disable-xml-rpc-pingback","Disable XML-RPC Pingback","1.2.2","Samuel Aguilera","https:\u002F\u002Fprofiles.wordpress.org\u002Fsamuelaguilera\u002F","\u003Cp>Stops abuse of your site’s XML-RPC by simply removing some methods used by attackers. While you can use the rest of XML-RPC methods.\u003C\u002Fp>\n\u003Cp>This is more friendly than disabling totally XML-RPC, that it’s needed by some plugins and apps (I.e. 
Mobile apps or some Jetpack’s modules).\u003C\u002Fp>\n\u003Cul>\n\u003Cli>The original one.\u003C\u002Fli>\n\u003Cli>Simple and effective.\u003C\u002Fli>\n\u003Cli>No marketing buzz.\u003C\u002Fli>\n\u003Cli>Maintained and \u003Cstrong>updated when needed\u003C\u002Fstrong> since 2014.\u003C\u002Fli>\n\u003Cli>100% compliant with \u003Cstrong>WordPress coding standards\u003C\u002Fstrong> which makes it fail safe.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>60,000+ active installations\u003C\u002Fstrong> can’t be wrong.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>If you’re happy with the plugin \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fsupport\u002Fplugin\u002Fdisable-xml-rpc-pingback\u002Freviews\u002F?filter=5\" rel=\"ugc\">please don’t forget to give it a good rating\u003C\u002Fa>, it will motivate me to keep sharing and improving this plugin (and others).\u003C\u002Fp>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cp>Removes the following methods from XML-RPC interface.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>pingback.ping\u003C\u002Fli>\n\u003Cli>pingback.extensions.getPingbacks\u003C\u002Fli>\n\u003Cli>X-Pingback from HTTP headers. This will hopefully stops some bots from trying to hit your xmlrpc.php file.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Requirements\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>WordPress 3.8.1 or higher.\u003C\u002Fli>\n\u003C\u002Ful>\n","Stops abuse of your site's XML-RPC by simply removing some methods used by attackers. 
While you can use the rest of XML-RPC methods.",60000,420220,78,14,"2025-11-24T11:09:00.000Z","6.8.5","4.8","5.6",[113,90,114,115,24],"ddos","rpc","xml","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdisable-xml-rpc-pingback.1.2.2.zip",{"slug":118,"name":119,"version":120,"author":121,"author_profile":122,"description":123,"short_description":124,"active_installs":125,"downloaded":126,"rating":127,"num_ratings":128,"last_updated":129,"tested_up_to":16,"requires_at_least":130,"requires_php":131,"tags":132,"homepage":138,"download_link":139,"security_score":140,"vuln_count":141,"unpatched_count":29,"last_vuln_date":142,"fetched_at":31},"inactive-logout","Inactive Logout","3.6.1","Deepen Bajracharya","https:\u002F\u002Fprofiles.wordpress.org\u002Fj_3rk\u002F","\u003Cp>Protect your WordPress users’ sessions from prying eyes and snoopers!\u003C\u002Fp>\n\u003Cp>The Inactive Logout plugin automatically terminates idle user sessions, safeguarding your site if users leave their sessions unattended.\u003C\u002Fp>\n\u003Cp>A simple plugin which is easy to configure and use. After installing and activating it, just set the idle timeout from the plugin settings. From then on, any unattended idle WordPress sessions will be automatically terminated. You can also display a custom message to users, warning them that their session is about to end.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Try it out ==> \u003Ca href=\"https:\u002F\u002Ftastewp.org\u002Fplugins\u002Finactive-logout\u002F\" title=\"Demo Link\" rel=\"nofollow ugc\">Demo\u003C\u002Fa>\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>FEATURES:\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Change idle timeout time.\u003C\u002Fli>\n\u003Cli>Count down of 10 seconds before actual logout. 
You can remove this feature if you don’t want it.\u003C\u002Fli>\n\u003Cli>Add only \u003Cstrong>Wake Up!\u003C\u002Fstrong> message where user will not log out but instead a wakeup message will be shown upon inactivity.\u003C\u002Fli>\n\u003Cli>Custom Popup Message.\u003C\u002Fli>\n\u003Cli>Show idle message for non authenticated users or redirect them.\u003C\u002Fli>\n\u003Cli>Concurrent user logouts.\u003C\u002Fli>\n\u003Cli>Toast notification on Logout.\u003C\u002Fli>\n\u003Cli>Redirect to a Different Page instead of Popup box. Create a page such as timeout page and add your content there by creating a blank template or style it as you wish according to your theme.\u003C\u002Fli>\n\u003Cli>Multiple User Role Configurations for individual timeout and session logout redirects.\u003C\u002Fli>\n\u003Cli>Logout to custom page or existing page.\u003C\u002Fli>\n\u003Cli>Clean UI\u003C\u002Fli>\n\u003Cli>WooCommerce Supported.\u003C\u002Fli>\n\u003Cli>Multisite Support: Override all sites with one setting.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>EXTEND OTHER FEATURES:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Few of the key features to \u003Cstrong>\u003Ca href=\"https:\u002F\u002Finactive-logout.com\u002Fpricing\u002F\" title=\"Inactive Logout Pro\" rel=\"nofollow ugc\">Inactive Logout Pro\u003C\u002Fa>\u003C\u002Fstrong>:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Auto browser close logout after defined duration.\u003C\u002Fli>\n\u003Cli>Fully functional multi-tab support.\u003C\u002Fli>\n\u003Cli>User Based Logout\u003C\u002Fli>\n\u003Cli>Track Visitors based on \u003Cstrong>(Login time, logout time, browser, online status, session duration, role, os, IP)\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>Force Logout All Users\u003C\u002Fli>\n\u003Cli>Logout Specific User(s)\u003C\u002Fli>\n\u003Cli>Bulk Logout Users\u003C\u002Fli>\n\u003Cli>Concurrent Login Limits.\u003C\u002Fli>\n\u003Cli>Last Login Activity\u003C\u002Fli>\n\u003Cli>Override Multiple Login 
priority\u003C\u002Fli>\n\u003Cli>User Lock whenever certain limit login has been reached.\u003C\u002Fli>\n\u003Cli>Track user login sessions.\u003C\u002Fli>\n\u003Cli>Logout redirects.\u003C\u002Fli>\n\u003Cli>Login redirects.\u003C\u002Fli>\n\u003Cli>Email notification and email template overrides for Locked concurrent session.\u003C\u002Fli>\n\u003Cli>Disable inactive logout for specified pages according to your need. Check this \u003Cstrong>\u003Ca href=\"https:\u002F\u002Fgist.github.com\u002Ftechies23\u002F6d2852eedd6ae56c486056e021e4ee48\" title=\"documentation\" rel=\"nofollow ugc\">Documentation\u003C\u002Fa>\u003C\u002Fstrong> for additional post type support.\u003C\u002Fli>\n\u003Cli>Disable native wordpress login popup after logout\u003C\u002Fli>\n\u003Cli>Modal Customizer\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>**See the \u003Ca href=\"https:\u002F\u002Finactive-logout.com\u002F\" title=\"Inactive Logout\" rel=\"nofollow ugc\">Inactive Logout\u003C\u002Fa> homepage for further information.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Please consider giving a \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fsupport\u002Fplugin\u002Finactive-logout\u002Freviews\u002F#new-post\" title=\"5 star thumbs up\" rel=\"ugc\">5 star thumbs up\u003C\u002Fa> if you found this useful.\u003C\u002Fstrong>\u003C\u002Fp>\n","Automatically logout idle user sessions, with logout redirections and concurrent limit logins all in one place.",20000,656143,94,106,"2025-12-09T05:09:00.000Z","6.6","7.4",[133,134,135,136,137],"concurrent-login-limit","idle-logout","logout","security","user-redirection","https:\u002F\u002Finactive-logout.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Finactive-logout.3.6.1.zip",96,3,"2025-10-31 
13:27:51",{"slug":144,"name":145,"version":146,"author":147,"author_profile":148,"description":149,"short_description":150,"active_installs":151,"downloaded":152,"rating":153,"num_ratings":154,"last_updated":155,"tested_up_to":156,"requires_at_least":157,"requires_php":111,"tags":158,"homepage":161,"download_link":162,"security_score":163,"vuln_count":29,"unpatched_count":29,"last_vuln_date":38,"fetched_at":31},"remove-xmlrpc-pingback-ping","Remove & Disable XML-RPC Pingback","1.6","cleverplugins","https:\u002F\u002Fprofiles.wordpress.org\u002Fcleverplugins\u002F","\u003Cp>Prevent your WordPress site from participating and being a victim of pingback denial of service attacks. \u003Cstrong>After activation the plugin automatically disables XML-RPC. There’s no need to configure anything.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>By disabling the XML-RPC pingback you’ll:\u003Cbr \u002F>\n* lower your server CPU usage\u003Cbr \u002F>\n* prevent malicious scripts from using your site to run pingback denial of service attacks\u003Cbr \u002F>\n* prevent malicious scripts to run denial of service attacks on your site via pingback\u003C\u002Fp>\n\u003Cp>From sucuri.net:\u003C\u002Fp>\n\u003Cblockquote>\n\u003Cp>Any WordPress site with Pingback enabled (which is on by default) can be used in DDOS attacks against other sites.\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Ch4>Learn More\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Fwptavern.com\u002Fhow-to-prevent-wordpress-from-participating-in-pingback-denial-of-service-attacks\" rel=\"nofollow ugc\">How To Prevent WordPress From Participating In Pingback Denial of Service Attacks\u003C\u002Fa> – wptavern.com\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Fblog.sucuri.net\u002F2014\u002F03\u002Fmore-than-162000-wordpress-sites-used-for-distributed-denial-of-service-attack.html\" rel=\"nofollow ugc\">More Than 162,000 WordPress Sites Used for Distributed Denial of Service Attack\u003C\u002Fa> – 
sucuri.net\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Fhackguard.com\u002Fxmlrpc-php-ping-backs-hackers-denial-service-attacks\" rel=\"nofollow ugc\">xmlrpc.php and Pingbacks and Denial of Service Attacks, Oh My!\u003C\u002Fa> – hackguard.com\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Is Your Site Attacking Others?\u003C\u002Fh4>\n\u003Cp>Use \u003Ca href=\"http:\u002F\u002Flabs.sucuri.net\u002F?is-my-wordpress-ddosing\" rel=\"nofollow ugc\">Sucuri’s WordPress DDOS Scanner\u003C\u002Fa> to check if your site is DDOS’ing other websites\u003C\u002Fp>\n\u003Ch4>Why Not Just Disable XMLRPC Altogether?\u003C\u002Fh4>\n\u003Cp>Yes, you can choose to do that, but if you use popular plugins like JetPack (that use XMLRPC) then those plugins will stop working. That is why this small plugin exists.\u003C\u002Fp>\n","Prevent pingback, XML-RPC and denial of service DDOS attacks by disabling the XML-RPC pingback functionality.",9000,94267,60,6,"2023-07-24T23:03:00.000Z","6.3.8","5.2",[159,160,90,24,92],"disable-ping","ping","http:\u002F\u002Fwordpress.org\u002Fplugins\u002Fremove-xmlrpc-pingback-ping","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fremove-xmlrpc-pingback-ping.1.6.zip",85,{"slug":165,"name":166,"version":167,"author":168,"author_profile":169,"description":170,"short_description":171,"active_installs":172,"downloaded":173,"rating":174,"num_ratings":175,"last_updated":176,"tested_up_to":109,"requires_at_least":177,"requires_php":86,"tags":178,"homepage":86,"download_link":184,"security_score":27,"vuln_count":185,"unpatched_count":29,"last_vuln_date":186,"fetched_at":31},"dologin","DoLogin Security","4.3","WPDO","https:\u002F\u002Fprofiles.wordpress.org\u002Fwpdo5ea\u002F","\u003Cp>In one click, your WordPress login page will be protected with the smart brute force attack protection! 
Any login attempts more than 6 in 10 minutes (default value) will be limited.\u003C\u002Fp>\n\u003Cp>Limit the number of login attempts through both the login and the auth cookies.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\n\u003Cp>Two-factor Authentication login.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Text SMS message passcode for 2nd step verification support.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Cloudflare Turnstile (better than Google reCAPTCHA).\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>GeoLocation (Continent\u002FCountry\u002FCity) or IP range to limit login attempts.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Passwordless login link.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Support Whitelist and Blacklist.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>GDPR compliant. With this feature turned on, all logged IPs get obfuscated (md5-hashed).\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>WooCommerce Login supported.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>XMLRPC gateway protection.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>API\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\n\u003Cp>Call the function \u003Ccode>$link = function_exists( 'dologin_gen_link' ) ? dologin_gen_link( 'your plugin name or tag' ) : '';\u003C\u002Fcode> to generate one passwordless login link for the current user.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Call the function \u003Ccode>$link = function_exists( 'dologin_gen_link' ) ? 
dologin_gen_link( 'note\u002Ftip for this generation', $user_id ) : '';\u003C\u002Fcode> to generate a passwordless login link for the user which ID is \u003Ccode>$user_id\u003C\u002Fcode>.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>The generated one-time used link will be expired after 7 days.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Define const \u003Ccode>SILENCE_INSTALL\u003C\u002Fcode> to avoid redirecting to setting page after installation.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>CLI\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\n\u003Cp>List all passwordless links: \u003Ccode>wp dologin list\u003C\u002Fcode>\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Generate a passwordless link for one username (for the login name \u003Ccode>root\u003C\u002Fcode>): \u003Ccode>wp dologin gen root\u003C\u002Fcode>\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Delete a passwordless link w\u002F the ID in list (for the record w\u002F ID 5): \u003Ccode>wp dologin del 5\u003C\u002Fcode>\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>How GeoLocation works\u003C\u002Fh4>\n\u003Cp>When visitors hit the login page, this plugin will lookup the Geolocation info from API, compare the Geolocation setting (if has) with the whitelist\u002Fblacklist to decide if allow login attempts.\u003C\u002Fp>\n\u003Ch3>Privacy\u003C\u002Fh3>\n\u003Cp>The online IP lookup service is provided by https:\u002F\u002Fwww.doapi.us. The provider’s privacy policy is https:\u002F\u002Fwww.doapi.us\u002Fprivacy.\u003C\u002Fp>\n\u003Cp>Based on the original code from Limit Login Attempts plugin and Limit Login Attempts Reloaded plugin.\u003C\u002Fp>\n","Easy Login. 2FA login. Passwordless login. Cloudflare Turnstile reCAPTCHA. 
GeoLocation (Continent\u002FCountry\u002FCity)\u002FIP range to limit login attempts.",7000,162727,90,13,"2025-06-11T14:21:00.000Z","4.0",[179,180,181,182,183],"2fa-login","cloudflare-turnstile-recaptcha","easy-login","geolocation-login-limit","login-security","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdologin.4.3.zip",4,"2023-10-24 00:00:00",{"attackSurface":188,"codeSignals":472,"taintFlows":509,"riskAssessment":640,"analyzedAt":650},{"hooks":189,"ajaxHandlers":417,"restRoutes":443,"shortcodes":444,"cronEvents":463,"entryPointCount":258,"unprotectedCount":185},[190,196,200,204,208,212,216,218,223,227,230,233,237,240,244,248,252,254,259,261,264,266,269,272,275,278,282,286,288,291,294,296,299,303,306,309,312,316,318,321,325,328,331,334,337,341,344,348,351,353,355,358,361,363,365,367,369,373,376,378,382,385,388,391,394,397,400,403,406,410,413],{"type":191,"name":192,"callback":193,"file":194,"line":195},"action","admin_menu","addMenu","app\\Hooks\\Handlers\\AdminMenuHandler.php",12,{"type":197,"name":198,"callback":199,"file":194,"line":128},"filter","admin_footer_text","closure",{"type":197,"name":201,"callback":202,"file":194,"line":203},"user_can_richedit","__return_true",114,{"type":197,"name":205,"callback":206,"file":207,"line":175},"wp_is_application_passwords_available","maybeDisableAppPassword","app\\Hooks\\Handlers\\BasicTasksHandler.php",{"type":197,"name":209,"callback":210,"file":207,"line":211},"xmlrpc_enabled","maybeDisableXmlRpc",16,{"type":197,"name":213,"callback":214,"file":207,"line":215},"rest_user_query","maybeInterceptRestUserQuery",19,{"type":197,"name":213,"callback":214,"file":207,"line":217},22,{"type":197,"name":219,"callback":220,"priority":221,"file":207,"line":222},"rest_prepare_user","maybeInterceptRestUserResponse",10,23,{"type":191,"name":224,"callback":225,"file":207,"line":226},"admin_notices","maybeAddAdminNotice",25,{"type":191,"name":228,"callback":199,"file":207,"line":229},"fluent_auth_daily_tasks",30,{"type":
197,"name":231,"callback":199,"file":207,"line":232},"show_admin_bar",38,{"type":191,"name":234,"callback":199,"priority":235,"file":207,"line":236},"admin_init",999,69,{"type":191,"name":238,"callback":199,"file":207,"line":239},"fluent_auth_hourly_tasks",91,{"type":197,"name":241,"callback":242,"priority":235,"file":243,"line":226},"login_redirect","alterLoginRedirectUrl","app\\Hooks\\Handlers\\CustomAuthHandler.php",{"type":197,"name":245,"callback":246,"priority":235,"file":243,"line":247},"logout_redirect","alterLogoutRedirectUrl",26,{"type":191,"name":249,"callback":250,"file":243,"line":251},"fls_load_login_helper","loadAssets",31,{"type":197,"name":253,"callback":199,"file":243,"line":203},"fluent_auth\u002Fsocial_redirect_to",{"type":191,"name":255,"callback":256,"file":257,"line":258},"fluent_auth\u002Finit_google_popup_auth","initGooglePopupAuth","app\\Hooks\\Handlers\\GoogleOneTapAuthHandler.php",15,{"type":191,"name":260,"callback":199,"file":257,"line":66},"fluent_auth\u002Fsocial\u002Frendering_button_google",{"type":197,"name":262,"callback":199,"file":257,"line":263},"fluent_auth\u002Fis_google_one_tap_enabled",27,{"type":191,"name":265,"callback":199,"file":257,"line":251},"login_enqueue_scripts",{"type":191,"name":267,"callback":199,"file":257,"line":268},"wp_enqueue_scripts",191,{"type":191,"name":270,"callback":199,"file":271,"line":107},"login_head","app\\Hooks\\Handlers\\LoginCustomizerHandler.php",{"type":191,"name":273,"callback":199,"file":271,"line":274},"register_form",35,{"type":197,"name":276,"callback":277,"priority":221,"file":271,"line":84},"registration_errors","maybeInterceptRegistration",{"type":191,"name":279,"callback":280,"priority":221,"file":271,"line":281},"register_post","maybeIntercept2FaRegistration",43,{"type":191,"name":283,"callback":284,"file":271,"line":285},"login_init","maybeCustomizeAuthPage",45,{"type":191,"name":265,"callback":199,"file":271,"line":287},101,{"type":191,"name":289,"callback":199,"file":271,"line"
:290},"login_header",133,{"type":191,"name":292,"callback":199,"file":271,"line":293},"login_footer",148,{"type":191,"name":273,"callback":199,"file":271,"line":295},256,{"type":191,"name":297,"callback":199,"file":271,"line":298},"login_body_class",260,{"type":197,"name":300,"callback":301,"priority":235,"file":302,"line":107},"authenticate","maybeCheckLoginAttempts","app\\Hooks\\Handlers\\LoginSecurityHandler.php",{"type":197,"name":304,"callback":305,"priority":221,"file":302,"line":258},"lostpassword_errors","maybeBlockPasswordReset",{"type":191,"name":307,"callback":308,"priority":221,"file":302,"line":211},"wp_login_failed","logFailedAuth",{"type":191,"name":310,"callback":311,"priority":221,"file":302,"line":66},"wp_login","logAuthSuccess",{"type":191,"name":313,"callback":314,"file":315,"line":211},"login_form","maybePushMagicForm","app\\Hooks\\Handlers\\MagicLoginHandler.php",{"type":191,"name":265,"callback":317,"file":315,"line":66},"pushAssets",{"type":191,"name":319,"callback":199,"priority":48,"file":315,"line":320},"init",20,{"type":197,"name":322,"callback":323,"file":315,"line":324},"login_form_bottom","maybeMagicFormOnLoginFunc",39,{"type":197,"name":326,"callback":199,"priority":221,"file":315,"line":327},"fluent_auth\u002Flogin_token_by_user_id",44,{"type":197,"name":329,"callback":199,"priority":221,"file":315,"line":330},"fluent_auth\u002Flogin_token_by_user_email",58,{"type":197,"name":300,"callback":332,"priority":221,"file":315,"line":333},"allowProgrammaticLogin",452,{"type":197,"name":335,"callback":199,"file":336,"line":211},"fluent_security\u002Fapp_vars","app\\Hooks\\Handlers\\ServerModeHandler.php",{"type":197,"name":338,"callback":199,"priority":339,"file":336,"line":340},"fluent_auth\u002Fvalidated_redirect",99,21,{"type":191,"name":319,"callback":342,"priority":48,"file":336,"line":343},"maybeRemoteLoginInit",46,{"type":197,"name":241,"callback":345,"priority":346,"file":336,"line":347},"maybeRemoteLoginRedirect",9999999,48,{"type":
191,"name":283,"callback":349,"priority":48,"file":350,"line":215},"maybeSocialAuth","app\\Hooks\\Handlers\\SocialAuthHandler.php",{"type":191,"name":313,"callback":352,"file":350,"line":320},"pushLoginWithButtons",{"type":191,"name":273,"callback":354,"file":350,"line":340},"pushRegisterWithButtons",{"type":197,"name":322,"callback":356,"file":350,"line":357},"maybePushToCustomForm",24,{"type":197,"name":359,"callback":360,"file":350,"line":247},"fluent_support\u002Fbefore_registration_form_close","maybePushRegistrationField",{"type":197,"name":362,"callback":360,"file":350,"line":263},"fluent_auth\u002Fafter_registration_form_close",{"type":197,"name":364,"callback":199,"file":350,"line":95},"wp_login_errors",{"type":197,"name":364,"callback":199,"file":350,"line":366},122,{"type":197,"name":364,"callback":199,"file":350,"line":368},143,{"type":191,"name":370,"callback":371,"priority":48,"file":372,"line":107},"fluent_auth\u002Flogin_attempts_checked","maybe2FaRedirect","app\\Hooks\\Handlers\\TwoFaHandler.php",{"type":191,"name":374,"callback":375,"priority":48,"file":372,"line":258},"login_form_fls_2fa_email","render2FaForm",{"type":197,"name":300,"callback":332,"priority":221,"file":372,"line":377},207,{"type":197,"name":379,"callback":199,"priority":221,"file":380,"line":381},"fluent_auth\u002Fparse_smartcode","app\\Hooks\\Handlers\\WPSystemEmailHandler.php",18,{"type":197,"name":383,"callback":384,"priority":339,"file":380,"line":217},"wp_new_user_notification_email","maybeAlterUserRegistrationEmail",{"type":197,"name":386,"callback":387,"priority":339,"file":380,"line":222},"retrieve_password_notification_email","maybeAlterPasswordResetEmail",{"type":197,"name":389,"callback":390,"priority":339,"file":380,"line":357},"new_user_email_content","maybeAlterEmailChangeNotificationEmailToUser",{"type":197,"name":392,"callback":393,"priority":339,"file":380,"line":247},"email_change_email","maybeAlterEmailChangedEmailToUser",{"type":197,"name":395,"callback":396,"pr
iority":339,"file":380,"line":14},"wp_new_user_notification_email_admin","maybeAlterUserRegistrationEmailToAdmin",{"type":191,"name":398,"callback":399,"priority":221,"file":380,"line":229},"fluent_auth\u002Fafter_creating_user","maybeSendCustomizedEmailOnFluentAuthSignup",{"type":197,"name":401,"callback":199,"priority":95,"file":380,"line":402},"wp_send_new_user_notification_to_user",37,{"type":197,"name":404,"callback":199,"priority":221,"file":380,"line":405},"wp_send_new_user_notification_to_admin",51,{"type":197,"name":407,"callback":408,"priority":339,"file":380,"line":409},"wp_mail","alterEmailChangeNotificationEmailSubjectHeader",142,{"type":197,"name":401,"callback":411,"priority":339,"file":380,"line":412},"__return_false",218,{"type":191,"name":414,"callback":199,"file":415,"line":416},"rest_api_init","fluent-security.php",75,[418,423,427,430,434,436,439,442],{"action":419,"nopriv":420,"callback":421,"hasNonce":420,"hasCapCheck":422,"file":243,"line":14},"fluent_auth_login",true,"handleLoginAjax",false,{"action":424,"nopriv":420,"callback":425,"hasNonce":420,"hasCapCheck":422,"file":243,"line":426},"fluent_auth_signup","handleSignupAjax",29,{"action":428,"nopriv":420,"callback":429,"hasNonce":420,"hasCapCheck":422,"file":243,"line":229},"fluent_auth_rp","handlePasswordResentAjax",{"action":431,"nopriv":422,"callback":432,"hasNonce":422,"hasCapCheck":422,"file":257,"line":433},"fluent_security_google_one_tap_login","handleGoogleOneTapLogin",61,{"action":431,"nopriv":420,"callback":432,"hasNonce":422,"hasCapCheck":422,"file":257,"line":435},62,{"action":437,"nopriv":420,"callback":438,"hasNonce":420,"hasCapCheck":422,"file":315,"line":381},"fls_magic_send_magic_email","handleMagicLoginAjax",{"action":440,"nopriv":420,"callback":441,"hasNonce":422,"hasCapCheck":422,"file":372,"line":211},"fluent_auth_2fa_email","verify2FaEmailCode",{"action":440,"nopriv":422,"callback":199,"hasNonce":422,"hasCapCheck":422,"file":372,"line":66},[],[445,447,449,452,455,458,46
0],{"tag":419,"callback":446,"file":243,"line":211},"loginForm",{"tag":424,"callback":448,"file":243,"line":66},"registrationForm",{"tag":450,"callback":451,"file":243,"line":381},"fluent_auth","authForm",{"tag":453,"callback":454,"file":243,"line":215},"fluent_auth_reset_password","restPasswordForm",{"tag":456,"callback":457,"file":243,"line":320},"fluent_auth_magic_login","magicLoginForm",{"tag":459,"callback":199,"file":257,"line":84},"fluent_auth_google_one_tap",{"tag":461,"callback":462,"file":350,"line":217},"fs_auth_buttons","socialAuthShortcode",[464,467,469,470],{"hook":228,"callback":228,"file":465,"line":466},"app\\Helpers\\Activator.php",36,{"hook":238,"callback":238,"file":465,"line":468},40,{"hook":228,"callback":228,"file":194,"line":339},{"hook":238,"callback":238,"file":194,"line":471},103,{"dangerousFunctions":473,"sqlUsage":474,"outputEscaping":491,"fileOperations":48,"externalRequests":506,"nonceChecks":185,"capabilityChecks":507,"bundledLibraries":508},[],{"prepared":229,"raw":154,"locations":475},[476,478,481,483,485,488],{"file":465,"line":66,"context":477},"$wpdb->get_col() with variable interpolation",{"file":465,"line":479,"context":480},50,"$wpdb->get_var() with variable interpolation",{"file":465,"line":482,"context":480},83,{"file":465,"line":484,"context":480},111,{"file":465,"line":486,"context":487},112,"$wpdb->query() with variable interpolation",{"file":489,"line":490,"context":487},"app\\Http\\Controllers\\LogsController.php",67,{"escaped":492,"rawEcho":154,"locations":493},204,[494,497,499,501,502,504],{"file":243,"line":495,"context":496},1223,"raw 
output",{"file":271,"line":498,"context":496},161,{"file":350,"line":500,"context":496},767,{"file":372,"line":405,"context":496},{"file":503,"line":486,"context":496},"app\\Views\\email_template.php",{"file":505,"line":215,"context":496},"vendor_prefixed\\Emogrifier\\scoped-vendor\\composer\\platform_check.php",11,7,[],[510,532,557,577,592,607,620,632],{"entryPoint":511,"graph":512,"unsanitizedCount":48,"severity":41},"handleSignupAjax (app\\Hooks\\Handlers\\CustomAuthHandler.php:780)",{"nodes":513,"edges":529},[514,519,523],{"id":515,"type":516,"label":517,"file":243,"line":518},"n0","source","$_REQUEST",862,{"id":520,"type":521,"label":522,"file":243,"line":518},"n1","transform","→ sendSignupEmailVerificationHtml()",{"id":524,"type":525,"label":526,"file":243,"line":527,"wp_function":528},"n2","sink","echo() [XSS]",1301,"echo",[530,531],{"from":515,"to":520,"sanitized":422},{"from":520,"to":524,"sanitized":422},{"entryPoint":533,"graph":534,"unsanitizedCount":48,"severity":41},"\u003CCustomAuthHandler> (app\\Hooks\\Handlers\\CustomAuthHandler.php:0)",{"nodes":535,"edges":552},[536,539,540,543,546,548,550],{"id":515,"type":516,"label":537,"file":243,"line":538},"$_SERVER",1145,{"id":520,"type":525,"label":526,"file":243,"line":495,"wp_function":528},{"id":524,"type":516,"label":541,"file":243,"line":542},"$_REQUEST (x2)",802,{"id":544,"type":525,"label":526,"file":243,"line":545,"wp_function":528},"n3",1300,{"id":547,"type":516,"label":517,"file":243,"line":518},"n4",{"id":549,"type":521,"label":522,"file":243,"line":518},"n5",{"id":551,"type":525,"label":526,"file":243,"line":527,"wp_function":528},"n6",[553,554,555,556],{"from":515,"to":520,"sanitized":420},{"from":524,"to":544,"sanitized":420},{"from":547,"to":549,"sanitized":422},{"from":549,"to":551,"sanitized":422},{"entryPoint":558,"graph":559,"unsanitizedCount":28,"severity":41},"maybeSocialAuth 
(app\\Hooks\\Handlers\\SocialAuthHandler.php:30)",{"nodes":560,"edges":572},[561,562,564,567,568,570],{"id":515,"type":516,"label":517,"file":350,"line":490},{"id":520,"type":521,"label":563,"file":350,"line":490},"→ handleGitHubActions()",{"id":524,"type":525,"label":565,"file":350,"line":140,"wp_function":566},"wp_redirect() [Open Redirect]","wp_redirect",{"id":544,"type":516,"label":517,"file":350,"line":70},{"id":547,"type":521,"label":569,"file":350,"line":70},"→ handleGoogleActions()",{"id":549,"type":525,"label":565,"file":350,"line":571,"wp_function":566},117,[573,574,575,576],{"from":515,"to":520,"sanitized":422},{"from":520,"to":524,"sanitized":422},{"from":544,"to":547,"sanitized":422},{"from":547,"to":549,"sanitized":422},{"entryPoint":578,"graph":579,"unsanitizedCount":28,"severity":41},"\u003CSocialAuthHandler> (app\\Hooks\\Handlers\\SocialAuthHandler.php:0)",{"nodes":580,"edges":587},[581,582,583,584,585,586],{"id":515,"type":516,"label":517,"file":350,"line":490},{"id":520,"type":521,"label":563,"file":350,"line":490},{"id":524,"type":525,"label":565,"file":350,"line":140,"wp_function":566},{"id":544,"type":516,"label":517,"file":350,"line":70},{"id":547,"type":521,"label":569,"file":350,"line":70},{"id":549,"type":525,"label":565,"file":350,"line":571,"wp_function":566},[588,589,590,591],{"from":515,"to":520,"sanitized":422},{"from":520,"to":524,"sanitized":422},{"from":544,"to":547,"sanitized":422},{"from":547,"to":549,"sanitized":422},{"entryPoint":593,"graph":594,"unsanitizedCount":28,"severity":41},"render2FaForm (app\\Hooks\\Handlers\\TwoFaHandler.php:39)",{"nodes":595,"edges":603},[596,597,598,599,601],{"id":515,"type":516,"label":517,"file":372,"line":405},{"id":520,"type":525,"label":526,"file":372,"line":405,"wp_function":528},{"id":524,"type":516,"label":517,"file":372,"line":405},{"id":544,"type":521,"label":600,"file":372,"line":405},"→ 
get2FaFormHtml()",{"id":547,"type":525,"label":526,"file":372,"line":602,"wp_function":528},391,[604,605,606],{"from":515,"to":520,"sanitized":422},{"from":524,"to":544,"sanitized":422},{"from":544,"to":547,"sanitized":422},{"entryPoint":608,"graph":609,"unsanitizedCount":28,"severity":41},"\u003CTwoFaHandler> (app\\Hooks\\Handlers\\TwoFaHandler.php:0)",{"nodes":610,"edges":616},[611,612,613,614,615],{"id":515,"type":516,"label":517,"file":372,"line":405},{"id":520,"type":525,"label":526,"file":372,"line":405,"wp_function":528},{"id":524,"type":516,"label":517,"file":372,"line":405},{"id":544,"type":521,"label":600,"file":372,"line":405},{"id":547,"type":525,"label":526,"file":372,"line":602,"wp_function":528},[617,618,619],{"from":515,"to":520,"sanitized":422},{"from":524,"to":544,"sanitized":422},{"from":544,"to":547,"sanitized":422},{"entryPoint":621,"graph":622,"unsanitizedCount":29,"severity":631},"addExtendedRegFields (app\\Hooks\\Handlers\\LoginCustomizerHandler.php:175)",{"nodes":623,"edges":629},[624,627],{"id":515,"type":516,"label":625,"file":271,"line":626},"$_POST (x3)",181,{"id":520,"type":525,"label":526,"file":271,"line":628,"wp_function":528},188,[630],{"from":515,"to":520,"sanitized":420},"low",{"entryPoint":633,"graph":634,"unsanitizedCount":29,"severity":631},"\u003CLoginCustomizerHandler> (app\\Hooks\\Handlers\\LoginCustomizerHandler.php:0)",{"nodes":635,"edges":638},[636,637],{"id":515,"type":516,"label":625,"file":271,"line":626},{"id":520,"type":525,"label":526,"file":271,"line":628,"wp_function":528},[639],{"from":515,"to":520,"sanitized":420},{"summary":641,"deductions":642},"The \"fluent-security\" v2.1.1 plugin exhibits a mixed security posture. While it demonstrates good practices with a high percentage of prepared SQL statements and properly escaped output, significant concerns arise from its attack surface and vulnerability history. 
The presence of 4 AJAX handlers without authentication checks presents a considerable risk, as these could be exploited by unauthenticated users to perform unintended actions or expose sensitive information. The taint analysis, although showing no critical or high severity flows, did reveal 6 flows with unsanitized paths, indicating potential, albeit low-severity, vulnerabilities if not properly handled downstream. The plugin's vulnerability history shows 2 medium-severity CVEs, which, while currently patched, suggest a past susceptibility to certain types of attacks. The last vulnerability being in late 2025 is unusual and might indicate a data anomaly, but the pattern of medium severity issues warrants attention for future development. The plugin's strengths lie in its code hygiene regarding SQL and output, but the unprotected AJAX endpoints are a critical oversight that needs immediate remediation.",[643,645,648],{"reason":644,"points":258},"Unprotected AJAX handlers",{"reason":646,"points":647},"Flows with unsanitized paths detected",8,{"reason":649,"points":154},"Medium severity CVEs in history","2026-03-16T17:45:42.009Z",{"wat":652,"direct":661},{"assetPaths":653,"generatorPatterns":656,"scriptPaths":657,"versionParams":658},[654,655],"\u002Fwp-content\u002Fplugins\u002Ffluent-security\u002Fdist\u002Fadmin\u002Fapp.js","\u002Fwp-content\u002Fplugins\u002Ffluent-security\u002Fdist\u002Flibs\u002Fdiff.js",[],[654,655],[659,660],"fluent-security\u002Fdist\u002Fadmin\u002Fapp.js?ver=","fluent-security\u002Fdist\u002Flibs\u002Fdiff.js?ver=",{"cssClasses":662,"htmlComments":664,"htmlAttributes":665,"restEndpoints":669,"jsGlobals":671,"shortcodeOutput":673},[663],"fluent_auth_admin_app",[],[666,667,668],"data-nonce=\"wp_rest\"","data-namespace=\"fluent-auth\"","data-version=\"1\"",[670],"\u002Fwp-json\u002Ffluent-auth",[672],"fluentAuthAdmin",[]]