[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fBFuMagN0nKeTH5CCQCoJp40CRqdhdGdhjrr5JoJNlYI":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":24,"download_link":25,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28,"vulnerabilities":29,"developer":30,"crawl_stats":27,"alternatives":36,"analysis":117,"fingerprints":294},"getotp-otp-verification","GetOTP OTP Verification","1.4.1","LaLoka Labs","https:\u002F\u002Fprofiles.wordpress.org\u002Flalokalabs\u002F","\u003Cp>This plugin is an official integration of GetOTP for WordPress.\u003C\u002Fp>\n\u003Cp>GetOTP is a service that lets you implement a simple, secure, multi-channel authentication flow. It supplies the user’s data – like emails – to perform a complete OTP flow.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fotp.dev\u002Fen\u002F\" rel=\"nofollow ugc\">GetOTP website\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fotp.dev\u002Fen\u002Fprivacy-policy\u002F\" rel=\"nofollow ugc\">Privacy Policy for GetOTP\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fotp.dev\u002Fen\u002Fterms-and-conditions\u002F\" rel=\"nofollow ugc\">GetOTP Terms and Conditions\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>EMAIL OTP VERIFICATION\u003C\u002Fh4>\n\u003Cp>Verifies user by sending Email OTP verification. Enjoy \u003Cstrong>free 100 emails per month with the free plan\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Ch4>SMS OTP VERIFICATION\u003C\u002Fh4>\n\u003Cp>Verifies user by sending SMS OTP verification. Only available for the paid plan.\u003C\u002Fp>\n\u003Ch4>2FA LOGIN\u003C\u002Fh4>\n\u003Cp>You can let the user log in with Username and Password, followed by OTP verification via Email or SMS.\u003C\u002Fp>\n\u003Ch4>Supported Forms\u003C\u002Fh4>\n\u003Cp>WordPress Login, WooCommerce Login, WooCommerce Checkout (coming soon)\u003C\u002Fp>\n\u003Ch4>SUPPORT\u003C\u002Fh4>\n\u003Cp>Email us at \u003Ca href=\"mailto:help@otp.dev\" rel=\"nofollow ugc\">help@otp.dev\u003C\u002Fa>\u003C\u002Fp>\n","Implement Email OTP and SMS OTP for WordPress and WooCommerce. Support Login with 2FA.",10,1741,0,"2022-08-01T06:55:00.000Z","5.9.13","5.0","",[19,20,21,22,23],"2fa","otp","two-factor","two-factor-authentication","two-step-verification","https:\u002F\u002Fgetotp.dev","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgetotp-otp-verification.zip",85,null,"2026-03-15T15:16:48.613Z",[],{"slug":31,"display_name":7,"profile_url":8,"plugin_count":32,"total_installs":11,"avg_security_score":26,"avg_patch_time_days":33,"trust_score":34,"computed_at":35},"lalokalabs",1,30,84,"2026-04-04T15:39:52.905Z",[37,57,74,89,104],{"slug":38,"name":39,"version":40,"author":41,"author_profile":42,"description":43,"short_description":44,"active_installs":45,"downloaded":46,"rating":34,"num_ratings":47,"last_updated":48,"tested_up_to":49,"requires_at_least":50,"requires_php":51,"tags":52,"homepage":54,"download_link":55,"security_score":56,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"wordpress-2-step-verification","WP 2-step verification","2.6.4","as247","https:\u002F\u002Fprofiles.wordpress.org\u002Fas247\u002F","\u003Ch4>WordPress 2-Step Verification (Wp2sv) adds an extra layer of security to your WordPress Account.\u003C\u002Fh4>\n\u003Cp>In addition to your username and password, you’ll enter a code that generated by Android\u002FiPhone\u002FBlackberry app or Plugin will send you via email upon signing in.\u003C\u002Fp>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Easy setup\u003C\u002Fli>\n\u003Cli>Multisite supported\u003C\u002Fli>\n\u003Cli>Option to use application or email\u003C\u002Fli>\n\u003Cli>Backup codes\u003C\u002Fli>\n\u003Cli>Protect XML-RPC with app password\u003C\u002Fli>\n\u003Cli>App passwords for apps that don’t support 2-Step Verification\u003C\u002Fli>\n\u003Cli>Easy recovery(via ftp) if lost phone\u003C\u002Fli>\n\u003Cli>Setup 2-Step at front page for Woocommerce\u003C\u002Fli>\n\u003C\u002Ful>\n","Adds an extra layer of security to your Wordpress Account. Same as Google 2-step verification.",2000,80954,27,"2025-10-10T15:40:00.000Z","6.8.5","4.5","5.6.0",[19,53,21,22,23],"authentication","https:\u002F\u002Ftinyinstaller.top\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwordpress-2-step-verification.2.6.4.zip",100,{"slug":58,"name":59,"version":60,"author":61,"author_profile":62,"description":63,"short_description":64,"active_installs":11,"downloaded":65,"rating":13,"num_ratings":13,"last_updated":66,"tested_up_to":67,"requires_at_least":50,"requires_php":68,"tags":69,"homepage":72,"download_link":73,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"passclip-auth-for-wordpress","PassClip Auth for WordPress","1.0.5","Passlogy","https:\u002F\u002Fprofiles.wordpress.org\u002Fpasslogy\u002F","\u003Cp>You need strong password to protect your site. However, how do you remember it or is it really strong?\u003Cbr \u002F>\n“PassClip Auth” provides really strong password that is also easy to remember.\u003Cbr \u002F>\nOnce you make your “pattern”, you can get your password using “PassClip”. And the password will change every 30 seconds(at the shortest).\u003C\u002Fp>\n\u003Ch4>Get and sign up for PassClip\u003C\u002Fh4>\n\u003Col>\n\u003Cli>Go to \u003Ca href=\"https:\u002F\u002Fwww.passclip.com\u002F\" rel=\"nofollow ugc\">the page about PassClip\u003C\u002Fa> and install PassClip on your smart phone.\u003C\u002Fli>\n\u003Cli>Activate your PassClip by registering your “pattern” and email address.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch4>Sign up for PassClip Auth(PCA)\u003C\u002Fh4>\n\u003Col>\n\u003Cli>Input PassClip Code “paauth” in your PassClip. That makes a new slot in your PassClip.\u003C\u002Fli>\n\u003Cli>Go to \u003Ca href=\"https:\u002F\u002Fmember.passclip.com\u002Fmember\u002Fui\u002F\" rel=\"nofollow ugc\">PassClip Auth member’s page\u003C\u002Fa> and log in with your email address and password which the slot shows you.\u003C\u002Fli>\n\u003Cli>Make your “PassClip Code”. And then you get your “PassClip Auth app service id(PCA app service id)”. You need both “code” and “id” to use this plugin.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch4>How to apply PassClip Auth to your site\u003C\u002Fh4>\n\u003Col>\n\u003Cli>Install and activate this plugin to your WordPress.\u003C\u002Fli>\n\u003Cli>Go to PassClip Auth Options Setting from the menu.\u003C\u002Fli>\n\u003Cli>Input the PassClip Auth app service id(PCA app service id), PassClip Code and other items in the setting page and click the “Save Change” button.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch4>How to log in to WordPress site with PassClip Auth\u003C\u002Fh4>\n\u003Col>\n\u003Cli>Users register PassClip Code of your site in their PassClip. That makes a new slot to get password to log in to your site.\u003C\u002Fli>\n\u003Cli>Show the password in PassClip (tap the new slot).\u003C\u002Fli>\n\u003Cli>In login form of your site, users enter email address and password in the slot. (\u003Cstrong>Users do not need general WordPress password.\u003C\u002Fstrong>)\u003C\u002Fli>\n\u003Cli>Click the “Log in” button.\u003C\u002Fli>\n\u003C\u002Fol>\n","\"PassClip Auth\" provides strong and easy authentication. \"PassClip Auth for WordPress\" is the plugin to launch PassClip Auth to Wo &hellip;",2199,"2019-12-27T07:42:00.000Z","5.3.21","5.3.3",[19,70,20,71,22],"login","security","https:\u002F\u002Fwww.passclip.com\u002Fja\u002Fpca\u002Fpca_for_wp\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpassclip-auth-for-wordpress.1.0.6.zip",{"slug":75,"name":76,"version":77,"author":78,"author_profile":79,"description":80,"short_description":81,"active_installs":13,"downloaded":82,"rating":13,"num_ratings":13,"last_updated":17,"tested_up_to":49,"requires_at_least":83,"requires_php":84,"tags":85,"homepage":86,"download_link":87,"security_score":56,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":88},"4login-for-secure-and-smart-access","4Login for Secure And Smart Access","0.1.0","4login","https:\u002F\u002Fprofiles.wordpress.org\u002F4login\u002F","\u003Cp>Secure your site with a strong password — without the hassle of remembering it.\u003Cbr \u002F>\nWith 4Login, you get simple yet powerful authentication that connects to an external server.\u003Cbr \u002F>\nSimply create your own pattern to generate a dynamic password that updates every 60 minutes.\u003C\u002Fp>\n\u003Cp>Please refer to the \u003Ca href=\"https:\u002F\u002Fwww.4login.jp\u002F\" rel=\"nofollow ugc\">operation Instructions \u003C\u002Fa> for instructions on how to use 4Login.\u003C\u002Fp>\n\u003Ch3>External services\u003C\u002Fh3>\n\u003Cp>This plugin connects to an external API to enable 4Login authentication.\u003Cbr \u002F>\nWhen logging in with 4Login, the plugin sends the 4Login App Service ID, the user’s email address, and a dynamic password .\u003Cbr \u002F>\nThese credentials are entered directly within the WordPress login interface.\u003C\u002Fp>\n\u003Cp>This authentication service is provided by Passlogy.\u003Cbr \u002F>\nFor more information, please review our\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Fwww.4login.jp\u002Fen\u002Fauto_terms\u002F\" rel=\"nofollow ugc\">Terms of Service\u003C\u002Fa> and\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Fwww.4login.jp\u002Fprivacy-policy\u002F?en=app\" rel=\"nofollow ugc\">Privacy Policy\u003C\u002Fa>.\u003C\u002Fp>\n","4Login will give you an easy and powerful authentication (connect to an external server for authentication).",431,"6.7","8.0",[19,70,20,71,22],"https:\u002F\u002Fwww.4login.jp\u002F4login-for-secure-and-smart-access\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002F4login-for-secure-and-smart-access.0.1.0.zip","2026-03-15T10:48:56.248Z",{"slug":90,"name":91,"version":92,"author":93,"author_profile":94,"description":95,"short_description":96,"active_installs":13,"downloaded":97,"rating":13,"num_ratings":13,"last_updated":98,"tested_up_to":99,"requires_at_least":16,"requires_php":84,"tags":100,"homepage":102,"download_link":103,"security_score":56,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"flavor-2fa","Flavor 2FA","1.0.0","kuckovic","https:\u002F\u002Fprofiles.wordpress.org\u002Fkuckovic\u002F","\u003Cp>\u003Cstrong>Flavor 2FA\u003C\u002Fstrong> adds powerful two-factor authentication to your WordPress site without the complexity. No bloat, no confusing settings – just solid security that protects your site from unauthorized access.\u003C\u002Fp>\n\u003Ch4>Why Flavor 2FA?\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Zero configuration needed\u003C\u002Fstrong> – Works out of the box\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Native WordPress styling\u003C\u002Fstrong> – Feels like part of WordPress\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Two verification methods\u003C\u002Fstrong> – Authenticator apps (Google Authenticator, Authy, 1Password) or email codes\u003C\u002Fli>\n\u003Cli>\u003Cstrong>User-friendly setup\u003C\u002Fstrong> – Guided 3-step process with QR code scanning\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Complete admin control\u003C\u002Fstrong> – Force 2FA, reset users, manage lockouts\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>For Users:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Choose between authenticator app or email verification\u003Cbr \u002F>\n* 10 recovery codes for emergency access\u003Cbr \u002F>\n* “Trust this device” option to skip 2FA on personal devices\u003Cbr \u002F>\n* Simple, clean verification screens\u003C\u002Fp>\n\u003Cp>\u003Cstrong>For Admins:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Require 2FA for specific user roles\u003Cbr \u002F>\n* Grace period for new users\u003Cbr \u002F>\n* Force immediate 2FA setup on next login\u003Cbr \u002F>\n* Lockout protection against brute force attacks\u003Cbr \u002F>\n* Reset 2FA or unlock accounts with one click\u003Cbr \u002F>\n* See 2FA status for all users at a glance\u003C\u002Fp>\n\u003Ch4>Perfect For\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Agencies managing client sites\u003C\u002Fli>\n\u003Cli>WooCommerce stores handling sensitive data\u003C\u002Fli>\n\u003Cli>Membership sites with user accounts\u003C\u002Fli>\n\u003Cli>Any WordPress site that needs extra security\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>External services\u003C\u002Fh3>\n\u003Cp>This plugin uses a third-party service to generate QR codes during the TOTP authenticator app setup process.\u003C\u002Fp>\n\u003Ch4>QR Server API\u003C\u002Fh4>\n\u003Cp>When a user chooses the “Authenticator App” method during 2FA setup, the plugin generates a QR code image via the QR Server API. This QR code contains the TOTP secret URI (which includes the site name, user email, and secret key) so the user can scan it with their authenticator app.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>What data is sent:\u003C\u002Fstrong> A TOTP provisioning URI containing the site name, user email address, and a generated secret key.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>When it is sent:\u003C\u002Fstrong> Only once, when a user sets up TOTP-based two-factor authentication. No data is sent during normal login verification.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Service provider:\u003C\u002Fstrong> goQR.me \u002F QR Server\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Service URL:\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fgoqr.me\u002Fapi\u002F\" rel=\"nofollow ugc\">https:\u002F\u002Fgoqr.me\u002Fapi\u002F\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Terms of service:\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fgoqr.me\u002Fapi\u002Fdoc\u002F\" rel=\"nofollow ugc\">https:\u002F\u002Fgoqr.me\u002Fapi\u002Fdoc\u002F\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Privacy policy:\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fgoqr.me\u002Fprivacy-policy\u002F\" rel=\"nofollow ugc\">https:\u002F\u002Fgoqr.me\u002Fprivacy-policy\u002F\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n","Lightweight two-factor authentication that just works. Protect your WordPress site with authenticator apps or email codes in under 2 minutes.",109,"2026-02-17T08:46:00.000Z","6.9.4",[19,70,71,101,22],"totp","https:\u002F\u002Fbranchout.dk\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fflavor-2fa.1.0.0.zip",{"slug":105,"name":106,"version":92,"author":107,"author_profile":108,"description":109,"short_description":110,"active_installs":13,"downloaded":111,"rating":13,"num_ratings":13,"last_updated":112,"tested_up_to":49,"requires_at_least":16,"requires_php":17,"tags":113,"homepage":17,"download_link":116,"security_score":56,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"secureauth-authenticator-2fa","SecureAuth Authenticator 2FA","Helmi","https:\u002F\u002Fprofiles.wordpress.org\u002Fhelmimubarak\u002F","\u003Cp>\u003Cstrong>SecureAuth Authenticator 2FA\u003C\u002Fstrong> enhances your WordPress login security by requiring a time-based one-time password (TOTP) in addition to the regular username and password. The TOTP code is generated by an authenticator app on your mobile device, adding an extra layer of protection even if your password is compromised.\u003C\u002Fp>\n\u003Cp>This plugin is lightweight, secure, and easy to use. It integrates directly into the user profile page to allow users to set up and manage their two-factor authentication with ease.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Features:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Adds a TOTP (Time-Based One-Time Password) field to the login form.\u003C\u002Fli>\n\u003Cli>User-friendly 2FA setup available on each user’s profile page.\u003C\u002Fli>\n\u003Cli>Generates secret keys and displays QR codes for scanning with mobile apps.\u003C\u002Fli>\n\u003Cli>Compatible with apps like Google Authenticator, Microsoft Authenticator, and Authy.\u003C\u002Fli>\n\u003Cli>Secure handling with nonce verification and input sanitization.\u003C\u002Fli>\n\u003Cli>No external libraries required (except Google Chart API for QR code).\u003C\u002Fli>\n\u003C\u002Ful>\n","Adds TOTP-based two-factor authentication (2FA) via SecureAuth Authenticator to your WordPress login page.",265,"2025-07-09T00:00:00.000Z",[19,114,101,22,115],"login-security","wordpress-security","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsecureauth-authenticator-2fa.1.0.0.zip",{"attackSurface":118,"codeSignals":191,"taintFlows":215,"riskAssessment":283,"analyzedAt":293},{"hooks":119,"ajaxHandlers":176,"restRoutes":187,"shortcodes":188,"cronEvents":189,"entryPointCount":190,"unprotectedCount":190},[120,126,129,131,134,137,140,143,146,149,152,155,157,160,163,167,170,173],{"type":121,"name":122,"callback":123,"file":124,"line":125},"action","plugins_loaded","anonymous","includes\\class-getotp.php",143,{"type":121,"name":127,"callback":123,"file":124,"line":128},"admin_enqueue_scripts",157,{"type":121,"name":127,"callback":123,"file":124,"line":130},158,{"type":121,"name":132,"callback":123,"file":124,"line":133},"admin_menu",162,{"type":121,"name":135,"callback":123,"file":124,"line":136},"admin_init",163,{"type":121,"name":138,"callback":123,"file":124,"line":139},"admin_notices",172,{"type":121,"name":141,"callback":123,"file":124,"line":142},"show_user_profile",178,{"type":121,"name":144,"callback":123,"file":124,"line":145},"edit_user_profile",179,{"type":121,"name":147,"callback":123,"file":124,"line":148},"personal_options_update",181,{"type":121,"name":150,"callback":123,"file":124,"line":151},"edit_user_profile_update",182,{"type":121,"name":153,"callback":123,"file":124,"line":154},"wp_enqueue_scripts",196,{"type":121,"name":153,"callback":123,"file":124,"line":156},197,{"type":121,"name":158,"callback":123,"file":124,"line":159},"login_enqueue_scripts",201,{"type":121,"name":161,"callback":123,"file":124,"line":162},"login_form",203,{"type":164,"name":165,"callback":123,"file":124,"line":166},"filter","login_message",204,{"type":164,"name":168,"callback":123,"file":124,"line":169},"authenticate",207,{"type":121,"name":171,"callback":123,"file":124,"line":172},"wp_loaded",209,{"type":121,"name":174,"callback":123,"file":124,"line":175},"woocommerce_login_form",213,[177,181,184],{"action":178,"nopriv":179,"callback":123,"hasNonce":179,"hasCapCheck":179,"file":124,"line":180},"my_dismiss_getotp_notice",false,174,{"action":182,"nopriv":179,"callback":123,"hasNonce":179,"hasCapCheck":179,"file":124,"line":183},"getotp_ajax_login_with_otp",217,{"action":182,"nopriv":185,"callback":123,"hasNonce":179,"hasCapCheck":179,"file":124,"line":186},true,218,[],[],[],3,{"dangerousFunctions":192,"sqlUsage":193,"outputEscaping":196,"fileOperations":13,"externalRequests":32,"nonceChecks":194,"capabilityChecks":32,"bundledLibraries":214},[],{"prepared":194,"raw":13,"locations":195},2,[],{"escaped":197,"rawEcho":198,"locations":199},41,6,[200,204,206,208,210,212],{"file":201,"line":202,"context":203},"admin\\class-getotp-admin.php",516,"raw output",{"file":201,"line":205,"context":203},518,{"file":201,"line":207,"context":203},592,{"file":201,"line":209,"context":203},594,{"file":201,"line":211,"context":203},596,{"file":201,"line":213,"context":203},598,[],[216,241,271],{"entryPoint":217,"graph":218,"unsanitizedCount":13,"severity":240},"wp_otp_login_form (public\\class-getotp-public.php:283)",{"nodes":219,"edges":237},[220,226,231,235],{"id":221,"type":222,"label":223,"file":224,"line":225},"n0","source","$_REQUEST['getotp_status']","public\\class-getotp-public.php",289,{"id":227,"type":228,"label":229,"file":224,"line":225,"wp_function":230},"n1","sink","echo() [XSS]","echo",{"id":232,"type":222,"label":233,"file":224,"line":234},"n2","$_REQUEST['_getotp_nonce']",290,{"id":236,"type":228,"label":229,"file":224,"line":234,"wp_function":230},"n3",[238,239],{"from":221,"to":227,"sanitized":185},{"from":232,"to":236,"sanitized":185},"low",{"entryPoint":242,"graph":243,"unsanitizedCount":13,"severity":240},"\u003Cclass-getotp-public> (public\\class-getotp-public.php:0)",{"nodes":244,"edges":266},[245,246,247,248,249,253,258,261],{"id":221,"type":222,"label":223,"file":224,"line":225},{"id":227,"type":228,"label":229,"file":224,"line":225,"wp_function":230},{"id":232,"type":222,"label":233,"file":224,"line":234},{"id":236,"type":228,"label":229,"file":224,"line":234,"wp_function":230},{"id":250,"type":222,"label":251,"file":224,"line":252},"n4","$_GET",1035,{"id":254,"type":228,"label":255,"file":224,"line":256,"wp_function":257},"n5","get_row() [SQLi]",1065,"get_row",{"id":259,"type":222,"label":251,"file":224,"line":260},"n6",1041,{"id":262,"type":228,"label":263,"file":224,"line":264,"wp_function":265},"n7","wp_redirect() [Open Redirect]",1112,"wp_redirect",[267,268,269,270],{"from":221,"to":227,"sanitized":185},{"from":232,"to":236,"sanitized":185},{"from":250,"to":254,"sanitized":185},{"from":259,"to":262,"sanitized":185},{"entryPoint":272,"graph":273,"unsanitizedCount":194,"severity":282},"authenticate_otp_user (public\\class-getotp-public.php:1020)",{"nodes":274,"edges":279},[275,276,277,278],{"id":221,"type":222,"label":251,"file":224,"line":252},{"id":227,"type":228,"label":255,"file":224,"line":256,"wp_function":257},{"id":232,"type":222,"label":251,"file":224,"line":260},{"id":236,"type":228,"label":263,"file":224,"line":264,"wp_function":265},[280,281],{"from":221,"to":227,"sanitized":179},{"from":232,"to":236,"sanitized":179},"high",{"summary":284,"deductions":285},"The 'getotp-otp-verification' plugin v1.4.1 exhibits a mixed security posture. On the positive side, it demonstrates good practices regarding SQL query handling, with 100% using prepared statements and a high percentage of properly escaped output. The absence of dangerous functions and file operations is also a strong indicator of secure coding. Furthermore, its vulnerability history is clean, with no known CVEs, suggesting a generally well-maintained codebase. \n\nHowever, significant concerns arise from the static analysis. The plugin exposes three AJAX handlers, all of which lack authentication checks. This creates a substantial attack surface that could be exploited by unauthenticated users. The taint analysis revealed one flow with an unsanitized path of high severity, which could potentially lead to arbitrary code execution or file manipulation if not handled correctly. While the plugin does implement nonce and capability checks, their application seems insufficient given the unprotected AJAX endpoints.\n\nIn conclusion, while the plugin avoids common pitfalls like raw SQL and outdated libraries, the unprotected AJAX endpoints and the identified high-severity unsanitized path are critical weaknesses. The lack of a vulnerability history is positive, but it doesn't negate the immediate risks identified in the code. Immediate attention should be paid to securing the AJAX handlers and sanitizing the identified unsanitized path.",[286,288,290],{"reason":287,"points":11},"Unprotected AJAX handlers present",{"reason":289,"points":11},"High severity unsanitized path found",{"reason":291,"points":292},"Attack surface without auth checks",5,"2026-03-17T01:05:44.622Z",{"wat":295,"direct":304},{"assetPaths":296,"generatorPatterns":299,"scriptPaths":300,"versionParams":301},[297,298],"\u002Fwp-content\u002Fplugins\u002Fgetotp-otp-verification\u002Fadmin\u002Fcss\u002Fgetotp-admin.css","\u002Fwp-content\u002Fplugins\u002Fgetotp-otp-verification\u002Fadmin\u002Fjs\u002Fgetotp-admin.js",[],[298],[302,303],"getotp-otp-verification\u002Fadmin\u002Fcss\u002Fgetotp-admin.css?ver=","getotp-otp-verification\u002Fadmin\u002Fjs\u002Fgetotp-admin.js?ver=",{"cssClasses":305,"htmlComments":307,"htmlAttributes":308,"restEndpoints":311,"jsGlobals":312,"shortcodeOutput":313},[306],"getotp-notice",[],[309,310],"name=\"mobile_phone\"","id=\"mobile_phone\"",[],[],[]]