Does Heateor Social Login WordPress have any unpatched vulnerabilities?

Yes — Heateor Social Login WordPress currently has 1 unpatched vulnerability. We recommend switching to an alternative or applying any available workarounds.

Is Heateor Social Login WordPress compatible with WordPress 6.8.5?

According to WordPress.org data, Heateor Social Login WordPress 1.1.39 has been tested up to WordPress 6.8.5. Check the plugin's changelog for the latest compatibility information.

How often is Heateor Social Login WordPress updated?

Heateor Social Login WordPress was last updated on Sep 17, 2025. Frequent updates are generally a positive security signal.

What is Heateor Social Login WordPress's security score?

Heateor Social Login WordPress has a WP-Safety security score of 62/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Heateor Social Login WordPress Security & Risk Analysis

wordpress.org/plugins/heateor-social-login

One click login and registration via Facebook, Twitter, Linkedin, Google and 23 others.

1K active installs v1.1.39 PHP + WP 2.5.0+ Updated Sep 17, 2025

facebook-loginlinkedin-logintwitter-loginxx-login

C · Use Caution

CVEs total6

Unpatched1

Last CVEDec 26, 2025

Plugin page Download

Safety Verdict

Is Heateor Social Login WordPress Safe to Use in 2026?

Use With Caution

Score 62/100

Heateor Social Login WordPress has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

6 known CVEs 1 unpatched Last CVE: Dec 26, 2025Updated 6mo ago

Risk Assessment

The "heateor-social-login" plugin v1.1.39 presents a moderate security risk, primarily due to an unprotected AJAX handler and a history of significant vulnerabilities. While the plugin demonstrates some good practices like a moderate percentage of prepared SQL statements and proper output escaping, the presence of an unprotected AJAX entry point is a critical concern, creating an immediate attack vector. The taint analysis also highlights two high-severity flows with unsanitized paths, indicating potential for code injection or data manipulation if these paths are reachable by unauthenticated users.

The vulnerability history is a significant red flag. With six known CVEs, including one currently unpatched and two high-severity past vulnerabilities, the plugin has a pattern of introducing security flaws, particularly related to Cross-Site Request Forgery (CSRF), improper authentication, and Cross-Site Scripting (XSS). This history suggests recurring weaknesses in the plugin's security architecture and development process. While the plugin has some positive attributes, the combination of an unprotected AJAX handler, high-severity taint flows, and a history of unpatched vulnerabilities warrants caution.

Overall, users should be aware that this plugin carries inherent risks. The absence of proper authentication checks on a critical entry point and the recurring nature of security issues suggest that diligent security monitoring and prompt updating are essential. While not all aspects of the plugin are inherently insecure, the identified weaknesses, especially the unpatched CVE, significantly elevate the overall risk profile.

Key Concerns

Unprotected AJAX handler detected
High severity taint flows (2)
Currently unpatched CVE (1)
History of 6 CVEs
2 High severity CVEs
No nonce checks on AJAX
Only 2 capability checks for entry points
SQL queries: only 44% using prepared statements
Output escaping: only 60% properly escaped

Vulnerabilities

Heateor Social Login WordPress Security Vulnerabilities

CVEs by Year

5 CVEs in 2024

2024

1 CVE in 2025 · unpatched

2025

Patched Has unpatched

Severity Breakdown

High

Medium

6 total CVEs

CVE-2025-68998medium · 4.3Cross-Site Request Forgery (CSRF)

Heateor Social Login <= 1.1.39 - Cross-Site Request Forgery

Dec 26, 2025Unpatched

CVE-2024-10020high · 8.1Improper Authentication

Heateor Social Login WordPress <= 1.1.35 - Authentication Bypass via Disqus OAuth provider

Nov 5, 2024 Patched in 1.1.36 (107d)

CVE-2024-35706high · 7.2Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Heateor Social Login WordPress <= 1.1.32 - Unauthenticated Stored Cross-Site Scripting

Jun 6, 2024 Patched in 1.1.33 (8d)

CVE-2024-35707medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Heateor Social Login WordPress <= 1.1.32 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jun 6, 2024 Patched in 1.1.33 (8d)

CVE-2024-32674medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Heateor Social Login WordPress <= 1.1.31 - Authenticated (Contributor+) Stored Cross-Site Scripting

May 8, 2024 Patched in 1.1.32 (9d)

CVE-2024-24712medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Heateor Social Login <= 1.1.30 - Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode

Jan 31, 2024 Patched in 1.1.31 (3d)

Code Analysis

Analyzed Mar 16, 2026

Heateor Social Login WordPress Code Analysis

Dangerous Functions

Raw SQL Queries

4 prepared

Unescaped Output

240

357 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

44% prepared9 total queries

Output Escaping

60% escaped597 total outputs

Data Flows

3 unsanitized

Data Flow Analysis

3 flows3 with unsanitized paths

frontend_scripts (public\class-heateor-social-login-public.php:2641)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

1 unprotected

Heateor Social Login WordPress Attack Surface

Entry Points3

Unprotected1

AJAX Handlers 1

authwp_ajax_heateor_sl_unlinkincludes\class-heateor-social-login.php:169

Shortcodes 2

[Heateor_Social_Login] includes\class-heateor-social-login.php:232

[Heateor_Social_Linking] includes\class-heateor-social-login.php:233

WordPress Hooks 45

actionwpmu_new_blogheateor-social-login.php:137

actionadmin_menuincludes\class-heateor-social-login.php:132

actionadmin_noticesincludes\class-heateor-social-login.php:133

actionadmin_initincludes\class-heateor-social-login.php:134

actionlogin_formincludes\class-heateor-social-login.php:137

actionbp_before_sidebar_login_formincludes\class-heateor-social-login.php:138

actionregister_formincludes\class-heateor-social-login.php:141

actionafter_signup_formincludes\class-heateor-social-login.php:142

actionbp_before_account_details_fieldsincludes\class-heateor-social-login.php:143

actioncomment_form_must_log_in_afterincludes\class-heateor-social-login.php:148

actioncomment_form_topincludes\class-heateor-social-login.php:150

actionwoocommerce_before_customer_login_formincludes\class-heateor-social-login.php:154

actionwoocommerce_login_formincludes\class-heateor-social-login.php:157

actionwoocommerce_register_formincludes\class-heateor-social-login.php:160

actionwoocommerce_checkout_before_customer_detailsincludes\class-heateor-social-login.php:163

actionastra_checkout_login_field_beforeincludes\class-heateor-social-login.php:165

actionplugins_loadedincludes\class-heateor-social-login.php:167

actionplugin_action_links_heateor-social-login/heateor-social-login.phpincludes\class-heateor-social-login.php:168

actionedit_user_profileincludes\class-heateor-social-login.php:172

actionshow_user_profileincludes\class-heateor-social-login.php:173

actionpersonal_options_updateincludes\class-heateor-social-login.php:176

actionedit_user_profile_updateincludes\class-heateor-social-login.php:177

filtersanitize_userincludes\class-heateor-social-login.php:180

actionbp_includeincludes\class-heateor-social-login.php:182

actionmanage_users_columnsincludes\class-heateor-social-login.php:185

filtermanage_users_custom_columnincludes\class-heateor-social-login.php:186

actionadmin_headincludes\class-heateor-social-login.php:189

actioninitincludes\class-heateor-social-login.php:200

filterget_avatarincludes\class-heateor-social-login.php:201

filterbp_core_fetch_avatarincludes\class-heateor-social-login.php:202

filterget_avatar_urlincludes\class-heateor-social-login.php:203

actionheateor_sl_before_registrationincludes\class-heateor-social-login.php:204

actionadmin_noticesincludes\class-heateor-social-login.php:205

actionbp_setup_navincludes\class-heateor-social-login.php:206

filterlogin_messageincludes\class-heateor-social-login.php:207

actionbp_includeincludes\class-heateor-social-login.php:209

actionwidgets_initincludes\class-heateor-social-login.php:220

actionwp_enqueue_scriptspublic\class-heateor-social-login-public.php:2313

actionlogin_enqueue_scriptspublic\class-heateor-social-login-public.php:2314

actionwp_enqueue_scriptspublic\class-heateor-social-login-public.php:2315

actionlogin_enqueue_scriptspublic\class-heateor-social-login-public.php:2316

actionwp_enqueue_scriptspublic\class-heateor-social-login-public.php:2317

actionlogin_enqueue_scriptspublic\class-heateor-social-login-public.php:2318

actionparse_requestpublic\class-heateor-social-login-public.php:2319

actionbp_template_contentpublic\class-heateor-social-login-public.php:2426

Maintenance & Trust

Heateor Social Login WordPress Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5

Last updatedSep 17, 2025

PHP min version

Downloads35K

Community Trust

Rating88/100

Number of ratings18

Active installs1K

Alternatives

Heateor Social Login WordPress Alternatives

Social Login

oa-social-login

With Social Login your users can login, register and comment with 40+ Social Networks. Maintenance Free. Uptime Guarantee. Fulltime devs

5K 1 CVE

UsersWP – Social Login

userswp-social-login

100

Social Login addon for UsersWP.

2K No CVEs

JSON API User

json-api-user

Extends the JSON API Plugin to allow RESTful user registration, authentication & many other User Meta, BP functions. A Pro version is also available.

1K 1 CVE

Happy Social Login

happy-social-login

Enables user authentication through various social media accounts. Login through Google, Facebook, LinkedIn, GitHub and more.

100 No CVEs

Ultimate AJAX Login

ultimate-ajax-login

Very flexible and easy to use AJAX Login plugin with redirects, customizable templates...

100 1 unpatched

Developer Profile

Heateor Social Login WordPress Developer Profile

Heateor Support

6 plugins · 107K total installs

trust score

Avg Security Score

92/100

Avg Patch Time

174 days

View full developer profile

Detection Fingerprints

How We Detect Heateor Social Login WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/heateor-social-login/css/heateor-social-login-admin.css/wp-content/plugins/heateor-social-login/css/heateor-social-login-public.css/wp-content/plugins/heateor-social-login/js/heateor-social-login-admin.js/wp-content/plugins/heateor-social-login/js/heateor-social-login-fb-sdk.js/wp-content/plugins/heateor-social-login/js/heateor-social-login-public.js

Version Parameters

heateor-social-login/css/heateor-social-login-admin.css?ver=heateor-social-login/css/heateor-social-login-public.css?ver=heateor-social-login/js/heateor-social-login-admin.js?ver=heateor-social-login/js/heateor-social-login-fb-sdk.js?ver=heateor-social-login/js/heateor-social-login-public.js?ver=

HTML / DOM Fingerprints

CSS Classes

heateor_social_loginheateor_sl_loginheateor_sl_social_login_div

Data Attributes

data-plugin-name="heateor-social-login"data-version="1.1.39"

JS Globals

heateorSlWebsiteUrlheateorSlHelpBubbleTitle

FAQ