HTAuth Sync Security & Risk Analysis

wordpress.org/plugins/htauth-sync

Synchronize your Wordpress users with a htusers file for authentication outside of Wordpress

10 active installs v1.1 PHP + WP 3.5+ Updated Jan 7, 2014
Tags: apache · authentication · htaccess · htauth · htdigest · htusers

Score: 85 · A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is HTAuth Sync Safe to Use in 2026?

Generally Safe

Score 85/100

HTAuth Sync has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 12 years ago
Risk Assessment

The "htauth-sync" v1.1 plugin presents a mixed security posture. On one hand, the absence of known vulnerabilities (CVEs) and the use of prepared statements for all SQL queries are positive indicators. The plugin also has a seemingly small attack surface with no reported AJAX handlers, REST API routes, shortcodes, or cron events that are accessible externally.

However, significant concerns arise from the static code analysis. The presence of the `unserialize` function is a critical risk, especially without proper input validation or sanitization. Furthermore, 100% of the output is unescaped, making the plugin highly vulnerable to Cross-Site Scripting (XSS) attacks. The taint analysis revealing two flows with unsanitized paths further exacerbates these risks, suggesting that attacker-controlled data could be processed in a dangerous manner.

The lack of any recorded vulnerability history is encouraging but should be viewed cautiously given the evident code weaknesses. The plugin's strengths lie in its SQL practices and limited external entry points, but these are overshadowed by the critical risks associated with unserialization and unescaped output. A balanced conclusion is that while the plugin may not have a history of being exploited, the current code contains fundamental security flaws that require immediate attention.

Key Concerns

  • Unescaped output (100%)
  • Dangerous function: unserialize used
  • Taint flow with unsanitized path (x2)
  • Missing nonce checks
  • Missing capability checks

Vulnerabilities

None known

HTAuth Sync Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

HTAuth Sync Release Timeline

v1.1 (Current)
v1.0.0
Code Analysis
Analyzed Mar 17, 2026

HTAuth Sync Code Analysis

Dangerous Functions: 2
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 7 (0 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 3
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

unserialize · htauthsync.php:58 · `update_option(HTDIGESTSYNC_OPTIONS, unserialize(HTDIGESTSYNC_DEFAULT_OPTIONS));`
unserialize · htauthsync.php:68 · `$defaultOptions = unserialize(HTDIGESTSYNC_DEFAULT_OPTIONS);`

Output Escaping

0% escaped · 7 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

2 flows · 2 with unsanitized paths
optionsPage (htauthsync.php:354)
Flow diagram legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface

HTAuth Sync Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 4
action `edit_user_profile_update` · htauthsync.php:434
action `personal_options_update` · htauthsync.php:435
filter `wp_authenticate_user` · htauthsync.php:436
action `admin_menu` · htauthsync.php:438
Maintenance & Trust

HTAuth Sync Maintenance & Trust

Maintenance Signals

WordPress version tested: 3.7.41
Last updated: Jan 7, 2014
PHP min version:
Downloads: 2K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 10
Developer Profile

HTAuth Sync Developer Profile

John Luetke

3 plugins · 120 total installs

Trust score: 79
Avg Security Score: 78/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect HTAuth Sync

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Version Parameters
htauth-sync/style.css?ver=
htauth-sync/htauth-sync.js?ver=

HTML / DOM Fingerprints

HTML Comments
<!-- Not Synchronized -->
JS Globals
htauth_sync_ajax_object
FAQ

Frequently Asked Questions about HTAuth Sync