IndieAuth Security & Risk Analysis

wordpress.org/plugins/indieauth

IndieAuth is a way to allow users to use their own domain to sign into other websites and services.

400 active installs · v4.5.5 · PHP 7.4+ · WP 6.2+ · Updated Oct 25, 2025
Tags: indieauth, indieweb, login, oauth

Score: 97 (A · Safe)
CVEs total: 1
Unpatched: 0
Last CVE: Oct 23, 2025
Safety Verdict

Is IndieAuth Safe to Use in 2026?

Generally Safe

Score 97/100

IndieAuth has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Oct 23, 2025 · Updated 5mo ago
Risk Assessment

The "indieauth" plugin version 4.5.5 exhibits a mixed security posture. On the positive side, the plugin demonstrates good coding practices by extensively using prepared statements for SQL queries and properly escaping a high percentage of output. The absence of dangerous functions, file operations, and critical or high severity taint flows is also encouraging.

However, there are significant concerns regarding the plugin's attack surface. All 9 REST API routes lack permission callbacks, meaning any unauthenticated user can potentially interact with these endpoints. This creates a substantial risk, as these routes are effectively unprotected entry points into the plugin's functionality. While there are no active unpatched vulnerabilities, the plugin has a history of a high severity vulnerability, specifically Cross-Site Request Forgery (CSRF), which suggests a past weakness that attackers might still seek to exploit if similar patterns exist in the current code.

In conclusion, while the core coding practices for data handling are robust, the unprotected REST API routes represent a critical security flaw that overshadows the positive aspects. The history of a high-severity vulnerability, even if patched, warrants careful consideration, especially in conjunction with the exposed attack surface.

Key Concerns

  • 9 REST API routes without permission callbacks
  • High severity vulnerability in history (CSRF)
Vulnerabilities (1)

IndieAuth Security Vulnerabilities

CVEs by Year

2025: 1 CVE (patched)

Severity Breakdown

High: 1 (1 total CVE)

CVE-2025-12028 · High · 8.8 · Cross-Site Request Forgery (CSRF)

IndieAuth <= 4.5.4 - Cross-Site Request Forgery to Account Takeover via Stolen OAuth Tokens

Oct 23, 2025 · Patched in 4.5.5 (7 days)
Code Analysis (analyzed Mar 16, 2026)

IndieAuth Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 1 (3 prepared)
  • Unescaped Output: 8 (107 escaped)
  • Nonce Checks: 3
  • Capability Checks: 3
  • File Operations: 0
  • External Requests: 9
  • Bundled Libraries: 0

SQL Query Safety

75% prepared (4 total queries)

Output Escaping

93% escaped (115 total outputs)

Data Flows: all sanitized

Data Flow Analysis

4 flows, confirmed (includes\class-indieauth-authorization-endpoint.php:476)
Flow table columns: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface (9 unprotected)

IndieAuth Attack Surface

Entry Points: 9 · Unprotected: 9

REST API Routes (9)

  • GET /wp-json/indieauth/1.0/auth (includes\class-indieauth-authorization-endpoint.php:67)
  • GET /wp-json/indieauth/1.0/test (includes\class-indieauth-debug.php:79)
  • GET /wp-json/indieauth/1.0/introspection (includes\class-indieauth-introspection-endpoint.php:37)
  • GET /wp-json/indieauth/1.0/metadata (includes\class-indieauth-metadata-endpoint.php:115)
  • GET /wp-json/indieauth/1.0/revocation (includes\class-indieauth-revocation-endpoint.php:37)
  • GET /wp-json/indieauth/1.0/ticket (includes\class-indieauth-ticket-endpoint.php:43)
  • GET /wp-json/indieauth/1.0/token (includes\class-indieauth-token-endpoint.php:63)
  • GET /wp-json/indieauth/1.0/token (includes\class-indieauth-token-endpoint.php:101)
  • GET /wp-json/indieauth/1.0/userinfo (includes\class-indieauth-userinfo-endpoint.php:33)
WordPress Hooks (60)

  • action admin_init (includes\class-external-token-page.php:14)
  • action admin_menu (includes\class-external-token-page.php:15)
  • action admin_init (includes\class-indieauth-admin.php:10)
  • action init (includes\class-indieauth-admin.php:11)
  • action login_form_authdiag (includes\class-indieauth-admin.php:12)
  • action admin_menu (includes\class-indieauth-admin.php:13)
  • filter site_status_tests (includes\class-indieauth-admin.php:14)
  • action rest_api_init (includes\class-indieauth-authorization-endpoint.php:12)
  • action login_form_indieauth (includes\class-indieauth-authorization-endpoint.php:13)
  • filter indieauth_metadata (includes\class-indieauth-authorization-endpoint.php:14)
  • filter rest_index_indieauth_endpoints (includes\class-indieauth-authorization-endpoint.php:15)
  • action wp_head (includes\class-indieauth-authorization-endpoint.php:17)
  • action template_redirect (includes\class-indieauth-authorization-endpoint.php:18)
  • filter determine_current_user (includes\class-indieauth-authorize.php:27)
  • filter rest_authentication_errors (includes\class-indieauth-authorize.php:28)
  • filter indieauth_scopes (includes\class-indieauth-authorize.php:30)
  • filter indieauth_response (includes\class-indieauth-authorize.php:31)
  • filter wp_rest_server_class (includes\class-indieauth-authorize.php:32)
  • filter rest_request_after_callbacks (includes\class-indieauth-authorize.php:33)
  • action init (includes\class-indieauth-client-taxonomy.php:9)
  • filter terms_clauses (includes\class-indieauth-client-taxonomy.php:19)
  • filter http_request_args (includes\class-indieauth-debug.php:7)
  • filter rest_post_dispatch (includes\class-indieauth-debug.php:8)
  • action rest_api_init (includes\class-indieauth-debug.php:9)
  • action rest_api_init (includes\class-indieauth-introspection-endpoint.php:9)
  • filter indieauth_metadata (includes\class-indieauth-introspection-endpoint.php:10)
  • filter rest_index_indieauth_endpoints (includes\class-indieauth-introspection-endpoint.php:11)
  • filter rest_pre_serve_request (includes\class-indieauth-metadata-endpoint.php:8)
  • filter rest_index (includes\class-indieauth-metadata-endpoint.php:9)
  • action rest_api_init (includes\class-indieauth-metadata-endpoint.php:10)
  • action wp_head (includes\class-indieauth-metadata-endpoint.php:11)
  • action template_redirect (includes\class-indieauth-metadata-endpoint.php:12)
  • action rest_api_init (includes\class-indieauth-revocation-endpoint.php:8)
  • filter indieauth_metadata (includes\class-indieauth-revocation-endpoint.php:9)
  • filter rest_index_indieauth_endpoints (includes\class-indieauth-revocation-endpoint.php:10)
  • filter map_meta_cap (includes\class-indieauth-scopes.php:12)
  • action rest_api_init (includes\class-indieauth-ticket-endpoint.php:10)
  • action template_redirect (includes\class-indieauth-ticket-endpoint.php:11)
  • action wp_head (includes\class-indieauth-ticket-endpoint.php:12)
  • action indieauth_metadata (includes\class-indieauth-ticket-endpoint.php:13)
  • action indieauth_ticket_redeemed (includes\class-indieauth-ticket-endpoint.php:14)
  • action rest_api_init (includes\class-indieauth-token-endpoint.php:12)
  • filter indieauth_metadata (includes\class-indieauth-token-endpoint.php:13)
  • filter rest_index_indieauth_endpoints (includes\class-indieauth-token-endpoint.php:14)
  • action wp_head (includes\class-indieauth-token-endpoint.php:16)
  • action template_redirect (includes\class-indieauth-token-endpoint.php:17)
  • action admin_init (includes\class-indieauth-token-ui.php:14)
  • action admin_menu (includes\class-indieauth-token-ui.php:15)
  • action admin_action_indieauth_newtoken (includes\class-indieauth-token-ui.php:16)
  • action admin_action_indieauth_client_discovery (includes\class-indieauth-token-ui.php:17)
  • action rest_api_init (includes\class-indieauth-userinfo-endpoint.php:9)
  • filter indieauth_metadata (includes\class-indieauth-userinfo-endpoint.php:10)
  • filter rest_index_indieauth_endpoints (includes\class-indieauth-userinfo-endpoint.php:11)
  • action init (includes\class-web-signin.php:8)
  • action login_form (includes\class-web-signin.php:10)
  • action login_form_websignin (includes\class-web-signin.php:11)
  • action authenticate (includes\class-web-signin.php:13)
  • action upgrader_process_complete (indieauth.php:30)
  • action indieauth_cleanup (indieauth.php:31)
  • action init (indieauth.php:178)

Scheduled Events (1)

  • indieauth_cleanup
Maintenance & Trust

IndieAuth Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.7.5
  • Last updated: Oct 25, 2025
  • PHP min version: 7.4
  • Downloads: 30K

Community Trust

  • Rating: 100/100
  • Number of ratings: 4
  • Active installs: 400
Developer Profile

IndieAuth Developer Profile

IndieWeb

5 plugins · 1K total installs

  • Trust score: 94
  • Avg Security Score: 92/100
  • Avg Patch Time: 4 days
Detection Fingerprints

How We Detect IndieAuth

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/indieauth/includes/class-indieauth-debug.php
  • /wp-content/plugins/indieauth/includes/class-indieauth-introspection-endpoint.php
  • /wp-content/plugins/indieauth/includes/class-indieauth-revocation-endpoint.php
  • /wp-content/plugins/indieauth/includes/class-indieauth-token-endpoint.php
  • /wp-content/plugins/indieauth/includes/class-indieauth-userinfo-endpoint.php
  • /wp-content/plugins/indieauth/includes/class-indieauth-authorization-endpoint.php
  • /wp-content/plugins/indieauth/includes/class-indieauth-metadata-endpoint.php
  • /wp-content/plugins/indieauth/includes/class-indieauth-client.php
  • +10 more

HTML / DOM Fingerprints

JS Globals

  • window.indieauth
  • indieauth

REST Endpoints

  • /indieauth/1.0/auth
  • /indieauth/1.0/token
  • /indieauth/1.0/revoke
  • /indieauth/1.0/userinfo
  • /indieauth/1.0/introspection
FAQ

Frequently Asked Questions about IndieAuth