Does JSON API User have any unpatched vulnerabilities?

No. All known vulnerabilities in JSON API User have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is JSON API User compatible with WordPress 6.8.5?

According to WordPress.org data, JSON API User 4.1.0 has been tested up to WordPress 6.8.5. Check the plugin's changelog for the latest compatibility information.

Is JSON API User compatible with PHP 5.3+?

JSON API User requires PHP 5.3 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is JSON API User updated?

JSON API User was last updated on Jul 29, 2025. Frequent updates are generally a positive security signal.

What is JSON API User's security score?

JSON API User has a WP-Safety security score of 97/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

JSON API User Security & Risk Analysis

wordpress.org/plugins/json-api-user

Extends the JSON API Plugin to allow RESTful user registration, authentication & many other User Meta, BP functions. A Pro version is also available.

1K active installs v4.1.0 PHP 5.3+ WP 3.0.1+ Updated Jul 29, 2025

authenticationjson-apirestful-facebook-loginrestful-user-meta-and-buddypress-xprofilerestful-user-registration

A · Safe

CVEs total1

Unpatched0

Last CVEJul 10, 2024

Plugin page Download

Safety Verdict

Is JSON API User Safe to Use in 2026?

Generally Safe

Score 97/100

JSON API User has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVELast CVE: Jul 10, 2024Updated 8mo ago

Risk Assessment

The static analysis of the 'json-api-user' v4.1.0 plugin indicates a generally good security posture with no immediately apparent vulnerabilities within the current code version. The absence of dangerous functions, the exclusive use of prepared statements for SQL queries, and the proper escaping of all output are significant strengths. The plugin also correctly implements nonce checks for its single external HTTP request. However, the plugin does exhibit a concerning vulnerability history. The single known CVE, marked as critical and related to improper privilege management, remains a significant red flag, even though it is currently patched. This suggests that in the past, the plugin has had severe security flaws, implying potential for future issues if not actively maintained and scrutinized. While the current code appears clean, the historical context warrants caution and underscores the importance of staying updated with any future patches.

Key Concerns

Past critical CVE related to Improper Privilege Management

Vulnerabilities

JSON API User Security Vulnerabilities

CVEs by Year

1 CVE in 2024

2024

Patched Has unpatched

Severity Breakdown

Critical

1 total CVE

CVE-2024-6624critical · 9.8Improper Privilege Management

JSON API User <= 3.9.3 - Unauthenticated Privilege Escalation

Jul 10, 2024 Patched in 3.9.4 (20d)

Code Analysis

Analyzed Mar 16, 2026

JSON API User Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

11 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

100% escaped11 total outputs

Attack Surface

JSON API User Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 4

actionadmin_noticesjson-api-user.php:31

filterjson_api_controllersjson-api-user.php:49

filterjson_api_user_controller_pathjson-api-user.php:51

actioninitjson-api-user.php:53

Maintenance & Trust

JSON API User Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5

Last updatedJul 29, 2025

PHP min version5.3

Downloads121K

Community Trust

Rating78/100

Number of ratings21

Active installs1K

Alternatives

JSON API User Alternatives

JSON API Auth

json-api-auth

100

Extends the JSON API Plugin for RESTful user authentication

800 No CVEs

All-In-One Security (AIOS) – Security and Firewall

all-in-one-wp-security-and-firewall

Protect your website investment with All-In-One Security (AIOS) – a comprehensive and easy to use security plugin designed especially for WordPress.

1.0M 26 CVEs

Solid Security – Password, Two Factor Authentication, and Brute Force Protection

better-wp-security

Harden your site security with Login Security, Two-Factor Authentication (2FA), Vulnerability Scanner, Firewall, and more. Formerly iThemes Security.

700K 19 CVEs

Limit Login Attempts

limit-login-attempts

Limit rate of login attempts, including by way of cookies, for each IP. Fully customizable.

300K 3 CVEs

Two Factor

two-factor

100

Enable Two-Factor Authentication (2FA) using time-based one-time passwords (TOTP), Universal 2nd Factor (U2F), email, and backup verification codes.

100K No CVEs

Developer Profile

JSON API User Developer Profile

Ali Qureshi

5 plugins · 2K total installs

trust score

Avg Security Score

93/100

Avg Patch Time

20 days

View full developer profile

Detection Fingerprints

How We Detect JSON API User

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/json-api-user/css/json-api-user.css/wp-content/plugins/json-api-user/js/json-api-user.js

Script Paths

/wp-content/plugins/json-api-user/js/json-api-user.js

Version Parameters

json-api-user/css/json-api-user.css?ver=json-api-user/js/json-api-user.js?ver=

HTML / DOM Fingerprints

Data Attributes

data-nonce-value

JS Globals

json_api_user_pluginjson_api_noncejson_api_user

REST Endpoints

/wp-json/user/info/wp-json/user/register/wp-json/user/reset_password/wp-json/user/auth/wp-json/user/facebook_connect/wp-json/user/get_avatar/wp-json/user/get_user_meta/wp-json/user/update_user_meta/wp-json/user/get_users/wp-json/user/get_user/wp-json/user/update_user/wp-json/user/create_token/wp-json/user/get_nonce

FAQ