Does JWT Auth – WordPress JSON Web Token Authentication have any unpatched vulnerabilities?

No. All known vulnerabilities in JWT Auth – WordPress JSON Web Token Authentication have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is JWT Auth – WordPress JSON Web Token Authentication compatible with WordPress 6.5.8?

According to WordPress.org data, JWT Auth – WordPress JSON Web Token Authentication 3.0.2 has been tested up to WordPress 6.5.8. Check the plugin's changelog for the latest compatibility information.

Is JWT Auth – WordPress JSON Web Token Authentication compatible with PHP 7.2+?

JWT Auth – WordPress JSON Web Token Authentication requires PHP 7.2 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

What is JWT Auth – WordPress JSON Web Token Authentication's security score?

JWT Auth – WordPress JSON Web Token Authentication has a WP-Safety security score of 90/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

JWT Auth – WordPress JSON Web Token Authentication Security & Risk Analysis

wordpress.org/plugins/jwt-auth

Create JSON Web Token Authentication in WordPress.

6K active installs v3.0.2 PHP 7.2+ WP 5.2+ Updated May 7, 2024

json-web-tokenjwtjwt-authtoken-authentication

A · Safe

CVEs total1

Unpatched0

Last CVENov 11, 2022

Plugin page Download

Safety Verdict

Is JWT Auth – WordPress JSON Web Token Authentication Safe to Use in 2026?

Generally Safe

Score 90/100

JWT Auth – WordPress JSON Web Token Authentication has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVELast CVE: Nov 11, 2022Updated 1yr ago

Risk Assessment

The jwt-auth plugin, version 3.0.2, exhibits a generally good security posture with several strengths, including 100% of SQL queries using prepared statements and a single nonce check and capability check present. The absence of dangerous functions, file operations, and external HTTP requests, coupled with no critical or high severity taint flows, indicates careful coding practices in these areas. However, a critical vulnerability in its history, specifically an 'Access of Resource Using Incompatible Type' type, despite being patched, warrants attention and suggests that the plugin may be susceptible to complex vulnerabilities. The relatively low number of total entry points (2) with none noted as unprotected is also a positive indicator.

Key Concerns

Critical vulnerability in history (Type Confusion)
Bundled library (Guzzle) - potential for outdated versions
77% proper output escaping - 23% potentially unescaped

Vulnerabilities

JWT Auth – WordPress JSON Web Token Authentication Security Vulnerabilities

CVEs by Year

1 CVE in 2022

2022

Patched Has unpatched

Severity Breakdown

Critical

1 total CVE

CVE-2021-46743critical · 9.1Access of Resource Using Incompatible Type ('Type Confusion')

Firebase PHP-JWT < 6.0.0 - Algorithm Confusion

Nov 11, 2022 Patched in 2.1.1 (438d)

Code Analysis

Analyzed Mar 16, 2026

JWT Auth – WordPress JSON Web Token Authentication Code Analysis

Dangerous Functions

Raw SQL Queries

4 prepared

Unescaped Output

33 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Guzzle

SQL Query Safety

100% prepared4 total queries

Output Escaping

77% escaped43 total outputs

Data Flows

All sanitized

Data Flow Analysis

1 flows

<class-devices> (class-devices.php:0)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

JWT Auth – WordPress JSON Web Token Authentication Attack Surface

Entry Points2

Unprotected0

AJAX Handlers 1

authwp_ajax_remove_deviceclass-devices.php:24

Shortcodes 1

[jwt_auth_devices] class-devices.php:25

WordPress Hooks 17

filterrest_allowed_cors_headersclass-auth.php:113

actionshow_user_profileclass-devices.php:21

actionedit_user_profileclass-devices.php:22

actionprofile_updateclass-devices.php:27

actionafter_password_resetclass-devices.php:28

actionuser_registerclass-devices.php:29

filterjwt_auth_payloadclass-devices.php:31

filterjwt_auth_extra_token_checkclass-devices.php:32

actioninitclass-setup.php:34

actionrest_api_initclass-setup.php:39

filterrest_api_initclass-setup.php:40

filterrest_pre_dispatchclass-setup.php:41

filterdetermine_current_userclass-setup.php:42

actionjwt_auth_purge_expired_refresh_tokensclass-setup.php:54

actionin_plugin_update_message-jwt-auth/jwt-auth.phpclass-update.php:21

actionadmin_noticesclass-update.php:22

actionadmin_initclass-update.php:23

Scheduled Events 1

jwt_auth_purge_expired_refresh_tokens

Maintenance & Trust

JWT Auth – WordPress JSON Web Token Authentication Maintenance & Trust

Maintenance Signals

WordPress version tested6.5.8

Last updatedMay 7, 2024

PHP min version7.2

Downloads104K

Community Trust

Rating100/100

Number of ratings22

Active installs6K

Alternatives

JWT Auth – WordPress JSON Web Token Authentication Alternatives

Simple JWT Auth

simple-jwt-auth

Extends the WP REST API using JSON Web Tokens for robust authentication, providing a secure and reliable way to access and manage WordPress data.

0 No CVEs

JWT Authentication for WP REST APIs

wp-rest-api-authentication

Secure and protect WordPress REST API from unauthorized access using JWT token, Basic Authentication, API Key, OAuth 2, or external token.

20K 2 CVEs

WP Login and Register using JWT

WordPress login (WordPress Single Sign-On) using JWT token obtained from other WordPress sites or any other application. Synchronize user sessions bet …

200 1 CVE

Simple REST API Authenticaton with WooCommerce Credentials

wp-simple-rest-api-authentication

100

Simple REST API Authentication plugin for WordPress - a powerful solution for integrating your website with external applications.

50 No CVEs

JWT Authentication for WP REST API

jwt-authentication-for-wp-rest-api

100

Extends the WP REST API using JSON Web Tokens Authentication as an authentication method.

60K No CVEs

Developer Profile

JWT Auth – WordPress JSON Web Token Authentication Developer Profile

Bagus

2 plugins · 6K total installs

trust score

Avg Security Score

88/100

Avg Patch Time

438 days

View full developer profile

Detection Fingerprints

How We Detect JWT Auth – WordPress JSON Web Token Authentication

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/jwt-auth/assets/css/jwt-auth-admin.css/wp-content/plugins/jwt-auth/assets/js/jwt-auth-admin.js/wp-content/plugins/jwt-auth/assets/js/jwt-auth-blocks.js/wp-content/plugins/jwt-auth/assets/js/jwt-auth-admin-react.js

Script Paths

/wp-content/plugins/jwt-auth/assets/js/jwt-auth-admin.js/wp-content/plugins/jwt-auth/assets/js/jwt-auth-blocks.js/wp-content/plugins/jwt-auth/assets/js/jwt-auth-admin-react.js

Version Parameters

jwt-auth/assets/css/jwt-auth-admin.css?ver=jwt-auth/assets/js/jwt-auth-admin.js?ver=jwt-auth/assets/js/jwt-auth-blocks.js?ver=jwt-auth/assets/js/jwt-auth-admin-react.js?ver=

HTML / DOM Fingerprints

CSS Classes

jwt-auth-admin-wrapper

Data Attributes

data-jwt-auth-nonce

JS Globals

jwt_auth_ajax_object

REST Endpoints

/jwt-auth/v1/token/jwt-auth/v1/token/validate/jwt-auth/v1/token/refresh

FAQ