WP-Safety

JWT Authenticator Security & Risk Analysis

wordpress.org/plugins/jwt-authenticator

This plugin integrates JWT authentication and automates user creation.

10 active installs v1.1 PHP + WP 3.2+ Updated Dec 1, 2016
authenticationjwtloginssotoken
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is JWT Authenticator Safe to Use in 2026?

Generally Safe

Score 85/100

JWT Authenticator has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 9yr ago
Risk Assessment

The "jwt-authenticator" plugin v1.0 exhibits a mixed security posture. A significant concern is the presence of a REST API route that lacks any permission callback, creating a direct and unprotected entry point into the WordPress application. While the static analysis shows no dangerous functions, 100% prepared SQL statements, and high output escaping, the absence of capability checks on the identified REST API route is a critical oversight. The plugin's vulnerability history is clean, with no known CVEs, which is a positive indicator of general stability. However, this lack of historical vulnerabilities should not overshadow the immediate risk posed by the unprotected REST API endpoint, which could potentially be exploited by unauthenticated attackers.

Key Concerns

  • Unprotected REST API route
  • Missing capability checks on entry points
Vulnerabilities
None known

JWT Authenticator Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

JWT Authenticator Release Timeline

No version history available.
Code Analysis
Analyzed Mar 16, 2026

JWT Authenticator Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
3
24 escaped
Nonce Checks
0
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

89% escaped27 total outputs
Attack Surface
1 unprotected

JWT Authenticator Attack Surface

Entry Points1
Unprotected1

REST API Routes 1

POST/wp-json/jwt-auth/v1callbackauth.php:14
WordPress Hooks 4
actionrest_api_initauth.php:13
filterlogin_messageauth.php:97
actionadmin_menusettings.php:15
actionadmin_initsettings.php:16
Maintenance & Trust

JWT Authenticator Maintenance & Trust

Maintenance Signals

WordPress version tested4.6.30
Last updatedDec 1, 2016
PHP min version
Downloads2K

Community Trust

Rating0/100
Number of ratings0
Active installs10
Alternatives

JWT Authenticator Alternatives

AH JWT Auth

AH JWT Auth

ah-jwt-auth

A
92

This plugin allows sign in to WordPress using a JSON Web Token (JWT) contained in a HTTP Header.

10 No CVEs
Twelve Legs Marketing SSO

Twelve Legs Marketing SSO

twelve-legs-marketing-sso

A
100

Single sign-on plugin for WordPress that accepts RS256 JWTs from the TWL SSO application for secure authentication.

0 No CVEs
Login for Google Apps

Login for Google Apps

google-apps-login

A
92

Simple secure login and user management through your Google Workspace for WordPress (using oAuth2 and MFA if enabled).

10K 1 CVE
JWT Auth – WordPress JSON Web Token Authentication

JWT Auth – WordPress JSON Web Token Authentication

jwt-auth

B
83

Create JSON Web Token Authentication in WordPress.

6K 1 CVE
Log in with Google

Log in with Google

login-with-google

A
100

Minimal plugin that allows WordPress users to log in using Google.

6K No CVEs
Developer Profile

JWT Authenticator Developer Profile

Shawn

2 plugins · 20 total installs

84
trust score
Avg Security Score
85/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect JWT Authenticator

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

HTML / DOM Fingerprints

REST Endpoints
/wp-json/jwt-auth/v1/callback
FAQ

Frequently Asked Questions about JWT Authenticator