[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f0y2UzWoJVhpQDvYo35iLrghylMn6kutqFjzj_6QiVB8":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":24,"download_link":25,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28,"vulnerabilities":29,"developer":30,"crawl_stats":27,"alternatives":38,"analysis":122,"fingerprints":400},"keys-master","Keys Master","2.4.0","Pierre Lannoy","https:\u002F\u002Fprofiles.wordpress.org\u002Fpierrelannoy\u002F","\u003Cp>\u003Cstrong>Keys Master\u003C\u002Fstrong> is a powerful application passwords manager for WordPress with role-based usage control and full analytics reporting on password usage. It relies on the “application password” core feature introduced in WordPress 5.6 and adds extra features and controls to it.\u003C\u002Fp>\n\u003Cp>You can limit usage of application passwords, on a per role basis:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>maximum passwords per user;\u003C\u002Fli>\n\u003Cli>specific usage: none (blocks usage), only authentication and revocation or full management (with password creation).\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>For each role defined on your site, you can define a period during which a password can be unused before auto-revocation.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Keys Master\u003C\u002Fstrong> can report the following main items and metrics:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>KPIs: authentication success, number, creations and revocations of passwords, adoption and usage rate;\u003C\u002Fli>\n\u003Cli>channels breakdown;\u003C\u002Fli>\n\u003Cli>clients breakdown (requires the free \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fdevice-detector\u002F\" rel=\"ugc\">Device Detector\u003C\u002Fa> 
plugin);\u003C\u002Fli>\n\u003Cli>countries breakdown (requires the free \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fip-locator\u002F\" rel=\"ugc\">IP Locator\u003C\u002Fa> plugin);\u003C\u002Fli>\n\u003Cli>site breakdowns in multisites environments.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Keys Master\u003C\u002Fstrong> supports a set of WP-CLI commands to:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>manage WordPress application passwords (list, create and revoke) – see \u003Ccode>wp help apwd password\u003C\u002Fcode> for details;\u003C\u002Fli>\n\u003Cli>toggle on\u002Foff main settings – see \u003Ccode>wp help apwd settings\u003C\u002Fcode> for details;\u003C\u002Fli>\n\u003Cli>modify operations mode – see \u003Ccode>wp help apwd mode\u003C\u002Fcode> for details;\u003C\u002Fli>\n\u003Cli>display passwords statistics – see \u003Ccode>wp help apwd analytics\u003C\u002Fcode> for details.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>For a full help on WP-CLI commands in Keys Master, please \u003Ca href=\"https:\u002F\u002Fperfops.one\u002Fkeys-master-wpcli\" rel=\"nofollow ugc\">read this guide\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cblockquote>\n\u003Cp>\u003Cstrong>Keys Master\u003C\u002Fstrong> is part of \u003Ca href=\"https:\u002F\u002Fperfops.one\u002F\" rel=\"nofollow ugc\">PerfOps One\u003C\u002Fa>, a suite of free and open source WordPress plugins dedicated to observability and operations performance.\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Cp>\u003Cstrong>Keys Master\u003C\u002Fstrong> is a free and open source plugin for WordPress. It integrates many other free and open source works (as-is or modified). Please, see ‘about’ tab in the plugin settings to see the details.\u003C\u002Fp>\n\u003Ch4>Support\u003C\u002Fh4>\n\u003Cp>This plugin is free and provided without warranty of any kind. Use it at your own risk, I’m not responsible for any improper use of this plugin, nor for any damage it might cause to your site. 
Always backup all your data before installing a new plugin.\u003C\u002Fp>\n\u003Cp>Anyway, I’ll be glad to help you if you encounter issues when using this plugin. Just use the support section of this plugin page.\u003C\u002Fp>\n\u003Ch4>Privacy\u003C\u002Fh4>\n\u003Cp>This plugin, as any piece of software, is neither compliant nor non-compliant with privacy laws and regulations. It is your responsibility to use it – by activating the corresponding options or services – with respect for the personal data of your users and applicable laws.\u003C\u002Fp>\n\u003Cp>This plugin doesn’t set any cookie in the user’s browser.\u003C\u002Fp>\n\u003Cp>This plugin doesn’t handle personally identifiable information (PII).\u003C\u002Fp>\n\u003Ch4>Donation\u003C\u002Fh4>\n\u003Cp>If you like this plugin or find it useful and want to thank me for the work done, please consider making a donation to \u003Ca href=\"https:\u002F\u002Fwww.laquadrature.net\u002Fen\" rel=\"nofollow ugc\">La Quadrature Du Net\u003C\u002Fa> or the \u003Ca href=\"https:\u002F\u002Fwww.eff.org\u002F\" rel=\"nofollow ugc\">Electronic Frontier Foundation\u003C\u002Fa> which are advocacy groups defending the rights and freedoms of citizens on the Internet. 
By supporting them, you help the daily actions they perform to defend our fundamental freedoms!\u003C\u002Fp>\n","Powerful application passwords manager for WordPress with role-based usage control and full analytics reporting capabilities.",10,5961,0,"2025-11-22T11:42:00.000Z","6.9.4","6.2","8.1",[19,20,21,22,23],"application-password","authentication","rest-api","security","xml-rpc","https:\u002F\u002Fperfops.one\u002Fkeys-master","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fkeys-master.2.4.0.zip",100,null,"2026-03-15T15:16:48.613Z",[],{"slug":31,"display_name":7,"profile_url":8,"plugin_count":32,"total_installs":33,"avg_security_score":34,"avg_patch_time_days":35,"trust_score":36,"computed_at":37},"pierrelannoy",12,15110,99,65,87,"2026-04-03T20:22:33.723Z",[39,56,77,93,109],{"slug":40,"name":41,"version":42,"author":43,"author_profile":44,"description":45,"short_description":46,"active_installs":11,"downloaded":47,"rating":13,"num_ratings":13,"last_updated":48,"tested_up_to":15,"requires_at_least":49,"requires_php":50,"tags":51,"homepage":54,"download_link":55,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"ghostgate","GhostGate","1.3.3","codegee0958","https:\u002F\u002Fprofiles.wordpress.org\u002Fcodegee0958\u002F","\u003Cp>\u003Cstrong>GhostGate\u003C\u002Fstrong> is a lightweight yet powerful WordPress security plugin that eliminates the login page as an attack surface. 
Instead of just defending, it \u003Cstrong>erases the entrance\u003C\u002Fstrong> entirely with dynamic login URLs and multi-layer access verification.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>🔒 Hide your login URL with a custom slug and time-based code\u003C\u002Fli>\n\u003Cli>🔑 Built-in 2FA via email verification\u003C\u002Fli>\n\u003Cli>🚫 Auto-block brute force attacks by IP\u003C\u002Fli>\n\u003Cli>🧱 Disable\u002Flimit unused endpoints like XML-RPC and REST API\u003C\u002Fli>\n\u003Cli>👤 Prevent user enumeration via REST, RSS, and author queries\u003C\u002Fli>\n\u003Cli>🔍 Visualize security status and detect conflicts\u003C\u002Fli>\n\u003Cli>📜 Activity logs with optional file rotation\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>GhostGate doesn’t just defend — it disappears.\u003Cbr \u002F>\nInvisible to bots. Intuitive for users.\u003C\u002Fp>\n\u003Cp>👉 \u003Cstrong>Full features \u002F screenshots \u002F pricing \u002F docs\u003C\u002Fstrong>:\u003Cbr \u002F>\nhttps:\u002F\u002Farce-experience.com\u002Fproduct\u002F\u003C\u002Fp>\n\u003Ch3>Privacy\u003C\u002Fh3>\n\u003Cp>GhostGate can store the following data locally on your site to provide rate-limiting and security auditing:\u003Cbr \u002F>\n– IP addresses (for temporary throttling \u002F block lists)\u003Cbr \u002F>\n– Timestamps and event metadata (login attempts, REST\u002FXML-RPC hits)\u003Cbr \u002F>\n– Optional log files under \u003Ccode>wp-content\u002Fuploads\u002Fghostgate\u002Flogs\u003C\u002Fcode> (if enabled)\u003C\u002Fp>\n\u003Cp>No data is sent to third-party services.\u003Cbr \u002F>\nSite owners are responsible for informing users\u002Fvisitors where required by local laws. You can clear blocks\u002Flogs from the admin UI or by deleting the log files.\u003C\u002Fp>\n","Invisible, intelligent protection for WordPress. 
GhostGate hides your login page, blocks bots, and turns your site into a ghost fortress.",405,"2026-01-21T00:06:00.000Z","5.8","7.4",[52,21,22,53,23],"limit-login-attempts","two-factor-authentication","https:\u002F\u002Farce-experience.com\u002Fproduct\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fghostgate.1.3.3.zip",{"slug":57,"name":58,"version":59,"author":60,"author_profile":61,"description":62,"short_description":63,"active_installs":64,"downloaded":65,"rating":13,"num_ratings":13,"last_updated":66,"tested_up_to":67,"requires_at_least":68,"requires_php":69,"tags":70,"homepage":74,"download_link":75,"security_score":76,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"rest-api-key-authentication","WP REST API Key Authentication","1.0","Kamal Hosen","https:\u002F\u002Fprofiles.wordpress.org\u002Fikamal\u002F","\u003Cp>\u003Cstrong>WP REST API Key Authentication\u003C\u002Fstrong> adds a simple API key-based authentication method to the WordPress REST API. 
This plugin is perfect for developers who want to interact with the REST API securely without relying on complex OAuth authentication mechanisms.\u003C\u002Fp>\n\u003Ch3>Key Features:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Multiple API Keys\u003C\u002Fstrong>: Create and manage multiple API keys with custom names.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Secure API Key Storage\u003C\u002Fstrong>: API keys are hashed and securely stored in the WordPress database.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Single Display for Security\u003C\u002Fstrong>: API keys are shown only once after creation.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>REST API Access Control\u003C\u002Fstrong>: Authenticate requests by including an API key in the \u003Ccode>Authorization\u003C\u002Fcode> header.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Admin Interface\u003C\u002Fstrong>: Manage API keys with a user-friendly admin page.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Copy to Clipboard Popup\u003C\u002Fstrong>: Easily copy generated API keys with a built-in popup.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>The plugin is lightweight and integrates seamlessly with WordPress.\u003C\u002Fp>\n\u003Ch3>Usage\u003C\u002Fh3>\n\u003Col>\n\u003Cli>\n\u003Cp>\u003Cstrong>Generate an API Key\u003C\u002Fstrong>:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Go to \u003Cstrong>API Keys\u003C\u002Fstrong> in the WordPress admin menu.\u003C\u002Fli>\n\u003Cli>Enter a name for the API key and click “Generate API Key”.\u003C\u002Fli>\n\u003Cli>The API key will appear in a popup. 
Copy it immediately, as it will not be displayed again.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Use the API Key\u003C\u002Fstrong>:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Include the API key in the \u003Ccode>Authorization\u003C\u002Fcode> header of your REST API requests:\u003Cbr \u002F>\n \u003Ccode>Authorization: Bearer YOUR_API_KEY\u003C\u002Fcode>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Delete API Keys\u003C\u002Fstrong>:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>To revoke access, delete an API key from the \u003Cstrong>API Keys\u003C\u002Fstrong> admin page.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch3>License\u003C\u002Fh3>\n\u003Cp>This plugin is licensed under the GPLv2 or later. See the License URI for details.\u003C\u002Fp>\n","A simple plugin to add API key-based authentication to the WordPress REST API. Manage multiple API keys and secure your REST API endpoints.",20,952,"2025-01-16T09:18:00.000Z","6.7.5","5.0","7.2",[71,72,73,21,22],"access-control","api-authentication","api-key","","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frest-api-key-authentication.1.0.zip",92,{"slug":78,"name":79,"version":80,"author":81,"author_profile":82,"description":83,"short_description":84,"active_installs":13,"downloaded":85,"rating":13,"num_ratings":13,"last_updated":86,"tested_up_to":15,"requires_at_least":87,"requires_php":88,"tags":89,"homepage":74,"download_link":92,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"headlesskey-jwt-auth","HeadlessKey – JWT Auth","1.0.0","Hidayat Mahetar","https:\u002F\u002Fprofiles.wordpress.org\u002Fhidayatsafewp\u002F","\u003Cp>\u003Cstrong>HeadlessKey – JWT Auth\u003C\u002Fstrong> extends the REST API to provide a robust and secure authentication system using JSON Web Tokens (JWT). 
Designed for Headless WordPress, it enables seamless user authentication, registration, and session management via standard REST endpoints.\u003C\u002Fp>\n\u003Ch3>Key Features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Standard JWT Authentication\u003C\u002Fstrong>: Secure user authentication using industry-standard RFC 7519 tokens.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Multiple Algorithms\u003C\u002Fstrong>: Support for \u003Ccode>HS256\u003C\u002Fcode>, \u003Ccode>RS256\u003C\u002Fcode>, and \u003Ccode>ES256\u003C\u002Fcode> signing algorithms.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Comprehensive Endpoints\u003C\u002Fstrong>: Ready-to-use endpoints for Login, Register, Token Refresh, and Password Management.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Single Sign-On (SSO)\u003C\u002Fstrong>: Connect multiple sites with a secure, headers-based SSO exchange mechanism.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Role-Based Access Control (RBAC)\u003C\u002Fstrong>: Configure public or authenticated access for every endpoint.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Brute Force Protection\u003C\u002Fstrong>: Protects against attacks by locking users\u002FIPs after failed attempts.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Activity Logs\u003C\u002Fstrong>: Detailed audit trail of all authentication events, including IP and device data.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Security Webhooks\u003C\u002Fstrong>: Real-time JSON events sent to your external services for monitoring key actions.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Device Limits\u003C\u002Fstrong>: Restrict the number of active devices\u002Fsessions per user.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Developer Friendly\u003C\u002Fstrong>: Extensive hooks and filters for deep customization.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Configuration\u003C\u002Fh3>\n\u003Ch3>Secret Key\u003C\u002Fh3>\n\u003Cp>The plugin uses a secret key to sign tokens. By default, a secure random key is generated. 
For better security and consistency across environments, define your key in \u003Ccode>wp-config.php\u003C\u002Fcode>:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('headlesskey_SECRET_KEY', 'your-long-random-secure-string');\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>You can generate a strong salt here: \u003Ca href=\"https:\u002F\u002Fapi.wordpress.org\u002Fsecret-key\u002F1.1\u002Fsalt\u002F\" rel=\"nofollow ugc\">WordPress Salt Generator\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>CORS Support\u003C\u002Fh3>\n\u003Cp>Cross-Origin Resource Sharing (CORS) is enabled by default to allow frontend applications to connect. To disable or customize it via a constant:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('headlesskey_CORS', true); \u002F\u002F or false to disable\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>REST API Namespace\u003C\u002Fh3>\n\u003Cp>By default, endpoints are under \u003Ccode>wp-json\u002Fwpauthapi\u002Fv1\u003C\u002Fcode>. You can customize this namespace:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('headlesskey_REST_NAMESPACE', 'my-custom-auth');\ndefine('headlesskey_REST_VERSION', 'v2');\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Endpoints\u003C\u002Fh3>\n\u003Cp>The plugin adds the following endpoints under the \u003Ccode>\u002Fwp-json\u002Fheadlesskey\u002Fv1\u003C\u002Fcode> namespace:\u003C\u002Fp>\n\u003Cp>  Endpoint\u003Cbr \u002F>\n  HTTP Verb\u003Cbr \u002F>\n  Description\u003C\u002Fp>\n\u003Cp>  \u003Ccode>\u002Ftoken\u003C\u002Fcode>\u003Cbr \u002F>\n  POST\u003Cbr \u002F>\n  \u003Cstrong>Login\u003C\u002Fstrong>: Exchange username\u002Fpassword for a JWT.\u003C\u002Fp>\n\u003Cp>  \u003Ccode>\u002Ftoken\u002Fvalidate\u003C\u002Fcode>\u003Cbr \u002F>\n  POST\u003Cbr \u002F>\n  \u003Cstrong>Validate\u003C\u002Fstrong>: Check whether a token is valid.\u003C\u002Fp>\n\u003Cp>  \u003Ccode>\u002Ftoken\u002Frefresh\u003C\u002Fcode>\u003Cbr \u002F>\n  POST\u003Cbr \u002F>\n  \u003Cstrong>Refresh\u003C\u002Fstrong>: Exchange a valid token for a new one 
(rotation).\u003C\u002Fp>\n\u003Cp>  \u003Ccode>\u002Ftoken\u002Frevoke\u003C\u002Fcode>\u003Cbr \u002F>\n  POST\u003Cbr \u002F>\n  \u003Cstrong>Logout\u003C\u002Fstrong>: Invalidate a specific token.\u003C\u002Fp>\n\u003Cp>  \u003Ccode>\u002Fregister\u003C\u002Fcode>\u003Cbr \u002F>\n  POST\u003Cbr \u002F>\n  \u003Cstrong>Register\u003C\u002Fstrong>: Create a new user account.\u003C\u002Fp>\n\u003Cp>  \u003Ccode>\u002Flogin\u003C\u002Fcode>\u003Cbr \u002F>\n  POST\u003Cbr \u002F>\n  \u003Cstrong>Profile\u003C\u002Fstrong>: Login and get full user profile data in one request.\u003C\u002Fp>\n\u003Cp>  \u003Ccode>\u002Fforgot-password\u003C\u002Fcode>\u003Cbr \u002F>\n  POST\u003Cbr \u002F>\n  \u003Cstrong>Recover\u003C\u002Fstrong>: Request a password reset via Link or OTP.\u003C\u002Fp>\n\u003Cp>  \u003Ccode>\u002Freset-password\u003C\u002Fcode>\u003Cbr \u002F>\n  POST\u003Cbr \u002F>\n  \u003Cstrong>Reset\u003C\u002Fstrong>: Set a new password using a token or OTP.\u003C\u002Fp>\n\u003Cp>  \u003Ccode>\u002Fchange-password\u003C\u002Fcode>\u003Cbr \u002F>\n  POST\u003Cbr \u002F>\n  \u003Cstrong>Update\u003C\u002Fstrong>: Change password for authenticated user.\u003C\u002Fp>\n\u003Cp>  \u003Ccode>\u002Fsso\u002Fexchange\u003C\u002Fcode>\u003Cbr \u002F>\n  POST\u003Cbr \u002F>\n  \u003Cstrong>SSO\u003C\u002Fstrong>: Exchange a remote site token for a local session.\u003C\u002Fp>\n\u003Ch3>1. 
Login (Generate Token)\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Ftoken\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Authenticate a user and generate a JWT token.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"username\": \"admin\",\u003Cbr \u002F>\n  \"password\": \"secret-password\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...\",\u003Cbr \u002F>\n  \"expiration\": \"2023-10-27T10:00:00+00:00\",\u003Cbr \u002F>\n  \"expires_in\": 3600,\u003Cbr \u002F>\n  \"user\": {\u003Cbr \u002F>\n    \"ID\": 1,\u003Cbr \u002F>\n    \"user_login\": \"admin\",\u003Cbr \u002F>\n    \"user_email\": \"admin@example.com\",\u003Cbr \u002F>\n    \"display_name\": \"Administrator\",\u003Cbr \u002F>\n    \"roles\": [\"administrator\"]\u003Cbr \u002F>\n  },\u003Cbr \u002F>\n  \"refreshable\": true,\u003Cbr \u002F>\n  \"jti\": \"545086b9-450f-488b-a70d-3047d14d1101\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Ch3>2. 
Validate Token\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Ftoken\u002Fvalidate\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Validate if an existing token is valid.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"valid\": true,\u003Cbr \u002F>\n  \"data\": {\u003Cbr \u002F>\n    \"iss\": \"https:\u002F\u002Fexample.com\",\u003Cbr \u002F>\n    \"iat\": 1698393600,\u003Cbr \u002F>\n    \"exp\": 1698397200,\u003Cbr \u002F>\n    \"data\": {\u003Cbr \u002F>\n      \"ID\": 1,\u003Cbr \u002F>\n      \"user_login\": \"admin\"\u003Cbr \u002F>\n    }\u003Cbr \u002F>\n  }\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Ch3>3. 
Refresh Token\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Ftoken\u002Frefresh\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Rotate an expiring token for a fresh one.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.new...\",\u003Cbr \u002F>\n  \"expiration\": \"2023-10-27T11:00:00+00:00\",\u003Cbr \u002F>\n  \"user\": {\u003Cbr \u002F>\n    \"ID\": 1,\u003Cbr \u002F>\n    \"user_login\": \"admin\"\u003Cbr \u002F>\n  },\u003Cbr \u002F>\n  \"jti\": \"new-uuid-v4\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Ch3>4. Revoke Token (Logout)\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Ftoken\u002Frevoke\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Invalidate a token immediately.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"message\": \"Token revoked successfully.\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Ch3>5. 
Register User\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Fregister\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Create a new user account.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"username\": \"johndoe\",\u003Cbr \u002F>\n  \"email\": \"john@example.com\",\u003Cbr \u002F>\n  \"password\": \"secure-password\",\u003Cbr \u002F>\n  \"name\": \"John Doe\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"user_id\": 45,\u003Cbr \u002F>\n  \"user\": {\u003Cbr \u002F>\n    \"ID\": 45,\u003Cbr \u002F>\n    \"user_login\": \"johndoe\",\u003Cbr \u002F>\n    \"user_email\": \"john@example.com\",\u003Cbr \u002F>\n    \"display_name\": \"John Doe\",\u003Cbr \u002F>\n    \"roles\": [\"subscriber\"]\u003Cbr \u002F>\n  },\u003Cbr \u002F>\n  \"token_response\": {\u003Cbr \u002F>\n    \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOi...\",\u003Cbr \u002F>\n    \"expiration\": \"2023-10-27T10:00:00+00:00\"\u003Cbr \u002F>\n  }\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Ch3>6. 
User Profile (Login Extended)\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Flogin\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Alternative login endpoint that returns a cleaner profile structure.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"username\": \"admin\",\u003Cbr \u002F>\n  \"password\": \"secret-password\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...\",\u003Cbr \u002F>\n  \"expiration\": \"2023-10-27T10:00:00+00:00\",\u003Cbr \u002F>\n  \"user\": {\u003Cbr \u002F>\n    \"ID\": 1,\u003Cbr \u002F>\n    \"user_login\": \"admin\",\u003Cbr \u002F>\n    \"user_email\": \"admin@example.com\",\u003Cbr \u002F>\n    \"display_name\": \"Administrator\",\u003Cbr \u002F>\n    \"roles\": [\"administrator\"]\u003Cbr \u002F>\n  }\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Ch3>7. Forgot Password\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Fforgot-password\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Initiate password recovery. 
Note: \u003Ccode>delivery\u003C\u002Fcode> can be \u003Ccode>link\u003C\u002Fcode> or \u003Ccode>otp\u003C\u002Fcode>.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"login\": \"admin@example.com\",\u003Cbr \u002F>\n  \"delivery\": \"link\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"message\": \"Password reset email sent.\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Ch3>8. Reset Password\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Freset-password\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Reset password using the token sent via email or OTP.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request (Link method):\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"login\": \"admin@example.com\",\u003Cbr \u002F>\n  \"password\": \"new-secure-password\",\u003Cbr \u002F>\n  \"token\": \"generated-reset-key\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"message\": \"Password updated successfully.\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Ch3>9. Change Password\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Fchange-password\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Change password for currently authenticated user. 
Requires \u003Ccode>Authorization\u003C\u002Fcode> header.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Headers:\u003C\u002Fstrong>\u003Cbr \u002F>\n    Authorization: Bearer \u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"current_password\": \"old-password\",\u003Cbr \u002F>\n  \"new_password\": \"new-secure-password\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"message\": \"Password changed successfully. Please login again.\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Ch3>10. SSO Token Exchange\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Fsso\u002Fexchange\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Securely exchange a token from a connected remote site for a local authentication session. 
This powers the distributed Single Sign-On network.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"site_key\": \"remote-site-id\",\u003Cbr \u002F>\n  \"token\": \"remote-jwt-token\",\u003Cbr \u002F>\n  \"signature\": \"hmac-sha256-signature\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\nReturns a standard \u003Cstrong>Login\u003C\u002Fstrong> response (Token + User Data) if the signature is valid.\u003C\u002Fp>\n","A complete authentication solution for Headless WordPress applications using JWT, supporting Registration, SSO, RBAC, and advanced Security features.",133,"2026-02-08T10:59:00.000Z","6.0","8.0",[20,90,91,21,22],"headless","jwt","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fheadlesskey-jwt-auth.1.0.0.zip",{"slug":94,"name":95,"version":96,"author":97,"author_profile":98,"description":99,"short_description":100,"active_installs":13,"downloaded":101,"rating":13,"num_ratings":13,"last_updated":74,"tested_up_to":102,"requires_at_least":103,"requires_php":50,"tags":104,"homepage":106,"download_link":107,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":108},"juanma-jwt-auth-pro","JuanMa JWT Auth Pro","1.2.1","JuanMa Garrido","https:\u002F\u002Fprofiles.wordpress.org\u002Fjuanmaguitar\u002F","\u003Cp>Unlike basic JWT plugins that use \u003Cstrong>single long-lived tokens\u003C\u002Fstrong>, JWT Auth Pro implements \u003Cstrong>modern OAuth 2.0 security best practices\u003C\u002Fstrong> with short-lived access tokens and secure refresh tokens.\u003C\u002Fp>\n\u003Ch4>Why JWT Auth Pro?\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>The Problem with Basic JWT Plugins:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Long-lived tokens (24h+) = Higher security risk\u003Cbr \u002F>\n* No refresh mechanism = Tokens live until expiry\u003Cbr \u002F>\n* XSS vulnerable = 
Tokens stored in localStorage\u003Cbr \u002F>\n* No revocation = Can’t invalidate compromised tokens\u003C\u002Fp>\n\u003Cp>\u003Cstrong>JWT Auth Pro Solution:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Short-lived access tokens (1h default) = Minimal attack window\u003Cbr \u002F>\n* Secure refresh tokens = HTTP-only cookies, XSS protected\u003Cbr \u002F>\n* Automatic token rotation = Fresh tokens on each refresh\u003Cbr \u002F>\n* Complete session control = Revoke any user session instantly\u003C\u002Fp>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Simple JWT Authentication\u003C\u002Fstrong> – Clean, stateless token-based auth\u003C\u002Fli>\n\u003Cli>\u003Cstrong>HTTPOnly Refresh Tokens\u003C\u002Fstrong> – Secure refresh tokens in HTTP-only cookies\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Rotation\u003C\u002Fstrong> – Automatic refresh token rotation for enhanced security\u003C\u002Fli>\n\u003Cli>\u003Cstrong>CORS Support\u003C\u002Fstrong> – Proper cross-origin request handling\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Clean Admin Interface\u003C\u002Fstrong> – Simple configuration in WordPress admin\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Developer Friendly\u003C\u002Fstrong> – Clear endpoints and documentation\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Security Comparison\u003C\u002Fh4>\n\u003Cp>  Feature\u003Cbr \u002F>\n  Basic JWT Plugins\u003Cbr \u002F>\n  JWT Auth Pro\u003C\u002Fp>\n\u003Cp>  Token Lifetime\u003Cbr \u002F>\n  Long (hours\u002Fdays)\u003Cbr \u002F>\n  Short (1 hour)\u003C\u002Fp>\n\u003Cp>  Refresh Tokens\u003Cbr \u002F>\n  None\u003Cbr \u002F>\n  Secure HTTP-only\u003C\u002Fp>\n\u003Cp>  XSS Protection\u003Cbr \u002F>\n  Limited\u003Cbr \u002F>\n  HTTP-only cookies\u003C\u002Fp>\n\u003Cp>  Token Revocation\u003Cbr \u002F>\n  Manual only\u003Cbr \u002F>\n  Automatic rotation\u003C\u002Fp>\n\u003Cp>  Session Management\u003Cbr \u002F>\n  None\u003Cbr \u002F>\n  Database tracking\u003C\u002Fp>\n\u003Cp>  Security 
Metadata\u003Cbr \u002F>\n  None\u003Cbr \u002F>\n  IP + User Agent\u003C\u002Fp>\n\u003Ch4>Perfect for:\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Single Page Applications (React, Vue, Angular)\u003C\u002Fli>\n\u003Cli>Mobile Applications (iOS, Android)\u003C\u002Fli>\n\u003Cli>API Integrations (Third-party services)\u003C\u002Fli>\n\u003Cli>Headless WordPress (Decoupled architecture)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>API Endpoints\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Ccode>POST \u002Fwp-json\u002Fjwt\u002Fv1\u002Ftoken\u003C\u002Fcode> – Login and get access token\u003C\u002Fli>\n\u003Cli>\u003Ccode>POST \u002Fwp-json\u002Fjwt\u002Fv1\u002Frefresh\u003C\u002Fcode> – Refresh access token\u003C\u002Fli>\n\u003Cli>\u003Ccode>GET \u002Fwp-json\u002Fjwt\u002Fv1\u002Fverify\u003C\u002Fcode> – Verify token and get user info\u003C\u002Fli>\n\u003Cli>\u003Ccode>POST \u002Fwp-json\u002Fjwt\u002Fv1\u002Flogout\u003C\u002Fcode> – Logout and revoke refresh token\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Security\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Stateless Authentication\u003C\u002Fstrong> – JWT tokens contain all necessary information\u003C\u002Fli>\n\u003Cli>\u003Cstrong>HTTPOnly Cookies\u003C\u002Fstrong> – Refresh tokens stored securely, inaccessible to JavaScript\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Rotation\u003C\u002Fstrong> – Refresh tokens automatically rotate on use\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Configurable Expiration\u003C\u002Fstrong> – Set custom expiration times\u003C\u002Fli>\n\u003Cli>\u003Cstrong>IP & User Agent Tracking\u003C\u002Fstrong> – Additional security metadata\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Support\u003C\u002Fh3>\n\u003Cp>For support and documentation, visit: https:\u002F\u002Fgithub.com\u002Fjuanma-wp\u002Fjwt-auth-pro-wp-rest-api\u003C\u002Fp>\n\u003Ch3>Privacy Policy\u003C\u002Fh3>\n\u003Cp>This plugin stores user session data including IP addresses and user agent strings for security purposes. 
This data is used solely for authentication and security monitoring.\u003C\u002Fp>\n","Modern JWT authentication with refresh tokens - built for SPAs and mobile apps with enterprise-grade security.",124,"6.8.5","5.6",[20,91,21,22,105],"tokens","https:\u002F\u002Fgithub.com\u002Fjuanma-wp\u002Fjwt-auth-pro-wp-rest-api","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fjuanma-jwt-auth-pro.1.2.1.zip","2026-03-15T10:48:56.248Z",{"slug":110,"name":111,"version":112,"author":113,"author_profile":114,"description":115,"short_description":116,"active_installs":13,"downloaded":117,"rating":13,"num_ratings":13,"last_updated":118,"tested_up_to":102,"requires_at_least":68,"requires_php":50,"tags":119,"homepage":120,"download_link":121,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"pkl-wpz-rest-api-auth","PKL WPz REST API Authentication","1.1.0","Kittinan Lamkaek","https:\u002F\u002Fprofiles.wordpress.org\u002Fkittlam\u002F","\u003Cp>PKL WPz REST API Authentication provides a simple way to authenticate WordPress REST API requests using API keys. 
Users can generate their own API keys from their profile page and use them to make authenticated API requests.\u003C\u002Fp>\n\u003Cp>Features:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>User-friendly API key generation from profile page\u003C\u002Fli>\n\u003Cli>Secure API key storage with WordPress security standards\u003C\u002Fli>\n\u003Cli>Easy integration with WordPress REST API\u003C\u002Fli>\n\u003Cli>Support for Bearer token authentication\u003C\u002Fli>\n\u003Cli>API key revocation capability\u003C\u002Fli>\n\u003Cli>Admin can manage all users’ API keys\u003C\u002Fli>\n\u003Cli>Multiple authentication methods (Bearer Token, X-API-Key Header, Form-data, Query Parameter)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Developer Documentation\u003C\u002Fh3>\n\u003Cp>For detailed API documentation and examples, visit the plugin settings page in your WordPress admin.\u003C\u002Fp>\n\u003Ch3>Support\u003C\u002Fh3>\n\u003Cp>For support and feature requests, please visit our GitHub repository \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FPalmiizKittinan\" rel=\"nofollow ugc\">@PalmiizKittinan\u003C\u002Fa>.\u003C\u002Fp>\n","Control WordPress REST API access by requiring user authentication with an API key 
system.",194,"2025-10-04T08:48:00.000Z",[73,20,21,22],"https:\u002F\u002Fgithub.com\u002FPalmiizKittinan\u002Fpkl-wpz-rest-api-auth","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpkl-wpz-rest-api-auth.1.1.0.zip",{"attackSurface":123,"codeSignals":283,"taintFlows":385,"riskAssessment":386,"analyzedAt":399},{"hooks":124,"ajaxHandlers":247,"restRoutes":261,"shortcodes":262,"cronEvents":280,"entryPointCount":281,"unprotectedCount":282},[125,130,135,138,141,143,148,153,157,162,165,167,170,173,175,177,178,180,183,186,189,192,194,199,202,206,210,214,218,222,226,231,233,235,237,240,242],{"type":126,"name":127,"callback":127,"file":128,"line":129},"filter","init_perfopsone_admin_menus","admin\\class-keys-master-admin.php",162,{"type":131,"name":132,"callback":132,"priority":11,"file":133,"line":134},"action","wp_create_application_password","includes\\features\\class-capture.php",89,{"type":131,"name":136,"callback":136,"priority":11,"file":133,"line":137},"wp_delete_application_password",90,{"type":131,"name":139,"callback":139,"priority":11,"file":133,"line":140},"application_password_failed_authentication",91,{"type":131,"name":142,"callback":142,"priority":11,"file":133,"line":76},"application_password_did_authenticate",{"type":131,"name":144,"callback":145,"priority":146,"file":147,"line":35},"shutdown","write",11,"includes\\features\\class-schema.php",{"type":131,"name":149,"callback":150,"file":151,"line":152},"wp_create_application_password_form","user_profile","includes\\features\\class-useradministration.php",32,{"type":131,"name":144,"callback":154,"priority":11,"file":155,"line":156},"execute_tasks","includes\\features\\class-zookeeper.php",37,{"type":126,"name":158,"callback":159,"file":160,"line":161},"perfopsone_plugin_info","anonymous","includes\\plugin\\class-core.php",78,{"type":131,"name":163,"callback":159,"file":160,"line":164},"init",79,{"type":131,"name":163,"callback":159,"file":160,"line":166},80,{"type":131,"name":168,"callback":159,"f
ile":160,"line":169},"wp_head",81,{"type":131,"name":171,"callback":159,"file":160,"line":172},"admin_enqueue_scripts",97,{"type":131,"name":171,"callback":159,"file":160,"line":174},98,{"type":131,"name":176,"callback":159,"file":160,"line":34},"admin_menu",{"type":131,"name":176,"callback":159,"file":160,"line":26},{"type":131,"name":176,"callback":159,"file":160,"line":179},101,{"type":131,"name":181,"callback":159,"file":160,"line":182},"admin_init",102,{"type":126,"name":184,"callback":159,"file":160,"line":185},"plugin_row_meta",104,{"type":131,"name":187,"callback":159,"file":160,"line":188},"admin_notices",105,{"type":131,"name":190,"callback":159,"file":160,"line":191},"wp_enqueue_scripts",119,{"type":131,"name":190,"callback":159,"file":160,"line":193},120,{"type":126,"name":195,"callback":196,"file":197,"line":198},"plugins_api","plugin_info","includes\\plugin\\class-updater.php",64,{"type":126,"name":200,"callback":201,"file":197,"line":35},"site_transient_update_plugins","info_update",{"type":131,"name":203,"callback":204,"priority":11,"file":197,"line":205},"upgrader_process_complete","info_reset",66,{"type":126,"name":207,"callback":208,"file":197,"line":209},"clean_url","filter_logo",67,{"type":126,"name":211,"callback":211,"file":212,"line":213},"perfopsone_apcu_info","includes\\system\\class-apcu.php",51,{"type":131,"name":163,"callback":215,"file":216,"line":217},"initialize","includes\\system\\class-password.php",354,{"type":131,"name":219,"callback":220,"file":216,"line":221},"update_user_metadata","limit_management",367,{"type":126,"name":223,"callback":224,"priority":11,"file":216,"line":225},"wp_is_application_passwords_available_for_user","is_available",368,{"type":126,"name":227,"callback":228,"file":229,"line":230},"site_status_tests","perfopsone_test_objectcache","includes\\system\\class-sitehealth.php",77,{"type":126,"name":227,"callback":232,"file":229,"line":161},"perfopsone_test_opcache",{"type":126,"name":227,"callback":234,"file":22
9,"line":164},"perfopsone_test_shmop",{"type":126,"name":227,"callback":236,"file":229,"line":169},"perfopsone_test_i18n",{"type":126,"name":238,"callback":239,"file":229,"line":140},"debug_information","perfopsone_info",{"type":126,"name":238,"callback":196,"file":229,"line":241},109,{"type":131,"name":243,"callback":244,"file":245,"line":246},"admin_bar_menu","finalize","perfopsone\\class-adminbar.php",54,[248,252,256],{"action":249,"nopriv":250,"callback":159,"hasNonce":250,"hasCapCheck":250,"file":160,"line":251},"hide_pokm_nag",false,106,{"action":253,"nopriv":250,"callback":254,"hasNonce":250,"hasCapCheck":250,"file":160,"line":255},"pokm_get_stats","KeysMaster\\Plugin\\Feature\\AnalyticsFactory",107,{"action":257,"nopriv":250,"callback":258,"hasNonce":259,"hasCapCheck":259,"file":260,"line":152},"poo_switch_autoupdate","poo_switch_autoupdate_callback",true,"perfopsone\\functions.php",[],[263,268,272,276],{"tag":264,"callback":265,"file":266,"line":267},"pokm-wpcli","sc_get_helpfile","includes\\features\\class-wpcli.php",723,{"tag":269,"callback":270,"file":160,"line":271},"pokm-changelog","sc_get_changelog",82,{"tag":273,"callback":274,"file":160,"line":275},"pokm-libraries","sc_get_list",83,{"tag":277,"callback":278,"file":160,"line":279},"pokm-statistics","sc_get_raw",84,[],7,2,{"dangerousFunctions":284,"sqlUsage":285,"outputEscaping":302,"fileOperations":146,"externalRequests":382,"nonceChecks":383,"capabilityChecks":282,"bundledLibraries":384},[],{"prepared":286,"raw":287,"locations":288},26,4,[289,293,295,299],{"file":290,"line":291,"context":292},"includes\\system\\class-cache.php",347,"$wpdb->get_col() with variable interpolation",{"file":290,"line":294,"context":292},350,{"file":296,"line":297,"context":298},"includes\\system\\class-database.php",241,"$wpdb->get_var() with variable 
interpolation",{"file":300,"line":301,"context":292},"includes\\system\\class-option.php",229,{"escaped":303,"rawEcho":304,"locations":305},58,39,[306,309,311,313,314,316,319,321,322,325,328,329,330,331,332,334,335,337,338,340,341,343,345,347,349,351,354,356,357,360,362,364,366,368,370,372,374,377,380],{"file":307,"line":152,"context":308},"admin\\partials\\keys-master-admin-settings-about.php","raw output",{"file":307,"line":310,"context":308},33,{"file":307,"line":312,"context":308},34,{"file":307,"line":304,"context":308},{"file":307,"line":315,"context":308},42,{"file":317,"line":318,"context":308},"admin\\partials\\keys-master-admin-settings-main.php",96,{"file":320,"line":310,"context":308},"admin\\partials\\keys-master-admin-settings-options.php",{"file":320,"line":310,"context":308},{"file":323,"line":324,"context":308},"admin\\partials\\keys-master-admin-settings-roles.php",30,{"file":326,"line":327,"context":308},"admin\\partials\\keys-master-admin-tools-lines.php",18,{"file":326,"line":327,"context":308},{"file":326,"line":64,"context":308},{"file":326,"line":64,"context":308},{"file":326,"line":64,"context":308},{"file":326,"line":333,"context":308},23,{"file":326,"line":333,"context":308},{"file":336,"line":333,"context":308},"admin\\partials\\keys-master-admin-tools.php",{"file":336,"line":286,"context":308},{"file":339,"line":312,"context":308},"admin\\partials\\keys-master-admin-view-analytics.php",{"file":339,"line":156,"context":308},{"file":339,"line":342,"context":308},40,{"file":339,"line":344,"context":308},44,{"file":339,"line":346,"context":308},45,{"file":339,"line":348,"context":308},50,{"file":339,"line":350,"context":308},55,{"file":352,"line":353,"context":308},"includes\\features\\class-passwords.php",636,{"file":352,"line":355,"context":308},686,{"file":151,"line":344,"context":308},{"file":358,"line":359,"context":308},"includes\\system\\class-form.php",73,{"file":358,"line":361,"context":308},108,{"file":358,"line":363,"context":308}
,138,{"file":358,"line":365,"context":308},172,{"file":358,"line":367,"context":308},211,{"file":358,"line":369,"context":308},253,{"file":358,"line":371,"context":308},296,{"file":358,"line":373,"context":308},318,{"file":375,"line":376,"context":308},"includes\\system\\class-nag.php",127,{"file":378,"line":379,"context":308},"perfopsone\\class-menus.php",471,{"file":378,"line":381,"context":308},524,5,15,[],[],{"summary":387,"deductions":388},"The \"keys-master\" v2.4.0 plugin exhibits a mixed security posture. On the positive side, it has no recorded historical vulnerabilities (CVEs) and shows good practices regarding SQL query preparedness (87%) and the absence of dangerous functions. The plugin also has a significant number of nonce checks, indicating an awareness of common WordPress security mechanisms. However, concerns arise from the attack surface analysis. There are two AJAX handlers that lack authentication checks, representing direct entry points for potential unauthenticated actions. While taint analysis shows no critical or high severity flows, this is based on zero flows being analyzed, which is a limitation in the static analysis rather than a guarantee of safety. The output escaping is also only 60% proper, suggesting a risk of Cross-Site Scripting (XSS) vulnerabilities in a substantial portion of its outputs. 
The limited capability checks also suggest that even authenticated users might have access to functionalities they shouldn't.",[389,391,394,396],{"reason":390,"points":11},"AJAX handlers without authentication checks",{"reason":392,"points":393},"Output escaping is only 60% proper",6,{"reason":395,"points":382},"Limited capability checks",{"reason":397,"points":398},"Taint analysis did not analyze any flows",3,"2026-03-17T00:46:11.448Z",{"wat":401,"direct":436},{"assetPaths":402,"generatorPatterns":418,"scriptPaths":419,"versionParams":420},[403,404,405,406,407,408,409,410,411,412,413,414,415,416,417],"\u002Fwp-content\u002Fplugins\u002Fkeys-master\u002Fadmin\u002Fcss\u002Fkeys-master-admin.css","\u002Fwp-content\u002Fplugins\u002Fkeys-master\u002Fadmin\u002Fjs\u002Fkeys-master-admin.js","\u002Fwp-content\u002Fplugins\u002Fkeys-master\u002Fincludes\u002Flibraries\u002Fassets\u002Fcss\u002Fbootstrap.min.css","\u002Fwp-content\u002Fplugins\u002Fkeys-master\u002Fincludes\u002Flibraries\u002Fassets\u002Fcss\u002Ffeather.css","\u002Fwp-content\u002Fplugins\u002Fkeys-master\u002Fincludes\u002Flibraries\u002Fassets\u002Fcss\u002Fchoices.min.css","\u002Fwp-content\u002Fplugins\u002Fkeys-master\u002Fincludes\u002Flibraries\u002Fassets\u002Fjs\u002Fbootstrap.min.js","\u002Fwp-content\u002Fplugins\u002Fkeys-master\u002Fincludes\u002Flibraries\u002Fassets\u002Fjs\u002Fchoices.min.js","\u002Fwp-content\u002Fplugins\u002Fkeys-master\u002Fincludes\u002Ffeatures\u002Fassets\u002Fcss\u002Fkeys-master-feature-capture.css","\u002Fwp-content\u002Fplugins\u002Fkeys-master\u002Fincludes\u002Ffeatures\u002Fassets\u002Fcss\u002Fkeys-master-feature-schema.css","\u002Fwp-content\u002Fplugins\u002Fkeys-master\u002Fincludes\u002Ffeatures\u002Fassets\u002Fcss\u002Fkeys-master-feature-wpcli.css","\u002Fwp-content\u002Fplugins\u002Fkeys-master\u002Fincludes\u002Ffeatures\u002Fassets\u002Fjs\u002Fkeys-master-feature-capture.js","\u002Fwp-content\u002Fplugins\u002Fkeys-master\u002Fincludes\u002Ffea
tures\u002Fassets\u002Fjs\u002Fkeys-master-feature-schema.js","\u002Fwp-content\u002Fplugins\u002Fkeys-master\u002Fincludes\u002Ffeatures\u002Fassets\u002Fjs\u002Fkeys-master-feature-wpcli.js","\u002Fwp-content\u002Fplugins\u002Fkeys-master\u002Fincludes\u002Ffeatures\u002Fassets\u002Fjs\u002Fkeys-master-feature-passwords.js","\u002Fwp-content\u002Fplugins\u002Fkeys-master\u002Fincludes\u002Ffeatures\u002Fassets\u002Fjs\u002Fkeys-master-feature-logs.js",[],[404,408,409,413,414,415,416,417],[421,422,423,424,425,426,427,428,429,430,431,432,433,434,435],"keys-master\u002Fadmin\u002Fcss\u002Fkeys-master-admin.css?ver=","keys-master\u002Fadmin\u002Fjs\u002Fkeys-master-admin.js?ver=","keys-master\u002Fincludes\u002Flibraries\u002Fassets\u002Fcss\u002Fbootstrap.min.css?ver=","keys-master\u002Fincludes\u002Flibraries\u002Fassets\u002Fcss\u002Ffeather.css?ver=","keys-master\u002Fincludes\u002Flibraries\u002Fassets\u002Fcss\u002Fchoices.min.css?ver=","keys-master\u002Fincludes\u002Flibraries\u002Fassets\u002Fjs\u002Fbootstrap.min.js?ver=","keys-master\u002Fincludes\u002Flibraries\u002Fassets\u002Fjs\u002Fchoices.min.js?ver=","keys-master\u002Fincludes\u002Ffeatures\u002Fassets\u002Fcss\u002Fkeys-master-feature-capture.css?ver=","keys-master\u002Fincludes\u002Ffeatures\u002Fassets\u002Fcss\u002Fkeys-master-feature-schema.css?ver=","keys-master\u002Fincludes\u002Ffeatures\u002Fassets\u002Fcss\u002Fkeys-master-feature-wpcli.css?ver=","keys-master\u002Fincludes\u002Ffeatures\u002Fassets\u002Fjs\u002Fkeys-master-feature-capture.js?ver=","keys-master\u002Fincludes\u002Ffeatures\u002Fassets\u002Fjs\u002Fkeys-master-feature-schema.js?ver=","keys-master\u002Fincludes\u002Ffeatures\u002Fassets\u002Fjs\u002Fkeys-master-feature-wpcli.js?ver=","keys-master\u002Fincludes\u002Ffeatures\u002Fassets\u002Fjs\u002Fkeys-master-feature-passwords.js?ver=","keys-master\u002Fincludes\u002Ffeatures\u002Fassets\u002Fjs\u002Fkeys-master-feature-logs.js?ver=",{"cssClasses":437,"htmlComments":439,"htmlAt
tributes":440,"restEndpoints":442,"jsGlobals":443,"shortcodeOutput":448},[438],"pokm-about-logo",[],[441],"data-nonce",[],[444,445,446,447],"POKM_ASSETS_ID","POKM_SLUG","POKM_PRODUCT_NAME","POKM_VERSION",[449,450,451],"[pokm-libraries]","[pokm-changelog]","[pokm-wpcli]"]