WP-Safety

Login as User Security & Risk Analysis

wordpress.org/plugins/login-as-user

Login as User is a free WordPress plugin that helps admins switch user accounts instantly to check data.

30K active installs v1.6.8 PHP 7.4+ WP 5.3+ Updated Feb 3, 2026
adminloginlogin-as-useruserweb357
100
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is Login as User Safe to Use in 2026?

Generally Safe

Score 100/100

Login as User has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 1mo ago
Risk Assessment

The "login-as-user" plugin v1.6.8 exhibits a generally strong security posture based on the static analysis. The absence of direct AJAX or REST API endpoints that bypass authentication is a significant positive. The code also demonstrates good practices by exclusively using prepared statements for SQL queries and incorporating both nonce and capability checks, indicating an awareness of common WordPress security vulnerabilities. The plugin also has no recorded vulnerability history, which is a strong indicator of stable and secure development over time.

However, there are minor areas for improvement. The taint analysis reveals one flow with unsanitized paths, which, while not classified as critical or high severity in this specific analysis, represents a potential avenue for unexpected behavior or vulnerabilities if input is not handled meticulously. Furthermore, the output escaping is only properly done in 72% of cases. While this might not lead to immediate critical issues, it leaves room for potential cross-site scripting (XSS) vulnerabilities if user-controlled data is rendered without proper sanitization in the remaining 28% of outputs.

Overall, the plugin is well-developed from a security perspective, with a minimal attack surface and a history free of known vulnerabilities. The primary concerns are the single unsanitized path flow and the imperfect output escaping, which are minor but should be addressed to achieve a truly robust security profile.

Key Concerns

  • Flows with unsanitized paths
  • Output escaping not fully proper
Vulnerabilities
None known

Login as User Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Login as User Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
42
110 escaped
Nonce Checks
2
Capability Checks
7
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

72% escaped152 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

2 flows1 with unsanitized paths
add_login_message (includes\class-w357-login-as-user.php:503)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Login as User Attack Surface

Entry Points1
Unprotected0

Shortcodes 1

[login_as_user] includes\class-w357-login-as-user.php:55
WordPress Hooks 63
actionplugins_loadedincludes\class-main.php:138
actionadmin_enqueue_scriptsincludes\class-main.php:152
actionadmin_enqueue_scriptsincludes\class-main.php:153
actionadmin_menuincludes\class-main.php:157
actionadmin_initincludes\class-main.php:158
actionwp_enqueue_scriptsincludes\class-main.php:174
actionwp_enqueue_scriptsincludes\class-main.php:175
filteruser_has_capincludes\class-w357-login-as-user.php:41
filtermap_meta_capincludes\class-w357-login-as-user.php:42
actioninitincludes\class-w357-login-as-user.php:43
actionwp_logoutincludes\class-w357-login-as-user.php:44
actionwp_loginincludes\class-w357-login-as-user.php:45
filterwp_headincludes\class-w357-login-as-user.php:46
filterwp_footerincludes\class-w357-login-as-user.php:47
actionadmin_bar_menuincludes\class-w357-login-as-user.php:48
filterremovable_query_argsincludes\class-w357-login-as-user.php:49
actionpersonal_optionsincludes\class-w357-login-as-user.php:50
actionwp_enqueue_scriptsincludes\class-w357-login-as-user.php:51
filterusin_user_db_dataincludes\class-w357-login-as-user.php:52
filterusin_single_user_db_dataincludes\class-w357-login-as-user.php:53
filterusin_fieldsincludes\class-w357-login-as-user.php:54
actionadmin_noticesincludes\class-w357-login-as-user.php:58
filterwoocommerce_clear_cart_on_logoutincludes\class-w357-login-as-user.php:217
filterwoocommerce_clear_cart_on_loginincludes\class-w357-login-as-user.php:218
filterwoocommerce_clear_cart_on_new_loginincludes\class-w357-login-as-user.php:219
filterwoocommerce_clear_cart_on_logoutincludes\class-w357-login-as-user.php:221
filterwoocommerce_clear_cart_on_logoutincludes\class-w357-login-as-user.php:293
filterwoocommerce_clear_cart_on_loginincludes\class-w357-login-as-user.php:294
filterwoocommerce_clear_cart_on_new_loginincludes\class-w357-login-as-user.php:295
filterwoocommerce_clear_cart_on_logoutincludes\class-w357-login-as-user.php:297
filterbody_classincludes\class-w357-login-as-user.php:495
filterattach_session_informationincludes\class-w357-login-as-user.php:1097
filterwoocommerce_clear_cart_on_logoutincludes\class-w357-login-as-user.php:1231
filterwoocommerce_clear_cart_on_loginincludes\class-w357-login-as-user.php:1232
filterwoocommerce_clear_cart_on_new_loginincludes\class-w357-login-as-user.php:1233
filterwoocommerce_persistent_cart_enabledincludes\class-w357-login-as-user.php:1236
actionwp_loginincludes\class-w357-login-as-user.php:1239
actionwoocommerce_cart_updatedincludes\class-w357-login-as-user.php:1242
actiontemplate_redirectincludes\class-w357-login-as-user.php:1245
actioninitincludes\class-w357-login-as-user.php:1330
filtermepr-admin-members-colsincludes\integrations\class-memberpress.php:11
filtermepr_members_list_table_rowincludes\integrations\class-memberpress.php:12
filtermepr-admin-subscriptions-colsincludes\integrations\class-memberpress.php:15
filtermepr-admin-subscriptions-cellincludes\integrations\class-memberpress.php:16
filtermepr-admin-transactions-colsincludes\integrations\class-memberpress.php:19
filtermepr-admin-transactions-cellincludes\integrations\class-memberpress.php:20
filtermanage_sc-orders_columnsincludes\integrations\class-surecart.php:13
filtermanage_sc-orders_custom_columnincludes\integrations\class-surecart.php:14
filtermanage_sc-customers_columnsincludes\integrations\class-surecart.php:17
filtermanage_sc-customers_custom_columnincludes\integrations\class-surecart.php:18
filterwoocommerce_shop_subscription_list_table_columnsincludes\integrations\class-woocommerce-subscriptions.php:13
actionwoocommerce_shop_subscription_list_table_custom_columnincludes\integrations\class-woocommerce-subscriptions.php:14
filtermanage_edit-shop_subscription_columnsincludes\integrations\class-woocommerce-subscriptions.php:17
actionmanage_shop_subscription_posts_custom_columnincludes\integrations\class-woocommerce-subscriptions.php:18
actionadd_meta_boxesincludes\integrations\class-woocommerce-subscriptions.php:21
filtermanage_woocommerce_page_wc-orders_columnsincludes\integrations\class-woocommerce.php:13
actionmanage_woocommerce_page_wc-orders_custom_columnincludes\integrations\class-woocommerce.php:14
filtermanage_edit-shop_order_columnsincludes\integrations\class-woocommerce.php:17
actionmanage_shop_order_posts_custom_columnincludes\integrations\class-woocommerce.php:18
actionadd_meta_boxesincludes\integrations\class-woocommerce.php:21
filtermanage_users_columnsincludes\integrations\class-wp-userlist.php:12
filtermanage_users_custom_columnincludes\integrations\class-wp-userlist.php:13
actionplugins_loadedlogin-as-user.php:66
Maintenance & Trust

Login as User Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedFeb 3, 2026
PHP min version7.4
Downloads514K

Community Trust

Rating96/100
Number of ratings40
Active installs30K
Alternatives

Login as User Alternatives

Masquerade

Masquerade

masquerade

A
85

Adds a link to users.php that allows an administrator to login as that user without knowing the password.

70 No CVEs
WP Last Login

WP Last Login

wp-last-login

A
100

Make the last login for each user visible in the user overview.

10K No CVEs
WP Approve User

WP Approve User

wp-approve-user

A
85

Adds action links to user table to approve or unapprove user registrations.

3K No CVEs
User Login Notifier for WordPress

User Login Notifier for WordPress

wp-user-login-notifier

A
100

User Login Notifier plugin notifies WordPress site admin and users of the successful and failed login attempts via email.

1K No CVEs
Chap Secure Password Login

Chap Secure Password Login

chap-secure-login

A
85

Do not show password, during login, on an insecure channel (without SSL). Use a SHA-256 hash algorithm.

700 No CVEs
Developer Profile

Login as User Developer Profile

Yiannis Christodoulou

4 plugins · 30K total installs

90
trust score
Avg Security Score
94/100
Avg Patch Time
19 days
View full developer profile
Detection Fingerprints

How We Detect Login as User

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/login-as-user/admin/css/admin.min.css/wp-content/plugins/login-as-user/admin/js/admin.min.js
Script Paths
/wp-content/plugins/login-as-user/admin/js/admin.min.js
Version Parameters
login-as-user/admin/css/admin.min.css?ver=login-as-user/admin/js/admin.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
column-loginasuser_col
HTML Comments
Login as User for WordPress - v1.6.8 (free version) Author: Web357 Copyright © 2014-2024 Web357. All rights reserved. License: GNU/GPLv3, http://www.gnu.org/licenses/gpl-3.0.html +4 more
Data Attributes
data-loginasuser_id
JS Globals
loginasuserAjax
FAQ

Frequently Asked Questions about Login as User