Does Magic Login Link have any unpatched vulnerabilities?

No. All known vulnerabilities in Magic Login Link have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Magic Login Link compatible with WordPress 4.9.29?

According to WordPress.org data, Magic Login Link 1.1.0 has been tested up to WordPress 4.9.29. Check the plugin's changelog for the latest compatibility information.

Is Magic Login Link compatible with PHP 5.6+?

Magic Login Link requires PHP 5.6 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Magic Login Link updated?

Magic Login Link was last updated on Mar 28, 2018. Frequent updates are generally a positive security signal.

What is Magic Login Link's security score?

Magic Login Link has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Magic Login Link Security & Risk Analysis

wordpress.org/plugins/magic-link-login

Enables the user to login without entering a password. Instead a mail with a login is sent.

80 active installs v1.1.0 PHP 5.6+ WP 4.6+ Updated Mar 28, 2018

loginmagicmagic-loginpasswordless-login

A · Safe

CVEs total0

Unpatched0

Last CVENever

Download

Safety Verdict

Is Magic Login Link Safe to Use in 2026?

Generally Safe

Score 85/100

Magic Login Link has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 8yr ago

Risk Assessment

The magic-link-login plugin, version 1.1.0, exhibits a mixed security posture. On the positive side, it utilizes prepared statements for all SQL queries and has no recorded vulnerability history, suggesting a generally stable codebase. However, significant concerns arise from the static analysis. The plugin exposes one AJAX handler without any authentication or capability checks, creating a direct entry point for potential unauthenticated actions. Furthermore, all observed output operations lack proper escaping, meaning user-supplied data displayed on the frontend could be vulnerable to cross-site scripting (XSS) attacks. The taint analysis also identified two flows with unsanitized paths, which, while not categorized as critical or high, are still concerning as they could lead to unexpected behavior or compromise if exploited in conjunction with other weaknesses.

Key Concerns

AJAX handler without auth checks
Output escaping missing
Unsanitized paths in taint flows

Vulnerabilities

None known

Magic Login Link Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 16, 2026

Magic Login Link Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

0 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

0% escaped3 total outputs

Data Flows

2 unsanitized

Data Flow Analysis

2 flows2 with unsanitized paths

maybe_redirect (classes\AMC_Main.php:112)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

1 unprotected

Magic Login Link Attack Surface

Entry Points2

Unprotected1

AJAX Handlers 1

noprivwp_ajax_amc_send_magic_mailclasses\AMC_Main.php:68

Shortcodes 1

[amc_spark_magic_login] classes\AMC_Shortcodes.php:25

WordPress Hooks 5

actionplugins_loadedamc-spark.php:28

actionlogin_formclasses\AMC_Login_Form.php:32

actionlogin_enqueue_scriptsclasses\AMC_Login_Form.php:33

actionplugins_loadedclasses\AMC_Main.php:70

actioninitclasses\AMC_Main.php:104

Maintenance & Trust

Magic Login Link Maintenance & Trust

Maintenance Signals

WordPress version tested4.9.29

Last updatedMar 28, 2018

PHP min version5.6

Downloads2K

Community Trust

Rating0/100

Number of ratings0

Active installs80

Alternatives

Magic Login Link Alternatives

Magic Login – Passwordless Authentication for WordPress – Login Without Password

magic-login

100

Passwordless login for WordPress. Streamline the login process by sending magic links to your users.

2K No CVEs

Magic Link – Secure one click passwordless login

magic-link

100

Secure one click passwordless login

10 No CVEs

Temporary Login Without Password

temporary-login-without-password

100

Create self-expiring, temporary admin accounts. Easily share direct login links (no need for username/password) with your developers or editors.

100K 1 CVE

VentraConnect – Social Login, Magic Link & Email OTP (Passwordless)

ventraconnect-social-login

100

Social login with 15+ providers plus passwordless login (Magic Link & Email OTP), with Guardrails to block spam registrations.

20 No CVEs

Temporary Login

temporary-login

Create a secure, temporary URL for easy access to your WP admin.

40K No CVEs

Developer Profile

Magic Login Link Developer Profile

Tim Sippel

1 plugin · 80 total installs

trust score

Avg Security Score

85/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect Magic Login Link

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/magic-link-login/css/login.css/wp-content/plugins/magic-link-login/js/login.js

Script Paths

/wp-content/plugins/magic-link-login/js/login.js

Version Parameters

magic-link-login/css/login.css?ver=magic-link-login/js/login.js?ver=

HTML / DOM Fingerprints

CSS Classes

amc-magic-login-buttonamc-spark-oramc-spark-mail-input-wrapper

Data Attributes

id="amc-spark-mail-input"

Shortcode Output

<a href="#">Magic Login</a>

FAQ