[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fP1IdOsOKpJqXCSKzv2xXtTBqH2-xD8uPLg2sPQWp5v8":3,"$fAeuCg1RwAm12A_XGWZnXjasRpmax5aDRxIDzghToYTs":218,"$fzMMNaIJpb68bNiWaqZZiRn6TYN54448t2UJGEsxGtoY":223},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":11,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":23,"download_link":24,"security_score":25,"vuln_count":26,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29,"discovery_status":30,"vulnerabilities":31,"developer":57,"crawl_stats":37,"alternatives":64,"analysis":161,"fingerprints":190},"magic-login-mail","Magic Login Mail or QR Code","2.06","Katsushi Kawamori","https:\u002F\u002Fprofiles.wordpress.org\u002Fkatsushi-kawamori\u002F","\u003Cp>Enter your email address, and send you an email with a magic link or QR Code to login without a password.\u003C\u002Fp>\n\u003Ch4>Login\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Login with email address only.\u003C\u002Fli>\n\u003Cli>Only registered users can login.\u003C\u002Fli>\n\u003Cli>Password-less login from the magic link or QR code notified in the email.\u003C\u002Fli>\n\u003Cli>shortcode : \u003Ccode>[magic_login]\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>action hook : \u003Ccode>do_action( 'magic_email_send', $emails | array, true | bool )\u003C\u002Fcode> : To send the magic link simultaneously from the management account.\u003C\u002Fli>\n\u003Cli>QR code login on the user’s administration screen.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Thanks\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>This plugin is a modified version of \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fpasswordless-login\u002F\" rel=\"ugc\">Passwordless Login\u003C\u002Fa>.\u003C\u002Fli>\n\u003Cli>The main changes are the addition of various filter hooks and the addition of the following action hooks.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Action hook\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>This is for sending bulk e-mails with a magic link for login to multiple accounts from the management screen.\u003C\u002Fli>\n\u003Cli>When using this action hook, the URL of the page where the shortcode [magic_login] is placed should be specified in the filter hook ‘magic_login_mail_url’.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cpre>\u003Ccode>\u002F** ==================================================\n * To send the magic link simultaneously from the management account.\n *\n * @param array  $emails  Multiple email addresses.\n * @param bool   true  Output notifications to the management screen immediately after sending.\n *\u002F\ndo_action( 'magic_email_send', $emails, true );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Filter hooks\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>\u002F** ==================================================\n * Filter for magic link url with mail.\n *\n *\u002F\nadd_filter( 'magic_login_mail_url', function(){ return 'url'; }, 10, 1 );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cpre>\u003Ccode>\u002F** ==================================================\n * Currently logged in user link for Magic Login Mail\n *\n * @param string $url  URL.\n * @param int    $user_id  User ID.\n * @return $url\n *\u002F\nadd_filter( 'magic_login_mail_user_redirect', 'redirect_url_login_users', 10, 2 );\n\n\u002F** ==================================================\n * Login user after redirect for Magic Login Mail\n *\n * @param string $url  URL.\n * @param int    $user_id  User ID.\n * @return $url\n *\u002F\nadd_filter( 'magic_login_mail_after_login_redirect', 'redirect_url_login_users', 10, 2 );\n\nfunction redirect_url_login_users( $url, $user_id ){\n    \u002F* your code *\u002F\n    return $url;\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cpre>\u003Ccode>\u002F** ==================================================\n * Filter for message with shortcode form.\n *\n *\u002F\nadd_filter( 'magic_login_mail_success_link_msg', function(){ return 'Message for success.'; }, 10, 1 );\nadd_filter( 'magic_login_mail_success_login_msg', function(){ return 'Message for success with login.'; }, 10, 1 );\nadd_filter( 'magic_login_mail_valid_errors', function(){ return 'Message for mail validation error.'; }, 10, 1 );\nadd_filter( 'magic_login_mail_email_errors', function(){ return 'Message for sent mail error.'; }, 10, 1 );\nadd_filter( 'magic_login_mail_invalid_token_error', function(){ return 'Message for token error.'; }, 10, 1 );\nadd_filter( 'magic_login_mail_form_label', function(){ return 'Message for form label.'; }, 10, 1 );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cpre>\u003Ccode>\u002F** ==================================================\n * Filter for color with shortcode form.\n *\n *\u002F\nadd_filter( 'magic_login_mail_success_link_msg_back_color', function(){ return '#e7f7d3'; }, 10, 1 );\nadd_filter( 'magic_login_mail_success_login_msg_back_color', function(){ return '#e7f7d3'; }, 10, 1 );\nadd_filter( 'magic_login_mail_valid_errors_back_color', function(){ return '#ffebe8'; }, 10, 1 );\nadd_filter( 'magic_login_mail_email_errors_back_color', function(){ return '#ffebe8'; }, 10, 1 );\nadd_filter( 'magic_login_mail_invalid_token_error_back_color', function(){ return '#ffebe8'; }, 10, 1 );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cpre>\u003Ccode>\u002F** ==================================================\n * Filter for input text size.\n *\n *\u002F\nadd_filter( 'magic_login_mail_input_size', function(){ return 17; }, 10, 1 );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cpre>\u003Ccode>\u002F** ==================================================\n * Filter for class name.\n *\n *\u002F\nadd_filter( 'magic_login_mail_notice_class_name', function(){ return 'mynotice'; }, 10, 1 );\nadd_filter( 'magic_login_mail_form_class_name', function(){ return 'myform'; }, 10, 1 );\nadd_filter( 'magic_login_mail_label_class_name', function(){ return 'mylabel'; }, 10, 1 );\nadd_filter( 'magic_login_mail_input_class_name', function(){ return 'myinput'; }, 10, 1 );\nadd_filter( 'magic_login_mail_submit_class_name', function(){ return 'mysubmit'; }, 10, 1 );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cpre>\u003Ccode>\u002F** ==================================================\n * Filter for message with mail subject.\n *\n *\u002F\nadd_filter( 'magic_login_mail_subject', function(){ return 'subject'; }, 10, 1 );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cpre>\u003Ccode>\u002F** ==================================================\n * Filter for message with mail.\n *\n * @param string $message  message.\n * @param string $url  url.\n * @param string $exp_date_time  expiration date and time.\n *\u002F\nadd_filter(\n    'magic_login_mail_message',\n    function( $message, $url, $exp_date_time ) {\n\n        $message .= '\u003Cbr>\u003Cbr>' . 'You may only log in once using the link above.';\n\n        return $message;\n    },\n    10,\n    3\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cpre>\u003Ccode>\u002F** ==================================================\n * Filter for login expiration.\n *\n *\u002F\nadd_filter( 'magic_login_mail_expiration', function(){ return 10; }, 10, 1 );\n\u003C\u002Fcode>\u003C\u002Fpre>\n","Enter your email address, and send you an email with a magic link or QR Code to login without a password.",100,6372,3,"2026-03-29T22:26:00.000Z","7.0","4.7","8.0",[19,20,21,22],"email","login","passwordless","users","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fmagic-login-mail\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmagic-login-mail.2.06.zip",97,1,0,"2026-02-13 16:21:07","2026-04-16T10:56:18.058Z","no_bundle",[32],{"id":33,"url_slug":34,"title":35,"description":36,"plugin_slug":4,"theme_slug":37,"affected_versions":38,"patched_in_version":6,"severity":39,"cvss_score":40,"cvss_vector":41,"vuln_type":42,"published_date":28,"updated_date":43,"references":44,"days_to_patch":13,"patch_diff_files":46,"patch_trac_url":37,"research_status":47,"research_verified":48,"research_rounds_completed":13,"research_plan":49,"research_summary":50,"research_vulnerable_code":51,"research_fix_diff":52,"research_exploit_outline":53,"research_model_used":54,"research_started_at":55,"research_completed_at":56,"research_error":37,"poc_status":37,"poc_video_id":37,"poc_summary":37,"poc_steps":37,"poc_tested_at":37,"poc_wp_version":37,"poc_php_version":37,"poc_playwright_script":37,"poc_exploit_code":37,"poc_has_trace":48,"poc_model_used":37,"poc_verification_depth":37},"CVE-2026-2144","magic-login-mail-or-qr-code-unauthenticated-privilege-escalation-via-insecure-qr-code-file-storage","Magic Login Mail or QR Code \u003C= 2.05 - Unauthenticated Privilege Escalation via Insecure QR Code File Storage","The Magic Login Mail or QR Code plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.05. This is due to the plugin storing the magic login QR code image with a predictable, static filename (QR_Code.png) in the publicly accessible WordPress uploads directory during the email sending process. The file is only deleted after wp_mail() completes, creating an exploitable race condition window. This makes it possible for unauthenticated attackers to trigger a login link request for any user, including administrators, and then exploit the race condition between QR code file creation and deletion to obtain the login URL encoded in the QR code, thereby gaining unauthorized access to the targeted user's account.",null,"\u003C=2.05","high",8.1,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Privilege Management","2026-02-16 22:01:53",[45],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F65066a17-653b-4444-9bd0-894ea8c1acb1?source=api-prod",[],"researched",false,"This research plan focuses on exploiting a race condition in the **Magic Login Mail or QR Code** plugin (\u003C= 2.05). The vulnerability stems from the use of a static filename for a sensitive QR code image in a public directory.\n\n---\n\n### 1. Vulnerability Summary\nThe \"Magic Login Mail or QR Code\" plugin allows users to log in via a link sent to their email or by scanning a QR code. When a magic login is requested, the plugin generates a QR code image containing a sensitive login token\u002FURL. \n\nThe plugin saves this image to a predictable path: `wp-content\u002Fuploads\u002FQR_Code.png`. Crucially, this file is created just before `wp_mail()` is called and is deleted immediately after `wp_mail()` returns. Because `wp_mail()` (especially when using SMTP or external handlers) is a relatively slow operation, a race condition window exists where an unauthenticated attacker can download the QR code, decode the login URL, and gain access to the targeted account.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** The magic login request trigger. This is typically a `wp-admin\u002Fadmin-ajax.php` action or a `POST` request to the login page.\n*   **Vulnerable Action:** `magic_login_request` or similar (inferred).\n*   **Target User:** Typically an administrator (User ID 1).\n*   **Payload:** The username or email of the target user sent to the request endpoint.\n*   **Authentication:** Unauthenticated.\n*   **Preconditions:** \n    1.  The \"Magic Login\" and \"QR Code\" features must be enabled in plugin settings.\n    2.  The attacker knows the username or email of an administrator.\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** `MagicLogin::trigger_magic_login()` (Action: `wp_ajax_nopriv_magic_login_request` or triggered via `login_form`).\n2.  **QR Generation:** The plugin calls a QR generation library.\n3.  **File Write:** The plugin calls `file_put_contents( $upload_dir['basedir'] . '\u002FQR_Code.png', $qr_data )`.\n4.  **Email Sending:** The plugin calls `wp_mail()`. **\u003C-- Race window starts here.**\n5.  **Cleanup:** The plugin calls `unlink( $upload_dir['basedir'] . '\u002FQR_Code.png' )`. **\u003C-- Race window ends here.**\n\n### 4. Nonce Acquisition Strategy\nLogin-related actions often require a nonce if triggered via AJAX.\n1.  **Locate Nonce:** Check the WordPress login page (`\u002Fwp-login.php`) for enqueued scripts from the plugin.\n2.  **Identify JS Variable:** Look for `wp_localize_script` output. \n    *   *Likely Variable:* `window.magic_login_vars` or `window.magic_login_data`.\n    *   *Likely Key:* `nonce` or `magic_nonce`.\n3.  **Extraction Command:**\n    ```javascript\n    \u002F\u002F Example extraction via browser_eval\n    browser_eval(\"window.magic_login_vars?.nonce\")\n    ```\n4.  **Creation of Test Page:** If the login page doesn't expose it, the plugin might use a shortcode like `[magic_login_form]`.\n    ```bash\n    wp post create --post_type=page --post_status=publish --post_title=\"Login\" --post_content='[magic_login_form]'\n    ```\n\n### 5. Exploitation Strategy\n\n**Step 1: Preparation**\nIdentify the target admin username (defaulting to 'admin'). Determine the upload directory path (usually `\u002Fwp-content\u002Fuploads\u002F`).\n\n**Step 2: Trigger and Capture (The Race)**\nSince `wp_mail` is the bottleneck, we need to send the trigger and immediately poll the static file location.\n\n**Request A (Trigger):**\n*   **Method:** `POST`\n*   **URL:** `http:\u002F\u002Fvulnerable-site.tld\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Body:** `action=magic_login_request&user_login=admin&nonce=[NONCE_OBTAINED_PREVIOUSLY]`\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n\n**Request B (Capture - Concurrent):**\n*   **Method:** `GET`\n*   **URL:** `http:\u002F\u002Fvulnerable-site.tld\u002Fwp-content\u002Fuploads\u002FQR_Code.png`\n\n**Execution Logic:**\n1.  Start a loop or multiple concurrent requests for Request B.\n2.  Fire Request A.\n3.  As soon as Request B returns `200 OK`, download the image.\n\n**Step 3: Decoding**\nThe captured `QR_Code.png` will contain a URL like:\n`http:\u002F\u002Fvulnerable-site.tld\u002F?magic-login=TOKEN_VALUE`\n\n**Step 4: Escalation**\nNavigate to the extracted URL in the browser to be automatically logged in as the administrator.\n\n### 6. Test Data Setup\n1.  **Plugin Config:** Ensure \"QR Code\" is enabled in Magic Login settings.\n2.  **User:** Ensure an admin user exists (e.g., username `admin`).\n3.  **Mail Lag (Optional):** To make the race condition easier to hit in a test environment, one could use a plugin like \"WP Mail Logging\" or configure a slow SMTP server, which increases the execution time of `wp_mail()`.\n\n### 7. Expected Results\n*   **Trigger Response:** A success message indicating a magic link was sent.\n*   **Capture Response:** A binary image file (`image\u002Fpng`) found at `\u002Fwp-content\u002Fuploads\u002FQR_Code.png`.\n*   **Final Result:** The decoded URL redirects the attacker to the WordPress Dashboard with administrator privileges.\n\n### 8. Verification Steps\n1.  **File Existence Check:** Use `ls -l \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fuploads\u002FQR_Code.png` during the request to prove the file is written.\n2.  **Session Verification:** After navigating to the magic link, use `wp-cli` to verify the session:\n    ```bash\n    wp user get admin --field=user_login\n    # Check if the browser session cookies correspond to the admin user\n    ```\n\n### 9. Alternative Approaches\n*   **Inferred Action Names:** If `magic_login_request` is incorrect, grep the plugin source for `wp_ajax_nopriv` to find the correct trigger:\n    ```bash\n    grep -r \"wp_ajax_nopriv\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fmagic-login-mail\u002F\n    ```\n*   **Filename Variations:** If `QR_Code.png` is not found, check if the plugin uses the user ID in the name (e.g., `QR_Code_1.png` - inferred). Grep the source for `.png`:\n    ```bash\n    grep -r \".png\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fmagic-login-mail\u002F | grep \"uploads\"\n    ```\n*   **Direct Pathing:** If `\u002Fwp-content\u002Fuploads\u002F` is protected, check for `wp-content\u002Fuploads\u002Fmagic-login\u002FQR_Code.png` (inferred).","The Magic Login Mail or QR Code plugin (\u003C= 2.05) stores sensitive login QR codes in a publicly accessible directory using a static, predictable filename (QR_Code.png). Because these files exist for the duration of the wp_mail() function call, an unauthenticated attacker can exploit a race condition to download the QR code, decode the magic login URL, and gain administrative access.","\u002F\u002F magic-login-mail\u002Fincludes\u002Fclass-magic-login-request.php (Inferred location)\n\n$upload_dir = wp_upload_dir();\n$file_path = $upload_dir['basedir'] . '\u002FQR_Code.png';\n\n\u002F\u002F Generates the QR code and writes it to a predictable static path\n$renderer->render($qr_code)->save($file_path);\n\n$attachments = array($file_path);\n$sent = wp_mail($user_email, $subject, $message, $headers, $attachments);\n\n\u002F\u002F The file remains accessible until wp_mail completes, which can be delayed by SMTP or external APIs\nif (file_exists($file_path)) {\n    unlink($file_path);\n}","--- a\u002Fincludes\u002Fclass-magic-login-request.php\n+++ b\u002Fincludes\u002Fclass-magic-login-request.php\n@@ -1,6 +1,7 @@\n $upload_dir = wp_upload_dir();\n-$file_path = $upload_dir['basedir'] . '\u002FQR_Code.png';\n+$random_suffix = wp_generate_password(20, false);\n+$file_path = $upload_dir['basedir'] . '\u002FQR_Code_' . $random_suffix . '.png';\n \n $renderer->render($qr_code)->save($file_path);\n \n $attachments = array($file_path);","The exploit targets the predictable file path and the delay inherent in the WordPress mail-sending process. An attacker first determines the target username (e.g., 'admin') and begins a high-frequency polling loop of GET requests to the known path 'wp-content\u002Fuploads\u002FQR_Code.png'. While polling, the attacker triggers the plugin's magic login request for the target user (via wp-admin\u002Fadmin-ajax.php or the login form). If the attacker's GET request occurs after the file is written but before wp_mail() finishes and unlinks the file, the attacker successfully downloads the image. The image is then decoded using any QR reader to extract the unique login token URL, which provides immediate authenticated access to the target account.","gemini-3-flash-preview","2026-04-20 23:37:05","2026-04-20 23:37:26",{"slug":58,"display_name":7,"profile_url":8,"plugin_count":59,"total_installs":60,"avg_security_score":11,"avg_patch_time_days":61,"trust_score":62,"computed_at":63},"katsushi-kawamori",54,55940,178,79,"2026-05-20T01:11:39.937Z",[65,92,110,130,144],{"slug":66,"name":67,"version":68,"author":69,"author_profile":70,"description":71,"short_description":72,"active_installs":73,"downloaded":74,"rating":75,"num_ratings":76,"last_updated":77,"tested_up_to":78,"requires_at_least":79,"requires_php":80,"tags":81,"homepage":87,"download_link":88,"security_score":89,"vuln_count":90,"unpatched_count":27,"last_vuln_date":91,"fetched_at":29},"user-verification","User Verification by PickPlugins","2.0.46","PickPlugins","https:\u002F\u002Fprofiles.wordpress.org\u002Fpickplugins\u002F","\u003Cp>User Verification – Complete WordPress User Authentication & Security Plugin\u003C\u002Fp>\n\u003Ch3>User Verification by \u003Ca href=\"http:\u002F\u002Fwww.pickplugins.com\" rel=\"nofollow ugc\">http:\u002F\u002Fwww.pickplugins.com\u003C\u002Fa>\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.pickplugins.com\u002Fitem\u002Fuser-verification\u002F?ref=wordpress.org\" rel=\"nofollow ugc\">Donate\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.pickplugins.com\u002Fsupport\u002F?ref=wordpress.org\" rel=\"nofollow ugc\">Support\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fpickplugins.com\u002Fdocumentation\u002Fuser-verification\u002F?ref=wordpress.org\" rel=\"nofollow ugc\">Documentation\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Secure Your WordPress Site with Advanced User Verification & Authentication\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>User Verification\u003C\u002Fstrong> is a comprehensive WordPress security plugin that provides multiple layers of user authentication and spam protection to safeguard your website from unauthorized access and malicious registrations.\u003C\u002Fp>\n\u003Ch3>🔐 Key Features\u003C\u002Fh3>\n\u003Ch4>\u003Cstrong>Email Verification System\u003C\u002Fstrong>\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Mandatory Email Verification\u003C\u002Fstrong>: Ensure all new users verify their email addresses before accessing your site\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Customizable Verification Pages\u003C\u002Fstrong>: Choose custom redirect pages for successful and failed verifications  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Automatic Login\u003C\u002Fstrong>: Seamlessly log users in after successful email verification\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Role-Based Control\u003C\u002Fstrong>: Exclude specific user roles (like Administrators) from verification requirements\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Flexible Configuration\u003C\u002Fstrong>: Enable\u002Fdisable email verification with simple toggle controls\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>\u003Cstrong>Magic Login (Passwordless Authentication)\u003C\u002Fstrong>\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>🆕 NEW Feature\u003C\u002Fstrong>: Enable secure passwordless login for enhanced user experience\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Email-Based Authentication\u003C\u002Fstrong>: Users receive login links directly in their inbox\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Customizable Key Length\u003C\u002Fstrong>: Set secure authentication key length (default: 6 characters)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Attempt Limits\u003C\u002Fstrong>: Configure maximum login attempts for security (default: 3 attempts)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Custom Redirect Pages\u003C\u002Fstrong>: Set specific pages for successful logins, failures, and magic login forms\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Email Verification Integration\u003C\u002Fstrong>: Require verified emails for magic login access\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Easy Implementation\u003C\u002Fstrong>: Simple shortcode \u003Ccode>[user_verification_magic_login_form]\u003C\u002Fcode> for frontend display\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>\u003Cstrong>OTP (One-Time Password) Login\u003C\u002Fstrong>\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>SMS\u002FEmail OTP\u003C\u002Fstrong>: Secure one-time password authentication system\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Configurable OTP Length\u003C\u002Fstrong>: Customize OTP length (default: 6 digits)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Character Flexibility\u003C\u002Fstrong>: Support for numbers, uppercase, lowercase, and special characters\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Custom Success\u002FError Messages\u003C\u002Fstrong>: Personalized user feedback for OTP processes\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Post-Login Redirects\u003C\u002Fstrong>: Direct users to specific pages after successful authentication\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Easy Integration\u003C\u002Fstrong>: Simple shortcode \u003Ccode>[user_verification_otp_login_form]\u003C\u002Fcode> implementation\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>\u003Cstrong>Advanced Spam Protection\u003C\u002Fstrong>\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Domain Blocking\u003C\u002Fstrong>: Block registrations from specific email domains\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Domain Allowlist\u003C\u002Fstrong>: Allow only approved email domains for registration\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Username Protection\u003C\u002Fstrong>: Block specific usernames from registration\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Flexible Domain Management\u003C\u002Fstrong>: Easy-to-use interface for managing blocked\u002Fallowed domains\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>\u003Cstrong>reCAPTCHA Integration\u003C\u002Fstrong>\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Google reCAPTCHA v2\u003C\u002Fstrong>: Complete bot protection with checkbox verification\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Multiple Implementation Points\u003C\u002Fstrong>: Add reCAPTCHA to login, registration, password reset, and comment forms\u003C\u002Fli>\n\u003Cli>\u003Cstrong>WooCommerce Ready\u003C\u002Fstrong>: Full integration with WooCommerce forms\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Easy Configuration\u003C\u002Fstrong>: Simple setup with site key and secret key\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>\u003Cstrong>User Management Tools\u003C\u002Fstrong>\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Unverified User Cleanup\u003C\u002Fstrong>: Automatically delete unverified user accounts\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Existing User Verification\u003C\u002Fstrong>: Mark existing users as verified with customizable intervals\u003C\u002Fli>\n\u003Cli>\u003Cstrong>User Status Monitoring\u003C\u002Fstrong>: Track verification status across your user base\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>\u003Cstrong>Email Customization\u003C\u002Fstrong>\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Custom Email Templates\u003C\u002Fstrong>: Personalize verification and notification emails\u003C\u002Fli>\n\u003Cli>\u003Cstrong>WPAutoP Support\u003C\u002Fstrong>: Enable\u002Fdisable automatic paragraph formatting in emails\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Branded Communications\u003C\u002Fstrong>: Add your logo and customize email appearance\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Multiple Email Types\u003C\u002Fstrong>: Templates for registration, verification, OTP, magic login, and activation\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>\u003Cstrong>WooCommerce Compatibility\u003C\u002Fstrong>\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>E-commerce Ready\u003C\u002Fstrong>: Full integration with WooCommerce login, registration, and password reset forms\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Customer Protection\u003C\u002Fstrong>: Prevent fake customer registrations and protect customer data\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Seamless Experience\u003C\u002Fstrong>: Maintain smooth checkout process while ensuring security\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>🎯 Perfect For:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Membership Sites\u003C\u002Fstrong>: Protect exclusive content with verified users only\u003C\u002Fli>\n\u003Cli>\u003Cstrong>E-commerce Stores\u003C\u002Fstrong>: Prevent fake customer accounts and fraudulent orders  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Corporate Websites\u003C\u002Fstrong>: Ensure legitimate user registrations for business platforms\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Community Forums\u003C\u002Fstrong>: Maintain quality user base with verified members\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Educational Platforms\u003C\u002Fstrong>: Secure student and instructor account creation\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Any WordPress Site\u003C\u002Fstrong>: Enhance security for blogs, portfolios, and business websites\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>⚡ Easy Setup & Management\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>User-Friendly Interface\u003C\u002Fstrong>: Intuitive admin dashboard for all configurations\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Shortcode Ready\u003C\u002Fstrong>: Simple shortcodes for frontend form implementation\u003C\u002Fli>\n\u003Cli>\u003Cstrong>One-Click Configuration\u003C\u002Fstrong>: Enable\u002Fdisable features with simple toggle switches\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Comprehensive Documentation\u003C\u002Fstrong>: Detailed setup guides and troubleshooting support\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>🔧 Technical Specifications\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>WordPress Compatibility\u003C\u002Fstrong>: Works with latest WordPress versions\u003C\u002Fli>\n\u003Cli>\u003Cstrong>PHP 7.4+ Support\u003C\u002Fstrong>: Modern PHP compatibility for optimal performance\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Mobile Responsive\u003C\u002Fstrong>: All forms and interfaces work perfectly on mobile devices\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Translation Ready\u003C\u002Fstrong>: Multi-language support for global websites\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Developer Friendly\u003C\u002Fstrong>: Clean code structure with hooks and filters for customization\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>📧 Default Email Configuration\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Professional Setup\u003C\u002Fstrong>: Comes with pre-configured professional email settings\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Custom From Address\u003C\u002Fstrong>: Set your preferred sender email (e.g., public.nurhasan@gmail.com)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Branded Sender Name\u003C\u002Fstrong>: Customize sender name (default: wordpress)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Template Variety\u003C\u002Fstrong>: Multiple email templates for different verification scenarios\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>🚀 Why Choose User Verification?\u003C\u002Fh3>\n\u003Col>\n\u003Cli>\u003Cstrong>Complete Security Solution\u003C\u002Fstrong>: Multiple authentication methods in one plugin\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Zero Spam Guarantee\u003C\u002Fstrong>: Advanced filtering eliminates fake registrations\u003C\u002Fli>\n\u003Cli>\u003Cstrong>User Experience Focused\u003C\u002Fstrong>: Smooth verification process that doesn’t frustrate legitimate users\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Highly Customizable\u003C\u002Fstrong>: Adapt every aspect to match your site’s needs\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Regular Updates\u003C\u002Fstrong>: Continuously updated with new features and security improvements\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Professional Support\u003C\u002Fstrong>: Dedicated support for setup and troubleshooting\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch3>Installation & Usage\u003C\u002Fh3>\n\u003Cp>Simply install the plugin, configure your preferred verification methods, and add the provided shortcodes to your pages. The plugin integrates seamlessly with WordPress default forms and popular plugins like WooCommerce.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Transform your WordPress site security today with User Verification – the most comprehensive user authentication plugin available.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>External services\u003C\u002Fh3>\n\u003Ch3>Spam Protection by [https:\u002F\u002Fisspammy.com](http:\u002F\u002Fisspammy.com)\u003C\u002Fh3>\n\u003Cp>isspammy.com is owned by PickPlugins and it’s used to protect spam users from login in, registering, commenting, posting reviews and etc. Once you mark a comment as spam it will send a request to isspammy.com and it will create a record for this mail and marked as spam, so later when the same email is used to post a comment it will block them as a spammer. isspammy.com is commited to keep user email private and only accessible when requested.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Fisspammy.com\u002Fprivacy-policy\u002F\" rel=\"nofollow ugc\">isspammy.com\u002Fprivacy-policy\u002F\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Fisspammy.com\u002Fprivacy-policy\u002F\" rel=\"nofollow ugc\">isspammy.com\u002FAbout Us\u002F\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n","Email verification for user registration to protect spam.",5000,332451,90,63,"2026-02-14T03:45:00.000Z","6.9.4","4.1","",[82,83,84,85,86],"email-otp","email-validation","email-verification","hide-login","passwordless-login","http:\u002F\u002Fpickplugins.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fuser-verification.zip",87,4,"2026-05-01 15:46:35",{"slug":93,"name":94,"version":95,"author":96,"author_profile":97,"description":98,"short_description":99,"active_installs":11,"downloaded":100,"rating":11,"num_ratings":101,"last_updated":102,"tested_up_to":15,"requires_at_least":80,"requires_php":103,"tags":104,"homepage":108,"download_link":109,"security_score":11,"vuln_count":27,"unpatched_count":27,"last_vuln_date":37,"fetched_at":29},"email-otp-authenticator","Email OTP Authenticator – Login, Register, 2FA & Session Lock","6.3.5","cs7.in","https:\u002F\u002Fprofiles.wordpress.org\u002Filvchandan\u002F","\u003Cp>\u003Cstrong>Email OTP Authenticator\u003C\u002Fstrong> is an Authentication & Security plugin designed to simplify WordPress login while strengthening user protection. It replaces traditional passwords with secure OTP verification and adds advanced session protection for better control over user access.\u003C\u002Fp>\n\u003Cp>Built as a modular security system, the plugin operates through three dedicated protection engines while maintaining a fully self-contained architecture without external service dependency.\u003C\u002Fp>\n\u003Ch3>Delivering these key benefits:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Reduce login friction\u003C\u002Fli>\n\u003Cli>Increase signup conversions\u003C\u002Fli>\n\u003Cli>Reduce password reset requests\u003C\u002Fli>\n\u003Cli>Strengthen multi-layered website security\u003C\u002Fli>\n\u003Cli>Enhance user trust with secure authentication\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Designed to make WordPress authentication faster, smarter and more secure.\u003C\u002Fp>\n\u003Ch3>Core Security Architecture\u003C\u002Fh3>\n\u003Cp>The plugin is engineered around three dedicated security engines:\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Access Engine\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Handles secure user entry through passwordless authentication.\u003C\u002Fp>\n\u003Cp>Features:\u003Cbr \u002F>\n* OTP Login\u003Cbr \u002F>\n* OTP Registration\u003Cbr \u002F>\n* Guest Verification\u003Cbr \u002F>\n* Email authorization\u003Cbr \u002F>\n* Fast Authentication Flow\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Validation Engine\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Adds identity confirmation and verification controls.\u003C\u002Fp>\n\u003Cp>Features:\u003Cbr \u002F>\n* New Device detection\u003Cbr \u002F>\n* Auto-popup with UI lock\u003Cbr \u002F>\n* Parallel login validation\u003Cbr \u002F>\n* Two-Factor Authentication\u003Cbr \u002F>\n* Login Validity Enforcement\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Security Engine\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Protects active sessions and detects abnormal activity.\u003C\u002Fp>\n\u003Cp>Features:\u003Cbr \u002F>\n* Dynamic Session Shield\u003Cbr \u002F>\n* Session Validity Check\u003Cbr \u002F>\n* Session Inactivity Lock\u003Cbr \u002F>\n* Adaptive 2FA Enforcement\u003Cbr \u002F>\n* Suspicious Activity Guard\u003C\u002Fp>\n\u003Ch3>Key Highlights\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Quick Login & Signup\u003C\u002Fstrong> – Instant, easy, and password-free; Login & signup with OTP.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Built-in Two-Factor Authentication\u003C\u002Fstrong> – Additional identity protection layer.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Verified Access Control\u003C\u002Fstrong> – Verify users without login for access to restricted pages.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Dynamic Session Shield\u003C\u002Fstrong> – Intelligent session protection engine.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Zero External Dependency\u003C\u002Fstrong> – Works without third-party services.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Modern Vanilla JavaScript Engine\u003C\u002Fstrong> – No jQuery dependency.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Flexible Integration Options\u003C\u002Fstrong> – Add authentication anywhere.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Complete Admin Control\u003C\u002Fstrong> – Fine-tune authentication behavior.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Built-in Interface System\u003C\u002Fstrong> – Attractive ready-to-use templates.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Lightweight & Fast\u003C\u002Fstrong> – Optimized for performance.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Flexible Integration Options\u003C\u002Fh3>\n\u003Cp>Add authentication forms anywhere on your website using simple integration methods.\u003C\u002Fp>\n\u003Cp>Integration methods include:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Shortcode integration (auto-popup, popup or inline forms)\u003C\u002Fli>\n\u003Cli>Menu trigger integration (popup forms)\u003C\u002Fli>\n\u003Cli>Redirect support for auto-popup & inline form pages\u003C\u002Fli>\n\u003Cli>Multiple forms on the same page\u003C\u002Fli>\n\u003Cli>Easy setup without coding complexity\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Built-in Templates\u003C\u002Fh3>\n\u003Cp>Attractive 27 ready-to-use templates with auto-popup, popup and inline support.\u003C\u002Fp>\n\u003Cp>Easy-to-apply modern designs that match your website style, with options to customize pre-built templates or create your own.\u003C\u002Fp>\n\u003Ch3>Complete Admin Control\u003C\u002Fh3>\n\u003Cp>Customize authentication behavior, layout options, security restrictions and verification rules with ease. Admins gain complete control over user access and interaction across the website.\u003C\u002Fp>\n\u003Ch3>Zero External Dependency\u003C\u002Fh3>\n\u003Cp>Run a complete authentication system without relying on any third-party services.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Full data control\u003C\u002Fli>\n\u003Cli>Standalone operation\u003C\u002Fli>\n\u003Cli>No external APIs required\u003C\u002Fli>\n\u003Cli>Self-hosted OTP processing\u003C\u002Fli>\n\u003Cli>Reliable authentication flow\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Modern Architecture\u003C\u002Fh3>\n\u003Cp>Built using modern development practices:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Vanilla JavaScript implementation (no jQuery)\u003C\u002Fli>\n\u003Cli>Optimized settings storage\u003C\u002Fli>\n\u003Cli>Secure token validation\u003C\u002Fli>\n\u003Cli>Lightweight execution flow\u003C\u002Fli>\n\u003Cli>Improved performance structure\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Ideal Use Cases\u003C\u002Fh3>\n\u003Cp>This plugin is ideal for:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Membership websites\u003C\u002Fli>\n\u003Cli>WooCommerce stores\u003C\u002Fli>\n\u003Cli>SaaS dashboards\u003C\u002Fli>\n\u003Cli>Community platforms\u003C\u002Fli>\n\u003Cli>Agencies managing client websites\u003C\u002Fli>\n\u003Cli>Developers needing flexible authentication\u003C\u002Fli>\n\u003Cli>Beginners and small websites needing simple security\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Designed to scale from beginner websites to enterprise environments.\u003C\u002Fp>\n\u003Ch3>Compatibility\u003C\u002Fh3>\n\u003Cp>Works smoothly with popular WordPress tools:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>WooCommerce\u003C\u002Fli>\n\u003Cli>Ultimate Member\u003C\u002Fli>\n\u003Cli>MemberPress\u003C\u002Fli>\n\u003Cli>BuddyPress\u003C\u002Fli>\n\u003Cli>ProfileGrid\u003C\u002Fli>\n\u003Cli>ProfilePress\u003C\u002Fli>\n\u003Cli>User Registration\u003C\u002Fli>\n\u003Cli>WP User Manager\u003C\u002Fli>\n\u003Cli>Paid Memberships Pro\u003C\u002Fli>\n\u003Cli>RegistrationMagic\u003C\u002Fli>\n\u003Cli>Forminator\u003C\u002Fli>\n\u003Cli>Login\u002FSignup Popup plugins\u003C\u002Fli>\n\u003Cli>And many more\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Why Choose This Plugin\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>FAST – Quick OTP authentication process\u003C\u002Fli>\n\u003Cli>FRIENDLY – Simple user experience\u003C\u002Fli>\n\u003Cli>SMART – Intelligent access handling\u003C\u002Fli>\n\u003Cli>SMOOTH – Clean UI integration\u003C\u002Fli>\n\u003Cli>SECURED – Strong authentication protection\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Support\u003C\u002Fh3>\n\u003Cp>Feedback helps improve this plugin.\u003Cbr \u002F>\nSend suggestions or issues to:\u003Cbr \u002F>\n\u003Ca href=\"mailto:Mr.Chandan.Shrivastava@gmail.com\" rel=\"nofollow ugc\">Mr.Chandan.Shrivastava@gmail.com\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Notes\u003C\u002Fh3>\n\u003Cp>This is the Lite version with advanced features included for exploration.\u003C\u002Fp>\n","An advanced OTP-powered plugin for Login, Registration, 2FA Protection and Dynamic Session Security. It is FAST, FRIENDLY, SMART, SMOOTH & SECURE.",9086,11,"2026-03-27T19:47:00.000Z","7.3",[82,105,86,106,107],"otp-login","session-security","wordpress-2fa","https:\u002F\u002Feotpa.cs7.in\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Femail-otp-authenticator.6.3.5.zip",{"slug":111,"name":112,"version":113,"author":114,"author_profile":115,"description":116,"short_description":117,"active_installs":118,"downloaded":119,"rating":27,"num_ratings":27,"last_updated":120,"tested_up_to":121,"requires_at_least":122,"requires_php":123,"tags":124,"homepage":127,"download_link":128,"security_score":129,"vuln_count":27,"unpatched_count":27,"last_vuln_date":37,"fetched_at":29},"bh-wp-autologin-urls","Magic Emails & Autologin URLs","2.4.2","Brian Henry","https:\u002F\u002Fprofiles.wordpress.org\u002Fbrianhenryie\u002F","\u003Cp>A new “Email Magic Link” button is added to the standard WordPress and WooCommerce login screens. If there is a user\u003Cbr \u002F>\naccount for the username filled out, they will receive an email with a link to log them in without a password.\u003C\u002Fp>\n\u003Cp>All emails sent from WordPress will contain login codes in links pointing back to the website:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Comment reply emails\u003C\u002Fli>\n\u003Cli>Abandoned cart emails\u003C\u002Fli>\n\u003Cli>Membership reminder emails\u003C\u002Fli>\n\u003Cli>etc.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>No configuration is required, by default:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Autologin URLs work for one week\u003C\u002Fli>\n\u003Cli>Emails to administrators are excluded\u003C\u002Fli>\n\u003Cli>Emails on exclusion shortlist are not modified\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>An API is available for developers to use autologin codes elsewhere in WordPress, e.g. push notifications, and to conditionally disable the plugin’s use. Code is published on GitHub, uses WordPress Plugin Boilerplate, conforms (mostly) to WordPress Coding Standards, and is unit & integration tested.\u003C\u002Fp>\n","Adds magic email link to login screen. Adds single-use passwords to WordPress emails' URLs for frictionless login.",80,5181,"2024-05-26T20:43:00.000Z","6.4.8","4.5.0","7.4",[19,125,20,126,22],"links","newsletter","https:\u002F\u002Fwordpress.org\u002FBrianHenryIE\u002Fbh-wp-autologin-urls","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbh-wp-autologin-urls.zip",92,{"slug":131,"name":132,"version":133,"author":7,"author_profile":8,"description":134,"short_description":135,"active_installs":136,"downloaded":137,"rating":27,"num_ratings":27,"last_updated":138,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":139,"homepage":142,"download_link":143,"security_score":11,"vuln_count":27,"unpatched_count":27,"last_vuln_date":37,"fetched_at":29},"user-mail-only-register","Multibyte CAPTCHA login and Mail only register","4.03","\u003Ch4>Login form with Multibyte CAPTCHA\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Anti-Bot measures with original CAPTCHA.\u003C\u002Fli>\n\u003Cli>WordPress : \u003Ccode>wp-login.php\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>WordPress : \u003Ccode>wp-login.php?action=register\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>WordPress : \u003Ccode>wp-login.php?action=lostpassword\u003C\u002Fcode>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Register\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Register only email address.\u003C\u002Fli>\n\u003Cli>Can check the terms of use agreement for user register.\u003C\u002Fli>\n\u003Cli>Anti-Bot measures with original CAPTCHA.\u003C\u002Fli>\n\u003Cli>WordPress : \u003Ccode>wp-login.php?action=register\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>shortcode : \u003Ccode>[umorregister]\u003C\u002Fcode>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Filter for shortcode form\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>\u002F** ==================================================\n * Filter for message.\n *\n *\u002F\nadd_filter( 'umor_register_success_msg', function(){ return 'Message for register success.'; }, 10, 1 );\nadd_filter( 'umor_login_success_login_msg', function(){ return 'Message for login success.'; }, 10, 1 );\nadd_filter( 'umor_register_error', function(){ return 'Message for register error.'; }, 10, 1 );\nadd_filter( 'umor_register_nomail', function(){ return 'Message for unentered mail.'; }, 10, 1 );\nadd_filter( 'umor_register_noterm', function(){ return 'Message for unentered term of use.'; }, 10, 1 );\nadd_filter( 'umor_register_form_label', function(){ return 'Message for form label.'; }, 10, 1 );\nadd_filter( 'umor_register_term_of_use', function(){ return 'Message for term of use.'; }, 10, 1 );\nadd_filter( 'umor_not_register_message', function(){ return 'Message for not register.'; }, 10, 1 );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cpre>\u003Ccode>\u002F** ==================================================\n * Filter for login form message.\n *\n *\u002F\nadd_filter(\n    'umor_login_message',\n    function( $message, $text ) {\n        $message = '\u003Cp class=\"myclass\">';\n        $message .= $text;\n        $message .= '\u003C\u002Fp>';\n        return $message;\n    },\n    10,\n    2\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cpre>\u003Ccode>\u002F** ==================================================\n * Filter for Term of use URL.\n *\n *\u002F\nadd_filter(\n    'umor_register_term_of_use_url',\n    function( $term_of_use_url ) {\n        if ( 'ja' === get_locale() ) {\n            $term_of_use_url = 'https:\u002F\u002Ftest.com\u002Fja\u002F';\n        }\n        return $term_of_use_url;\n    },\n    10,\n    1\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cpre>\u003Ccode>\u002F** ==================================================\n * Filter for input text size.\n *\n *\u002F\nadd_filter( 'umor_register_input_size', function(){ return 17; }, 10, 1 );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cpre>\u003Ccode>\u002F** ==================================================\n * Filter for class name.\n *\n *\u002F\nadd_filter( 'umor_register_notice_class_name', function(){ return 'mynotice'; }, 10, 1 );\nadd_filter( 'umor_register_form_class_name', function(){ return 'myform'; }, 10, 1 );\nadd_filter( 'umor_register_label_class_name', function(){ return 'mylabel'; }, 10, 1 );\nadd_filter( 'umor_register_input_class_name', function(){ return 'myinput'; }, 10, 1 );\nadd_filter( 'umor_register_check_form_class_name', function(){ return 'mycheckform'; }, 10, 1 );\nadd_filter( 'umor_register_check_class_name', function(){ return 'mycheck'; }, 10, 1 );\nadd_filter( 'umor_register_captcha_input_class_name', function(){ return 'mycaptcha_input'; }, 10, 1 );\nadd_filter( 'umor_register_submit_class_name', function(){ return 'mysubmit'; }, 10, 1 );\n\u003C\u002Fcode>\u003C\u002Fpre>\n","Multibyte CAPTCHA login form and register users with mail only.",30,5728,"2026-03-29T22:04:00.000Z",[140,19,20,141,22],"captcha","register","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fuser-mail-only-register\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fuser-mail-only-register.4.03.zip",{"slug":145,"name":146,"version":147,"author":148,"author_profile":149,"description":150,"short_description":151,"active_installs":136,"downloaded":152,"rating":11,"num_ratings":153,"last_updated":154,"tested_up_to":78,"requires_at_least":155,"requires_php":123,"tags":156,"homepage":80,"download_link":160,"security_score":11,"vuln_count":27,"unpatched_count":27,"last_vuln_date":37,"fetched_at":29},"ventraconnect-social-login","VentraConnect – Social Login, Magic Link & Email OTP (Passwordless)","1.2.1","Fahad Aslam","https:\u002F\u002Fprofiles.wordpress.org\u002Ffahdaslam\u002F","\u003Cp>VentraConnect provides a \u003Cstrong>unified login system\u003C\u002Fstrong> for WordPress: Social Login + Magic Link + Email OTP.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Social Login\u003C\u002Fstrong> with 15+ providers (Google, Facebook, X\u002FTwitter, LinkedIn, Microsoft, GitHub, and more)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Passwordless Login\u003C\u002Fstrong> with \u003Cstrong>Magic Link\u003C\u002Fstrong> and \u003Cstrong>Email OTP\u003C\u002Fstrong>\n\u003Cul>\n\u003Cli>Can run in \u003Cstrong>Login only\u003C\u002Fstrong> mode (existing users) or \u003Cstrong>Login & Register\u003C\u002Fstrong> mode (allow new accounts)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Guardrails (optional):\u003C\u002Fstrong> prevent spam accounts by letting \u003Cstrong>Social Login, Magic Link and Email OTP\u003C\u002Fstrong> log existing users in, but optionally blocking them from creating new users. This stops random visitors from turning your login screen into an open registration form, while your normal WordPress registration and any custom onboarding forms continue to work as usual.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Works out-of-the-box on the default WordPress login\u002Fregistration screens (\u003Ccode>wp-login.php\u003C\u002Fcode>) and also supports shortcodes for custom pages and page builders.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>No proxy servers. No third-party tracking.\u003C\u002Fstrong> VentraConnect connects directly to each provider using official OAuth flows.\u003C\u002Fp>\n\u003Cp>| \u003Ca href=\"https:\u002F\u002Fwpventra.com\u002Fdocs\u002Fwhat-is-ventraconnect-social-login\u002F\" rel=\"nofollow ugc\">Setup\u003C\u002Fa> | \u003Ca href=\"https:\u002F\u002Fwpventra.com\u002Fdocs\u002F\" rel=\"nofollow ugc\">Docs\u003C\u002Fa> | \u003Ca href=\"https:\u002F\u002Fwpventra.com\u002Fpricing\u002F\" rel=\"nofollow ugc\">Pro Addon\u003C\u002Fa> |\u003C\u002Fp>\n\u003Ch3>Best for\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Sites that want \u003Cstrong>faster logins\u003C\u002Fstrong> and fewer abandoned registrations by offering Social Login + passwordless login.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>WooCommerce stores\u003C\u002Fstrong> that want modern social + passwordless login on the login, checkout and My Account pages (Pro add-on).\u003C\u002Fli>\n\u003Cli>Sites that are getting \u003Cstrong>spam registrations\u003C\u002Fstrong> and want Guardrails to control who can create new accounts from the default \u003Ccode>wp-login.php\u003C\u002Fcode> screen.\u003C\u002Fli>\n\u003Cli>Sites that want to add \u003Cstrong>passwordless login\u003C\u002Fstrong> (Magic Link \u002F Email OTP) as an option, without removing the classic username\u002Fpassword login.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Key Features (Free)\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Social Login\u003C\u002Fstrong>\u003Cbr \u002F>\n– 15+ providers (Google, Facebook, X\u002FTwitter, LinkedIn, Microsoft, GitHub, and more)\u003Cbr \u002F>\n– Adds login buttons to core WordPress login & registration screens (\u003Ccode>wp-login.php\u003C\u002Fcode>)\u003Cbr \u002F>\n– Shortcodes for custom pages, page builders, and custom login pages\u003Cbr \u002F>\n– Account linking + unlinking (connect multiple providers to one WordPress user)\u003Cbr \u002F>\n– Optional profile sync (name + avatar)\u003Cbr \u002F>\n– Button styles: Light, Dark, Minimal, plus icon-only layouts\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Passwordless Login (Magic Link + Email OTP)\u003C\u002Fstrong>\u003Cbr \u002F>\n– Built-in security: expiry, resend throttling, single-use links, max attempt limits\u003Cbr \u002F>\n– Flexible behavior: \u003Cstrong>Login only\u003C\u002Fstrong> mode or \u003Cstrong>Login & Register\u003C\u002Fstrong> mode (per method)\u003Cbr \u002F>\n– Per-method redirect overrides (same page, referrer, homepage, custom URL)\u003Cbr \u002F>\n– Custom emails: edit sender name, subject, and message templates\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Guardrails (Spam & signup control)\u003C\u002Fstrong>\u003Cbr \u002F>\n– Prevent spam accounts by controlling whether \u003Cstrong>Social Login, Magic Link and Email OTP\u003C\u002Fstrong> are allowed to create new users\u003Cbr \u002F>\n– Keep your login screen focused on \u003Cstrong>login\u003C\u002Fstrong> only, while still letting existing users sign in with all three methods\u003Cbr \u002F>\n– Your normal WordPress registration form and other registration\u002Fonboarding flows continue to work as usual\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Admin Tools\u003C\u002Fstrong>\u003Cbr \u002F>\n– Basic redirect options for social + passwordless login\u003Cbr \u002F>\n– Diagnostics\u002Flogging to debug OAuth and login issues\u003Cbr \u002F>\n– Email notifications (user + admin) when a new account is created via social login\u003C\u002Fp>\n\u003Ch3>Pro Add-on (Optional)\u003C\u002Fh3>\n\u003Cp>The Pro add-on extends the same login system into popular plugins and adds advanced control:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>WooCommerce integration\u003C\u002Fstrong> for login, checkout and My Account, with Guardrails-aware flows and context-based shortcodes\u003C\u002Fli>\n\u003Cli>\u003Cstrong>LMS integrations\u003C\u002Fstrong>: LearnDash, LifterLMS, LearnPress\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Membership\u002Fcommunity integrations\u003C\u002Fstrong>: MemberPress, Ultimate Member, Paid Memberships Pro (PMPro), BuddyPress\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Passwordless Mode (Off, Recommended, Strict)\u003C\u002Fstrong> to control how aggressively passwords are phased out on supported forms while keeping an admin fallback\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Advanced redirect rules\u003C\u002Fstrong> \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Analytics & login insights\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>Additional \u003Cstrong>diagnostics\u002Flogging\u003C\u002Fstrong> for complex setups\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Pro features require the separate \u003Ca href=\"https:\u002F\u002Fwpventra.com\u002F\" rel=\"nofollow ugc\">VentraConnect Social Login Pro\u003C\u002Fa> add-on.\u003C\u002Fp>\n\u003Ch3>Supported Social Providers\u003C\u002Fh3>\n\u003Cp>Google, Facebook, X (Twitter), LinkedIn, Microsoft, GitHub, Discord, Reddit, Slack, Twitch, Spotify, TikTok, Amazon, Yahoo, WordPress.com, LINE.\u003C\u002Fp>\n\u003Ch3>How It Works\u003C\u002Fh3>\n\u003Col>\n\u003Cli>The user clicks a Social Login button, or requests a Magic Link \u002F Email OTP.\u003C\u002Fli>\n\u003Cli>For Social Login, the user authenticates with the provider via official OAuth; for Magic Link \u002F OTP, they verify ownership of their email address.\u003C\u002Fli>\n\u003Cli>VentraConnect receives basic profile or email data and looks for an existing WordPress user.\u003C\u002Fli>\n\u003Cli>If the email matches an existing user, the login methods are linked to that account and the user is logged in. If not, a new user may be created (subject to your Guardrails and registration settings).\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch3>External Services\u003C\u002Fh3>\n\u003Cp>VentraConnect Social Login is an OAuth client only.\u003C\u002Fp>\n\u003Cp>During login:\u003C\u002Fp>\n\u003Col>\n\u003Cli>The user is redirected to the selected provider such as Google or Facebook.\u003C\u002Fli>\n\u003Cli>The provider authenticates the user.\u003C\u002Fli>\n\u003Cli>The provider returns an authorization token to your site.\u003C\u002Fli>\n\u003Cli>VentraConnect retrieves basic profile data:\n\u003Cul>\n\u003Cli>Provider user ID\u003C\u002Fli>\n\u003Cli>Email address\u003C\u002Fli>\n\u003Cli>Display name\u003C\u002Fli>\n\u003Cli>Avatar URL\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>No user data is sent to or stored on servers owned by the plugin author.\u003Cbr \u002F>\nAll communication happens directly between your WordPress site and the provider official APIs.\u003C\u002Fp>\n\u003Ch3>Provider Domains Used\u003C\u002Fh3>\n\u003Cp>Google\u003Cbr \u002F>\naccounts.google.com\u003Cbr \u002F>\noauth2.googleapis.com\u003Cbr \u002F>\npeople.googleapis.com\u003C\u002Fp>\n\u003Cp>Facebook\u003Cbr \u002F>\ngraph.facebook.com\u003C\u002Fp>\n\u003Cp>Microsoft\u003Cbr \u002F>\nlogin.microsoftonline.com\u003Cbr \u002F>\ngraph.microsoft.com\u003C\u002Fp>\n\u003Cp>TikTok\u003Cbr \u002F>\nopen.tiktokapis.com\u003C\u002Fp>\n\u003Cp>Reddit\u003Cbr \u002F>\nwww.reddit.com\u003Cbr \u002F>\noauth.reddit.com\u003C\u002Fp>\n\u003Cp>LINE\u003Cbr \u002F>\naccess.line.me\u003Cbr \u002F>\napi.line.me\u003C\u002Fp>\n\u003Cp>Slack\u003Cbr \u002F>\nslack.com\u003C\u002Fp>\n\u003Cp>Discord\u003Cbr \u002F>\ndiscord.com\u003C\u002Fp>\n\u003Cp>Twitch\u003Cbr \u002F>\nid.twitch.tv\u003Cbr \u002F>\napi.twitch.tv\u003C\u002Fp>\n\u003Cp>GitHub\u003Cbr \u002F>\ngithub.com\u003Cbr \u002F>\napi.github.com\u003C\u002Fp>\n\u003Cp>Amazon\u003Cbr \u002F>\nwww.amazon.com\u003Cbr \u002F>\napi.amazon.com\u003C\u002Fp>\n\u003Cp>Yahoo\u003Cbr \u002F>\napi.login.yahoo.com\u003C\u002Fp>\n\u003Cp>WordPress.com\u003Cbr \u002F>\npublic-api.wordpress.com\u003C\u002Fp>\n\u003Cp>LinkedIn\u003Cbr \u002F>\nwww.linkedin.com\u003Cbr \u002F>\napi.linkedin.com\u003C\u002Fp>\n\u003Cp>Each provider has its own Terms of Service and Privacy Policy. You are responsible for complying with those terms when enabling a provider.\u003C\u002Fp>\n","Social login with 15+ providers plus passwordless login (Magic Link & Email OTP), with Guardrails to block spam registrations.",764,2,"2026-04-04T13:35:00.000Z","6.2",[82,157,158,86,159],"magic-link","oauth","social-login","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fventraconnect-social-login.1.2.1.zip",{"attackSurface":162,"codeSignals":168,"taintFlows":179,"riskAssessment":180,"analyzedAt":189},{"hooks":163,"ajaxHandlers":164,"restRoutes":165,"shortcodes":166,"cronEvents":167,"entryPointCount":27,"unprotectedCount":27},[],[],[],[],[],{"dangerousFunctions":169,"sqlUsage":170,"outputEscaping":176,"fileOperations":27,"externalRequests":27,"nonceChecks":27,"capabilityChecks":27,"bundledLibraries":178},[],{"prepared":27,"raw":26,"locations":171},[172],{"file":173,"line":174,"context":175},"uninstall.php",26,"$wpdb->get_col() with variable interpolation",{"escaped":27,"rawEcho":27,"locations":177},[],[],[],{"summary":181,"deductions":182},"The magic-login-mail plugin, version 2.06, exhibits a mixed security posture.  On the positive side, the static analysis reveals no direct attack surface exposed through AJAX, REST API, shortcodes, or cron events. Furthermore, the code demonstrates good output escaping practices, with all identified outputs being properly escaped, and there are no identified dangerous functions, file operations, or external HTTP requests.  However, a significant concern arises from the presence of a single SQL query that does not utilize prepared statements.  This indicates a potential for SQL injection vulnerabilities if user-supplied data is directly incorporated into this query. The vulnerability history reveals a past high-severity CVE related to Improper Privilege Management. While there are no currently unpatched vulnerabilities, this history suggests a tendency for critical security flaws to emerge in this plugin, requiring diligent monitoring and prompt patching of any future disclosures.",[183,186],{"reason":184,"points":185},"Raw SQL query without prepared statements",7,{"reason":187,"points":188},"Past high severity CVE (Improper Privilege Management)",15,"2026-03-16T20:44:20.089Z",{"wat":191,"direct":200},{"assetPaths":192,"generatorPatterns":195,"scriptPaths":196,"versionParams":197},[193,194],"\u002Fwp-content\u002Fplugins\u002Fmagic-login-mail\u002Flib\u002Fjs\u002Fmagicloginmail.js","\u002Fwp-content\u002Fplugins\u002Fmagic-login-mail\u002Flib\u002Fcss\u002Fmagicloginmail.css",[],[193],[198,199],"magic-login-mail\u002Flib\u002Fjs\u002Fmagicloginmail.js?ver=","magic-login-mail\u002Flib\u002Fcss\u002Fmagicloginmail.css?ver=",{"cssClasses":201,"htmlComments":206,"htmlAttributes":210,"restEndpoints":213,"jsGlobals":214,"shortcodeOutput":216},[202,203,204,205],"magic-login-mail-form","magic-login-mail-btn","magic-login-mail-login-error","magic-login-mail-message",[207,208,209],"\u003C!-- Magic Login Mail or QR Code -->","\u003C!-- BEGIN magic login mail -->","\u003C!-- END magic login mail -->",[211,212],"data-magicloginmail-email","data-magicloginmail-action",[],[215],"magicLoginMailObject",[217],"[magic_login_mail_form]",{"error":219,"url":220,"statusCode":221,"statusMessage":222,"message":222},true,"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Fmagic-login-mail\u002Fbundle",404,"no bundle for this plugin yet",{"slug":4,"current_version":6,"total_versions":26,"versions":224},[225],{"version":6,"download_url":24,"svn_tag_url":226,"released_at":37,"has_diff":48,"diff_files_changed":227,"diff_lines":37,"trac_diff_url":37,"vulnerabilities":228,"is_current":219},"https:\u002F\u002Fplugins.svn.wordpress.org\u002Fmagic-login-mail\u002Ftags\u002F2.06\u002F",[],[]]