[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fNsUvcUQsyWHmwV_FYBmYYg5OlE0_uBaKK7ZONyAQ_TY":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":11,"num_ratings":11,"last_updated":13,"tested_up_to":14,"requires_at_least":15,"requires_php":16,"tags":17,"homepage":21,"download_link":22,"security_score":23,"vuln_count":11,"unpatched_count":11,"last_vuln_date":24,"fetched_at":25,"vulnerabilities":26,"developer":27,"crawl_stats":24,"alternatives":33,"analysis":126,"fingerprints":203},"mb-challenge-response-authentication","MB Challenge response authentication","1.0.0","Yeora","https:\u002F\u002Fprofiles.wordpress.org\u002Fmabipress\u002F","\u003Cp>The “MB Challenge response authentication” plugin extends the\u003Cbr \u002F>\ndefault WordPress authentication with a challenge response authentication.\u003Cbr \u002F>\nThis ensures that passwords during login are no longer stored in the\u003Cbr \u002F>\nclear text during the login process.\u003C\u002Fp>\n\u003Cp>Via a menu item in the administration you can also set whether the challenge response authentication should be enforced or not. If challenge response authentication is not enforced\u003Cbr \u002F>\nthe default WordPress authentication is allowed as fallback.\u003Cbr \u002F>\nThis is the case if a user cannot hash on the client side.\u003C\u002Fp>\n\u003Cp>Furthermore, the default WordPress hasher is overridden and PHP native functions like password_hash and password_verify are used.\u003C\u002Fp>\n\u003Ch3>Credits\u003C\u002Fh3>\n\u003Cp>Special thanks to the developers of the\u003Cbr \u002F>\nbcrypt.js library https:\u002F\u002Fgithub.com\u002FdcodeIO\u002Fbcrypt.js.\u003Cbr \u002F>\nThe library is used for client-side hashing.\u003C\u002Fp>\n","This plugin implements challenge response authentication. 
In addition, the WordPress hasher is replaced by native PHP libraries.",0,839,"2022-01-23T13:39:00.000Z","5.9.0","5.7.0","",[18,19,20],"challenge-response","hash","security","http:\u002F\u002Fmb-challenge-response-authentication","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmb-challenge-response-authentication.1.0.0.zip",85,null,"2026-03-15T15:16:48.613Z",[],{"slug":28,"display_name":7,"profile_url":8,"plugin_count":29,"total_installs":11,"avg_security_score":23,"avg_patch_time_days":30,"trust_score":31,"computed_at":32},"mabipress",1,30,84,"2026-04-05T22:10:00.406Z",[34,58,76,95,109],{"slug":35,"name":36,"version":37,"author":38,"author_profile":39,"description":40,"short_description":41,"active_installs":42,"downloaded":43,"rating":44,"num_ratings":45,"last_updated":46,"tested_up_to":47,"requires_at_least":48,"requires_php":49,"tags":50,"homepage":56,"download_link":57,"security_score":42,"vuln_count":11,"unpatched_count":11,"last_vuln_date":24,"fetched_at":25},"csp-antsst","CSP Friendly Security","1.5.2","Pascal CESCATO","https:\u002F\u002Fprofiles.wordpress.org\u002Fpcescato\u002F","\u003Cp>Adds a CSP header compatible with most WP plugins without breaking styles.\u003C\u002Fp>\n","Adds a CSP header compatible with most WP plugins without breaking 
styles.",100,2755,70,4,"2026-01-01T13:42:00.000Z","6.9.4","5.9","7.3",[51,52,53,54,55],"content-security-policy","csp","nonces","security-headers","sha256-hashes","https:\u002F\u002Ftsw.ovh\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcsp-antsst.1.5.2.zip",{"slug":59,"name":60,"version":61,"author":62,"author_profile":63,"description":64,"short_description":65,"active_installs":66,"downloaded":67,"rating":42,"num_ratings":68,"last_updated":16,"tested_up_to":69,"requires_at_least":70,"requires_php":16,"tags":71,"homepage":73,"download_link":74,"security_score":42,"vuln_count":11,"unpatched_count":11,"last_vuln_date":24,"fetched_at":75},"hashcash","Hashcash","1.0.14","pkaroukin","https:\u002F\u002Fprofiles.wordpress.org\u002Fpkaroukin\u002F","\u003Cp>This plugin will integrate jQuery plugin Hashcash.IO (https:\u002F\u002Fgithub.com\u002Fhashcash\u002Fjquery.hashcash.io) to be used in combination with https:\u002F\u002Fhashcash.io\u002F service.\u003C\u002Fp>\n\u003Cp>Active development happens in GitHub repository – https:\u002F\u002Fgithub.com\u002Fhashcash\u002Fwordpress-hashcash\u003C\u002Fp>\n\u003Cp>Please report all issues at https:\u002F\u002Fgithub.com\u002Fhashcash\u002Fwordpress-hashcash\u002Fissues\u003C\u002Fp>\n\u003Cp>Because of the way plugins work, problem might arise from specific combination of WP version, plugins, themes.\u003Cbr \u002F>\nTherefore for the best result every time you submit a bug report or just seeking an advice please include following:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Version of WordPress you are using\u003C\u002Fli>\n\u003Cli>Brand and version of Browser you are using to test it\u003C\u002Fli>\n\u003Cli>List of third-party plugins and their versions activated on your website\u003C\u002Fli>\n\u003Cli>What theme and version you are using\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Protect Against Web Spam\u003C\u002Fh3>\n\u003Cp>Typically various “Internet SEO Companies” try to leverage poor forum software 
protection against mass submission and create many worthless posts with links to a website they are promoting.\u003C\u002Fp>\n\u003Cp>Some forum and blog software implement various CAPTCHA solutions but these have two negative aspects:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>They annoy your visitors.\u003C\u002Fli>\n\u003Cli>They provide a fake sense of security.\u003C\u002Fli>\n\u003Cli>Today it is possible to buy access to API which solves any kind of CAPTCHA for just $0.70 per 1000 CAPTCHA images solved by a real human being. And do you really think your customer will be happy to try to solve one of these ridiculous CAPTCHAs?\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Secure Against Brute Force Attacks\u003C\u002Fh3>\n\u003Cp>Many modern applications are susceptible to brute force attacks. Take a typical login form, for example. Hackers can compromise account security by trying every possible password combination. They can also leverage a large network of proxy servers to parallelize this attack. Forcing their browser to work hard makes it too expensive and slow for hackers to perform a brute force attack.\u003C\u002Fp>\n\u003Ch3>Based On Open Technologies\u003C\u002Fh3>\n\u003Cp>We leverage the following features:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Asm.js\u003C\u002Fli>\n\u003Cli>HTML5\u003C\u002Fli>\n\u003Cli>Web Workers\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Browsers supported:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Google Chrome 28+\u003C\u002Fli>\n\u003Cli>Mozilla Firefox 22+\u003C\u002Fli>\n\u003Cli>Internet Explorer 10+\u003C\u002Fli>\n\u003Cli>Opera 18+\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Fully translatable\u003C\u002Fh3>\n\u003Cp>All strings are available for translation\u003C\u002Fp>\n\u003Ch3>Fully accessible\u003C\u002Fh3>\n\u003Cp>We follow both common sense and accessibility guidelines to make this\u003Cbr \u002F>\nwidget accessible to people with limited abilities. 
We make it focusable\u003Cbr \u002F>\nand actionable via Tab-Enter keys, as well as we have WAI-ARIA live region\u003Cbr \u002F>\nwhich updates blind user via screen reader about progress.\u003C\u002Fp>\n","Integrates Hashcash.IO proof-of-work widget with login\u002Fregistration\u002Fcomment forms.",20,5371,5,"4.9.29","3.0.0",[59,20,72],"spam","http:\u002F\u002Fwordpress.org\u002Fplugins\u002Fhashcash\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fhashcash.zip","2026-03-15T10:48:56.248Z",{"slug":77,"name":78,"version":79,"author":80,"author_profile":81,"description":82,"short_description":83,"active_installs":84,"downloaded":85,"rating":11,"num_ratings":11,"last_updated":86,"tested_up_to":87,"requires_at_least":88,"requires_php":16,"tags":89,"homepage":93,"download_link":94,"security_score":23,"vuln_count":11,"unpatched_count":11,"last_vuln_date":24,"fetched_at":25},"ballast-security-securing-hashing","Ballast Security Hashing","1.2.1","BallastSecurity","https:\u002F\u002Fprofiles.wordpress.org\u002Fballastsecurity\u002F","\u003Cp>This plugin seamlessly changes your stored password hash to a far stronger one. The hash that it is changed to is\u003Cbr \u002F>\ngenerated with a variety of variations on PBKDF2, including my own ARC4PBKDF2 which adds custom ARC4 encryption\u003Cbr \u002F>\nduring the hashing process, then a SHA-1 to meet size constraints. 
This plugin exponentially increases the strength\u003Cbr \u002F>\nof your stored password.\u003C\u002Fp>\n\u003Ch3>Arbitrary section\u003C\u002Fh3>\n","This plugin drastically increases the security of the hash used to store passwords",10,2651,"2012-09-06T22:17:00.000Z","3.4.2","2.0.2",[90,19,91,92,20],"ballast-security","password","pbkdf2","http:\u002F\u002Fwordpress.org\u002Fextend\u002Fplugins\u002Fballast-security-securing-hashing\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fballast-security-securing-hashing.zip",{"slug":96,"name":97,"version":6,"author":98,"author_profile":99,"description":100,"short_description":101,"active_installs":84,"downloaded":102,"rating":11,"num_ratings":11,"last_updated":16,"tested_up_to":69,"requires_at_least":103,"requires_php":104,"tags":105,"homepage":16,"download_link":108,"security_score":42,"vuln_count":11,"unpatched_count":11,"last_vuln_date":24,"fetched_at":75},"wp-argon2-password-hashing","WP Argon2 Password Hashing","mfsoftworks","https:\u002F\u002Fprofiles.wordpress.org\u002Fmfsoftworks\u002F","\u003Cp>Existing user accounts will have their password hash updated with Argon2i on the next successful sign in.\u003C\u002Fp>\n","Existing user accounts will have their password hash updated with Argon2i on the next successful sign in.",1636,"3.0","7.2",[106,19,107,91,20],"argon","hashing","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-argon2-password-hashing.zip",{"slug":110,"name":111,"version":112,"author":113,"author_profile":114,"description":115,"short_description":116,"active_installs":84,"downloaded":117,"rating":42,"num_ratings":29,"last_updated":118,"tested_up_to":119,"requires_at_least":120,"requires_php":16,"tags":121,"homepage":124,"download_link":125,"security_score":23,"vuln_count":11,"unpatched_count":11,"last_vuln_date":24,"fetched_at":25},"wpcrypt","WpCrypt","0.1","bruno.sousa","https:\u002F\u002Fprofiles.wordpress.org\u002Fbrunosousa-1\u002F","\u003Cp>Allow users to change 
password encryption method to SHA1, SHA2, AES Rijndael and more…\u003C\u002Fp>\n","Allow users to change password encryption method to SHA1, SHA2, AES Rijndael and more...",2587,"2015-04-16T03:22:00.000Z","3.5.2","3.3",[122,19,123,91,20],"encryption","hashes","http:\u002F\u002Femancipa.net","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpcrypt.zip",{"attackSurface":127,"codeSignals":177,"taintFlows":191,"riskAssessment":192,"analyzedAt":202},{"hooks":128,"ajaxHandlers":165,"restRoutes":166,"shortcodes":175,"cronEvents":176,"entryPointCount":29,"unprotectedCount":29},[129,135,138,140,143,146,149,151,154,157,162],{"type":130,"name":131,"callback":132,"file":133,"line":134},"action","plugins_loaded","anonymous","includes\\class-mb-challenge-response-authentication.php",162,{"type":130,"name":136,"callback":132,"file":133,"line":137},"admin_enqueue_scripts",176,{"type":130,"name":136,"callback":132,"file":133,"line":139},177,{"type":130,"name":141,"callback":132,"file":133,"line":142},"admin_init",180,{"type":130,"name":144,"callback":132,"file":133,"line":145},"admin_menu",181,{"type":130,"name":147,"callback":132,"file":133,"line":148},"wp_enqueue_scripts",195,{"type":130,"name":147,"callback":132,"file":133,"line":150},196,{"type":130,"name":152,"callback":132,"file":133,"line":153},"rest_api_init",199,{"type":130,"name":155,"callback":132,"file":133,"line":156},"login_enqueue_scripts",202,{"type":130,"name":158,"callback":159,"file":160,"line":161},"admin_notices","closure","includes\\custom\\class-mb-password-hasher.php",22,{"type":130,"name":158,"callback":159,"file":163,"line":164},"includes\\custom\\mb-password-hasher.php",25,[],[167],{"namespace":168,"route":169,"methods":170,"callback":172,"permissionCallback":24,"file":173,"line":174},"mb-challenge","\u002Fget-user-salt-and-challenge\u002F(?P\u003Cuser>[\\w\\-_]+)",[171],"GET","mb_get_user_salt_and_challenge","includes\\custom\\class-mb-rest-endpoint.php",79,[],[],{"dangerousFunctions":178,"sqlU
sage":179,"outputEscaping":181,"fileOperations":11,"externalRequests":11,"nonceChecks":11,"capabilityChecks":29,"bundledLibraries":190},[],{"prepared":11,"raw":11,"locations":180},[],{"escaped":182,"rawEcho":183,"locations":184},8,2,[185,188],{"file":160,"line":186,"context":187},23,"raw output",{"file":163,"line":189,"context":187},26,[],[],{"summary":193,"deductions":194},"The \"mb-challenge-response-authentication\" plugin version 1.0.0 exhibits a mixed security posture. On the positive side, the plugin demonstrates good practices by avoiding dangerous functions, file operations, external HTTP requests, and utilizes prepared statements for all SQL queries. The absence of known CVEs and a clean vulnerability history further suggests a generally secure development approach.\n\nHowever, a significant concern arises from the static analysis, specifically the presence of one unprotected REST API route. This unprotected entry point represents a direct attack vector that could be exploited by unauthenticated users, potentially leading to unauthorized actions or data exposure depending on the route's functionality. The lack of nonce checks and a single capability check on the limited entry points also highlight potential areas for improvement in hardening the plugin's security.\n\nIn conclusion, while the plugin has a solid foundation in secure coding practices and a clean vulnerability record, the single unprotected REST API route is a notable weakness that requires immediate attention. Addressing this will significantly improve the overall security posture of the plugin. 
The plugin's strengths lie in its careful handling of sensitive operations like SQL, but its weakness lies in a singular, yet critical, exposure.",[195,198,200],{"reason":196,"points":197},"Unprotected REST API route",15,{"reason":199,"points":68},"No nonce checks on entry points",{"reason":201,"points":68},"Limited capability checks","2026-03-17T06:55:44.068Z",{"wat":204,"direct":217},{"assetPaths":205,"generatorPatterns":209,"scriptPaths":210,"versionParams":212},[206,207,208],"\u002Fwp-content\u002Fplugins\u002Fmb-challenge-response-authentication\u002Fpublic\u002Fcss\u002Fmb-challenge-response-authentication-public.css","\u002Fwp-content\u002Fplugins\u002Fmb-challenge-response-authentication\u002Fadmin\u002Fcss\u002Fmb-challenge-response-authentication-admin.css","\u002Fwp-content\u002Fplugins\u002Fmb-challenge-response-authentication\u002Fpublic\u002Fjs\u002Fmb-challenge-response-authentication-public.js",[],[208,211],"\u002Fwp-content\u002Fplugins\u002Fmb-challenge-response-authentication\u002Fadmin\u002Fjs\u002Fmb-challenge-response-authentication-admin.js",[213,214,215,216],"mb-challenge-response-authentication\u002Fpublic\u002Fcss\u002Fmb-challenge-response-authentication-public.css?ver=","mb-challenge-response-authentication\u002Fadmin\u002Fcss\u002Fmb-challenge-response-authentication-admin.css?ver=","mb-challenge-response-authentication\u002Fpublic\u002Fjs\u002Fmb-challenge-response-authentication-public.js?ver=","mb-challenge-response-authentication\u002Fadmin\u002Fjs\u002Fmb-challenge-response-authentication-admin.js?ver=",{"cssClasses":218,"htmlComments":219,"htmlAttributes":240,"restEndpoints":241,"jsGlobals":243,"shortcodeOutput":246},[],[220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239],"\u003C!-- This file is part of the plugin MB Challenge Response Authentication. -->","\u003C!-- The core plugin class that is used to define internationalization, -->","\u003C!-- admin-specific hooks, and public-facing site hooks. 
-->","\u003C!-- The class responsible for orchestrating the actions and filters of the -->","\u003C!-- core plugin. -->","\u003C!-- The class responsible for defining internationalization functionality -->","\u003C!-- of the plugin. -->","\u003C!-- The class responsible for defining all actions that occur in the admin area. -->","\u003C!-- The class responsible for defining all actions that occur in the public-facing -->","\u003C!-- side of the site. -->","\u003C!-- The class responsible for the Rest Endpoint for the challenge response authentication -->","\u003C!-- The class responsible for the new Password Hasher -->","\u003C!-- Overwrites the WordPress Password Hasher -->","\u003C!-- The class responsible for the Login Helper -->","\u003C!-- Registers all of the hooks related to the admin area functionality -->","\u003C!-- Registers all of the hooks related to the public-facing functionality -->","\u003C!-- This file defines the loader for the plugin -->","\u003C!-- This file defines the i18n functionality -->","\u003C!-- This file defines the public-facing functionality -->","\u003C!-- This file defines the admin functionality -->",[],[242],"\u002Fwp-json\u002Fmb-challenge-response-authentication\u002Fv1\u002Fauth",[244,245],"wpmbchallenge","wp_mb_challenge_response_authentication_public_params",[]]