Nextend Social Login and Register Security & Risk Analysis

wordpress.org/plugins/nextend-facebook-connect

One click registration & login plugin for Facebook, Google, X (formerly Twitter) and more. Quick setup and easy configuration.

200K active installs · v3.1.23 · PHP 7.4+ · WP 4.9+ · Updated Feb 23, 2026
Tags: facebook, google, social-login, twitter, x
Score: 89 · A · Safe
CVEs total: 6
Unpatched: 0
Last CVE: Nov 27, 2025
Safety Verdict

Is Nextend Social Login and Register Safe to Use in 2026?

Generally Safe

Score 89/100

Nextend Social Login and Register has a strong security track record. Known vulnerabilities have been patched promptly.

6 known CVEs · Last CVE: Nov 27, 2025 · Updated 1mo ago
Risk Assessment

The "nextend-facebook-connect" plugin v3.1.23 presents a mixed security posture. While the static analysis indicates a relatively low number of dangerous functions and a good percentage of SQL queries using prepared statements, there are significant concerns regarding its attack surface and output escaping. The presence of 3 unprotected entry points, including AJAX handlers and a REST API route, creates potential vectors for attackers. The taint analysis also revealed 4 flows with unsanitized paths, which, while not classified as critical or high severity in this scan, warrant close attention as they could lead to various vulnerabilities if exploited.

The plugin's vulnerability history is a considerable red flag. With 6 known CVEs, 2 of high severity and 4 of medium severity, the plugin has a history of security flaws. The common vulnerability types, CSRF and XSS, are often associated with improper input handling and insufficient output escaping, which aligns with the findings of the static analysis. All previously discovered vulnerabilities have been patched, which is a positive, but the recurring nature of these issues suggests a persistent need for rigorous security auditing and development practices.

In conclusion, while the plugin demonstrates some good practices like prepared SQL statements and a decent number of nonces and capability checks, the unprotected entry points, unsanitized taint flows, and the historical pattern of XSS and CSRF vulnerabilities indicate a moderate to high risk. Users should exercise caution and ensure the plugin is kept up-to-date with any future patches.

Key Concerns

  • Unprotected AJAX handlers
  • Unprotected REST API route
  • Flows with unsanitized paths (taint analysis)
  • Low percentage of properly escaped output
  • High number of known CVEs (historical)
  • High severity CVEs in history
  • Medium severity CVEs in history
Vulnerabilities
6

Nextend Social Login and Register Security Vulnerabilities

CVEs by Year

2014: 1 CVE
2015: 1 CVE
2016: 1 CVE
2024: 1 CVE
2025: 2 CVEs

Severity Breakdown

High: 2
Medium: 4

6 total CVEs

CVE-2025-13737 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Nextend Social Login and Register <= 3.1.21 - Cross-Site Request Forgery to Unlink User Social Login

Nov 27, 2025 · Patched in 3.1.22 (1d)

CVE-2025-58031 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Nextend Facebook Connect <= 3.1.19 - Authenticated (Contributor+) Stored Cross-Site Scripting

Sep 22, 2025 · Patched in 3.1.20 (53d)

CVE-2024-1775 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Nextend Social Login and Register <= 3.1.12 - Reflected Self-Based Cross-Site Scripting via error_description

Mar 1, 2024 · Patched in 3.1.13 (1d)

WF-7b834a3c-6af0-48fd-aa13-985d226b546d-nextend-facebook-connect · high · 8.8 · Cross-Site Request Forgery (CSRF)

Nextend Facebook Connect <= 1.5.8 - Cross-Site Request Forgery

Mar 15, 2016 · Patched in 1.5.9 (2870d)

CVE-2015-4413 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Nextend Social Login and Register <= 1.5.5 - Reflected Cross-Site Scripting

Jun 24, 2015 · Patched in 1.5.6 (3135d)

CVE-2014-8800 · high · 7.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Nextend Social Login and Register <= 1.5.0 - Cross-Site Scripting

Feb 12, 2014 · Patched in 1.5.1 (3632d)

Code Analysis
Analyzed Mar 16, 2026

Nextend Social Login and Register Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 3 (12 prepared)
Unescaped Output: 638 (181 escaped)
Nonce Checks: 10
Capability Checks: 8
File Operations: 20
External Requests: 8
Bundled Libraries: 0

SQL Query Safety

80% prepared · 15 total queries

Output Escaping

22% escaped · 819 total outputs
Data Flows
4 unsanitized

Data Flow Analysis

9 flows · 4 with unsanitized paths
authenticate (includes\oauth2.php:119)
Attack Surface
3 unprotected

Nextend Social Login and Register Attack Surface

Entry Points: 6
Unprotected: 3

AJAX Handlers (2)

auth · wp_ajax_nsl_save_review_state · admin\admin.php:19
auth · wp_ajax_nextend-social-login · admin\admin.php:197

REST API Routes (1)

GET · /wp-json/nextend-social-login/v1/(?P<provider>\w[\w\s\-]*)/get_user · NSL\REST.php:24

Shortcodes (3)

[nextend_social_login_register_flow] · includes\userData.php:101
[theme-my-login] · includes\userData.php:145
[nextend_social_login] · nextend-social-login.php:454

WordPress Hooks (105)

action · admin_menu · admin\admin.php:12
action · admin_init · admin\admin.php:13
filter · plugin_action_links · admin\admin.php:15
filter · nsl_update_settings_validate_nextend_social_login · admin\admin.php:17
action · admin_notices · admin\admin.php:120
action · admin_notices · admin\admin.php:124
action · admin_notices · admin\admin.php:129
action · admin_post_nextend-social-login · admin\admin.php:196
action · admin_enqueue_scripts · admin\admin.php:200
action · show_user_profile · admin\admin.php:206
action · edit_user_profile · admin\admin.php:210
filter · display_post_states · admin\admin.php:215
action · nsl_getting_started_warnings · admin\admin.php:221
filter · nsl_redirect_uri_override · admin\admin.php:225
filter · wpml_get_language_from_url · admin\admin.php:1006
filter · plugins_api · admin\upgrader.php:9
filter · upgrader_pre_download · admin\upgrader.php:11
filter · pre_set_site_transient_update_plugins · admin\upgrader.php:13
filter · http_response · admin\upgrader.php:32
action · after_setup_theme · compat.php:7
action · wp_head · compat.php:12
action · nsl_update_avatar · includes\avatar.php:20
filter · pre_get_avatar_data · includes\avatar.php:29
filter · post_mime_types · includes\avatar.php:35
filter · ajax_query_attachments_args · includes\avatar.php:40
action · nsl_unlink_user · includes\avatar.php:46
filter · wp_robots · includes\compat-wp-login.php:26
action · login_head · includes\compat-wp-login.php:32
action · login_head · includes\compat-wp-login.php:34
action · login_head · includes\compat-wp-login.php:39
action · login_footer · includes\compat-wp-login.php:65
action · rest_api_init · includes\provider-oauth.php:17
filter · nsl_registration_require_extra_input · includes\user.php:269
action · user_register · includes\user.php:303
action · um_registration_after_auto_login · includes\user.php:328
action · user_register · includes\user.php:356
action · user_register · includes\user.php:362
filter · um_get_current_page_url · includes\user.php:502
filter · wp_redirect · includes\user.php:609
filter · wishlistmember_login_redirect_override · includes\user.php:618
action · nsl_registration_form_end · includes\user.php:767
action · bp_before_register_page · includes\userData.php:133
action · bp_after_register_page · includes\userData.php:138
action · admin_notices · nextend-facebook-connect.php:37
action · admin_notices · nextend-facebook-connect.php:39
action · init · nextend-social-login.php:39
action · init · nextend-social-login.php:48
action · plugins_loaded · nextend-social-login.php:151
action · delete_user · nextend-social-login.php:155
action · itsec_initialized · nextend-social-login.php:157
filter · nsl_is_register_allowed · nextend-social-login.php:351
action · login_form_login · nextend-social-login.php:354
action · login_form_register · nextend-social-login.php:359
action · login_form_link · nextend-social-login.php:360
action · bp_core_screen_signup · nextend-social-login.php:361
action · login_form_unlink · nextend-social-login.php:363
action · template_redirect · nextend-social-login.php:366
action · parse_request · nextend-social-login.php:368
action · wp_print_scripts · nextend-social-login.php:371
action · login_form_login · nextend-social-login.php:376
action · login_form · nextend-social-login.php:378
action · login_form_register · nextend-social-login.php:382
action · register_form · nextend-social-login.php:384
filter · login_form_bottom · nextend-social-login.php:388
action · bp_sidebar_login_form · nextend-social-login.php:394
action · bp_settings_setup_nav · nextend-social-login.php:400
action · profile_personal_options · nextend-social-login.php:404
action · woocommerce_login_form_start · nextend-social-login.php:410
action · woocommerce_login_form_end · nextend-social-login.php:411
action · woocommerce_register_form_start · nextend-social-login.php:413
action · woocommerce_register_form_end · nextend-social-login.php:414
action · wp_head · nextend-social-login.php:418
action · amp_post_template_css · nextend-social-login.php:433
action · wp · nextend-social-login.php:438
action · admin_head · nextend-social-login.php:446
action · login_head · nextend-social-login.php:447
action · wp_print_footer_scripts · nextend-social-login.php:449
action · login_footer · nextend-social-login.php:450
action · admin_print_footer_scripts · nextend-social-login.php:457
action · init · nextend-social-login.php:494
filter · jetpack_sso_bypass_login_forward_wpcom · nextend-social-login.php:503
filter · nsl_autologin_priority · nextend-social-login.php:512
filter · jetpack_boost_should_defer_js · nextend-social-login.php:523
filter · wp_2fa_skip_2fa_login_form · nextend-social-login.php:537
filter · wp_2fa_skip_2fa_login_form · nextend-social-login.php:548
action · nsl_before_wp_login · nextend-social-login.php:564
filter · itsec_two_factor_interstitial_show_to_user · nextend-social-login.php:565
filter · wp_login_errors · nextend-social-login.php:904
action · login_form · nextend-social-login.php:1009
action · register_form · nextend-social-login.php:1010
action · bp_template_title · nextend-social-login.php:1463
action · bp_template_content · nextend-social-login.php:1464
action · admin_init · NSL\GDPR.php:10
filter · wp_privacy_personal_data_exporters · NSL\GDPR.php:15
action · init · NSL\Notices.php:22
action · admin_notices · NSL\Notices.php:28
action · admin_print_footer_scripts · NSL\Notices.php:34
action · wp_print_footer_scripts · NSL\Notices.php:38
action · init · NSL\Persistent\Persistent.php:23
action · nsl_before_wp_login · NSL\Persistent\Persistent.php:28
action · wp_login · NSL\Persistent\Persistent.php:29
action · shutdown · NSL\Persistent\Storage\Session.php:41
action · rest_api_init · NSL\REST.php:17
filter · nsl_getting_started_guide_url · providers\twitter\admin\getting-started.php:10
action · widgets_init · widget.php:124

Maintenance & Trust

Nextend Social Login and Register Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 23, 2026
PHP min version: 7.4
Downloads: 7.6M

Community Trust

Rating: 98/100
Number of ratings: 441
Active installs: 200K

Developer Profile

Nextend Social Login and Register Developer Profile

Nextendweb

2 plugins · 1.0M total installs

Trust score: 72
Avg Security Score: 90/100
Avg Patch Time: 947 days
Detection Fingerprints

How We Detect Nextend Social Login and Register

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/nextend-facebook-connect/admin/templates/header.php
/wp-content/plugins/nextend-facebook-connect/admin/templates/menu.php
/wp-content/plugins/nextend-facebook-connect/admin/templates/footer.php
/wp-content/plugins/nextend-facebook-connect/admin/templates/providers.php
/wp-content/plugins/nextend-facebook-connect/admin/templates/global-settings.php
/wp-content/plugins/nextend-facebook-connect/admin/templates/debug.php
/wp-content/plugins/nextend-facebook-connect/admin/templates/test-connection.php
/wp-content/plugins/nextend-facebook-connect/admin/templates/fix-redirect-uri.php
+7 more
Version Parameters
nextend-facebook-connect/admin/style.css?nsl-ver=

HTML / DOM Fingerprints

CSS Classes
nsl-admin-stylesheet
HTML Comments
<!----------------------------------------------------------------------------- Header ----------------------------------------------------------------------------->
<!----------------------------------------------------------------------------- Menu ----------------------------------------------------------------------------->
<!----------------------------------------------------------------------------- Notice ----------------------------------------------------------------------------->
<!----------------------------------------------------------------------------- Footer ----------------------------------------------------------------------------->
+2 more
Data Attributes
data-page="nextend-social-login"
JS Globals
NextendSocialLogin
NextendSocialLoginAdmin
NSL_PATH_FILE
NSL_PATH
NSL_PLUGIN_BASENAME
NSL_MIN_PHP_VERSION
+1 more
FAQ

Frequently Asked Questions about Nextend Social Login and Register