WP-Safety

Intranet and Extranet with O365 Login Security & Risk Analysis

wordpress.org/plugins/o365-wp-restrict

Intranet and Extranet Portal for Office 365,Dynamics CRM and Other Third Party Identity Providers.

50 active installs v1.7 PHP 5.6.36+ WP 3.5.2+ Updated Sep 8, 2025
intranet-extranetlimited-accessoffice-365protectrestriction
100
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is Intranet and Extranet with O365 Login Safe to Use in 2026?

Generally Safe

Score 100/100

Intranet and Extranet with O365 Login has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 8mo ago
Risk Assessment

The security posture of the o365-wp-restrict plugin v1.7 shows a mix of good practices and significant concerns. The plugin demonstrates strengths in its handling of SQL queries, utilizing prepared statements exclusively, and avoiding file operations and external HTTP requests. The absence of known CVEs and a clean vulnerability history is also a positive indicator. However, the static analysis reveals critical weaknesses that elevate the risk profile.

The plugin utilizes the `unserialize` function ten times, a known attack vector for Remote Code Execution (RCE) vulnerabilities, especially when processing user-supplied data without proper sanitization or validation. While the taint analysis found no critical or high-severity flows, the presence of six flows with unsanitized paths is concerning and strongly correlated with the dangerous use of `unserialize`. The plugin also has a low percentage of properly escaped output (54%), suggesting potential Cross-Site Scripting (XSS) vulnerabilities.

Overall, while the plugin avoids common pitfalls like unauthenticated entry points and raw SQL queries, the heavy reliance on `unserialize` and unsanitized flows presents a tangible risk. The vulnerability history is a positive, but it cannot fully mitigate the risks identified in the code analysis. A balanced conclusion is that the plugin has some solid security foundations but requires immediate attention to address the `unserialize` usage and output escaping to reduce its attack surface and potential for compromise.

Key Concerns

  • Dangerous function: unserialize used 10 times
  • Taint analysis: 6 flows with unsanitized paths
  • Output escaping: only 54% properly escaped
  • Capability checks: missing on entry points
Vulnerabilities
None known

Intranet and Extranet with O365 Login Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Intranet and Extranet with O365 Login Release Timeline

v1.7Current
v1.6
Code Analysis
Analyzed Apr 16, 2026

Intranet and Extranet with O365 Login Code Analysis

Dangerous Functions
10
Raw SQL Queries
0
0 prepared
Unescaped Output
13
15 escaped
Nonce Checks
1
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0

Dangerous Functions Found

unserialize$o365_wp_restrict_settings = unserialize($o365_wp_restrict_settings);function/o365_wp_restrict_menu_func.php:122
unserialize$existing_role_data= unserialize($o365_wp_restrict_settings['wp_role_mapping']);function/o365_wp_restrict_menu_func.php:204
unserialize$existing_role_redirect_data= unserialize($o365_wp_restrict_settings['wp_role_redirect']);function/o365_wp_restrict_menu_func.php:205
unserialize$o365_wp_restrict_settings = unserialize($o365_wp_restrict_settings);inc/class-o365-wp-restrict.php:43
unserialize$o365_wp_restrict_settings = unserialize($o365_wp_restrict_settings);inc/class-o365-wp-restrict.php:62
unserialize$existing_role_data= unserialize($o365_wp_restrict_settings['wp_role_mapping']);inc/class-o365-wp-restrict.php:64
unserialize$existing_role_redirect_data= unserialize($o365_wp_restrict_settings['wp_role_redirect']);inc/class-o365-wp-restrict.php:65
unserialize$o365_wp_restrict_settings = unserialize($o365_wp_restrict_settings);inc/class-o365-wp-restrict.php:139
unserialize$o365_wp_restrict_settings = unserialize($o365_wp_restrict_settings);inc/class-o365-wp-restrict.php:505
unserialize$o365_wp_restrict_settings = unserialize($o365_wp_restrict_settings);inc/class-o365-wp-restrict.php:526

Output Escaping

54% escaped28 total outputs
Data Flows · Security
6 unsanitized

Data Flow Analysis

6 flows6 with unsanitized paths
o365_wp_restrict_action_wp_ajax_o365_wp_restrict_wp_roles (action/wp_ajax_o365_wp_restrict_wp_roles.php:6)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Intranet and Extranet with O365 Login Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 8
actiono365_restrict_autologoutinc/class-o365-wp-restrict.php:19
actiono365_wp_restrict_wp_logininc/class-o365-wp-restrict.php:20
actiontemplate_redirectinc/class-o365-wp-restrict.php:21
actionwp_logininc/class-o365-wp-restrict.php:22
filtero365_wp_restrict_auth_methodinc/class-o365-wp-restrict.php:23
actionadmin_heado365-wp-restrict.php:36
actionadmin_menuo365-wp-restrict.php:44
actioninito365-wp-restrict.php:51
Maintenance & Trust

Intranet and Extranet with O365 Login Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5
Last updatedSep 8, 2025
PHP min version5.6.36
Downloads5K

Community Trust

Rating100/100
Number of ratings5
Active installs50
Alternatives

Intranet and Extranet with O365 Login Alternatives

Prevent files / folders access

Prevent files / folders access

prevent-file-access

A
97

Prevent public access to WordPress files and folders. Protect downloads from public access, Role-based folder access, and User base folder access.

1K 2 CVEs
BruteFort

BruteFort

brutefort

A
100

BruteFort – Complete WordPress login security with custom login URLs, geo blocking, brute force protection, and IP restrictions in one plugin.

0 No CVEs
Karma Protected Content

Karma Protected Content

karma-contenuto-protetto

A
100

Protect parts of your post content with a simple shortcode, visible only to registered users.

0 No CVEs
Disable Comments – Remove Comments & Stop Spam [Multi-Site Support]

Disable Comments – Remove Comments & Stop Spam [Multi-Site Support]

disable-comments

A
99

Allows administrators to globally disable comments on their site. Comments can be disabled according to post type. Multisite friendly.

1.0M 1 CVE
Antispam Bee

Antispam Bee

antispam-bee

A
100

Sophisticated antispam plugin for effective daily comment and trackback spam-fighting. Built with data protection and privacy in mind.

700K 1 CVE
Developer Profile

Intranet and Extranet with O365 Login Developer Profile

Wordpress Integration Services

2 plugins · 70 total installs

94
trust score
Avg Security Score
100/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Intranet and Extranet with O365 Login

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/o365-wp-restrict/css/o365_wp_restrict_menu_icon.css/wp-content/plugins/o365-wp-restrict/css/o365_wp_restrict.css/wp-content/plugins/o365-wp-restrict/js/o365-wp-restrict.js/wp-content/plugins/o365-wp-restrict/js/SpryTabbedPanels.js/wp-content/plugins/o365-wp-restrict/img/help-picture.png
Script Paths
/wp-content/plugins/o365-wp-restrict/js/o365-wp-restrict.js/wp-content/plugins/o365-wp-restrict/js/SpryTabbedPanels.js

HTML / DOM Fingerprints

CSS Classes
office-365-add-onsoffice-365-add-ons-wp-list-tablehead-office-365-add-onsan_left_columnan_right_columnhead-right-office-365-add-onsan_display_cellan_display_cell_inner+10 more
Data Attributes
data-tabbedpanels-region
JS Globals
SpryTabbedPanels
FAQ

Frequently Asked Questions about Intranet and Extranet with O365 Login