WP OAuth Server (OAuth Authentication) Security & Risk Analysis

wordpress.org/plugins/oauth2-provider

Adds Authentication through OAuth 2. Provides the ability for Single Sign On for websites & Mobile Applications.

3K active installs · v4.5.0 · PHP 7.4+ · WP 4.7.2+ · Updated Jan 24, 2026

Tags: oauth, oauth-provider, oauth2, oauth2-service, provider

Security score: 92 (A · Safe)
CVEs total: 7
Unpatched: 0
Last CVE: Apr 5, 2024
Safety Verdict

Is WP OAuth Server (OAuth Authentication) Safe to Use in 2026?

Generally Safe

Score 92/100

WP OAuth Server (OAuth Authentication) currently has no unpatched vulnerabilities: all 7 known CVEs have fixes in a released version. The record is not one of prompt patching, however; the developer profile below reports an average patch time of 715 days, and the single critical issue (a weak PRNG, CVE-2015-9435) dates from 2015.

7 known CVEs · Last CVE: Apr 5, 2024 · Updated 2mo ago
Risk Assessment

The oauth2-provider v4.5.0 plugin exhibits a mixed security posture. Static analysis found no dangerous function calls and no critical or high severity findings: 87% of SQL queries go through prepared statements, and the code carries 8 nonce checks and 7 capability checks. Three of the six traced data flows, however, reach a sink without passing through a sanitizer (the one listed is wpoauth_method_destroy in includes\filters.php:158), and 28 of 88 outputs are emitted without escaping; both need manual review rather than a scanner verdict. The plugin also makes one external HTTP request, which matters only if its destination or its response handling can be influenced by an attacker.
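Added example, not the plugin's code, of the pattern the report counts as nonce checks, capability checks and prepared queries. It is written as an admin-ajax delete handler because two of the CVEs listed below (CVE-2022-3894 and CVE-2022-4148) concern exactly such a handler, wo_ajax_remove_client, one for CSRF and one for a Subscriber-level user being allowed to delete clients. It assumes it is loaded inside WordPress; the hook name example_remove_client, the function name, and the table and column names are hypothetical.

```php
<?php
// Hypothetical admin-ajax handler (not from oauth2-provider). Assumes a
// WordPress runtime; table and column names are invented for the example.

add_action( 'wp_ajax_example_remove_client', 'example_ajax_remove_client' );

function example_ajax_remove_client() {
    global $wpdb;

    // 1. CSRF: reject requests that do not carry a nonce minted for this
    //    action. check_ajax_referer() dies with -1 on failure.
    check_ajax_referer( 'example_remove_client', 'nonce' );

    // 2. Authorization: a valid nonce proves the request originated from a
    //    logged-in user's page, not that the user may delete clients. Without
    //    this check any Subscriber could reach the delete below.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input: coerce the id to a non-negative integer before it reaches SQL.
    $client_id = isset( $_POST['client_id'] ) ? absint( $_POST['client_id'] ) : 0;
    if ( 0 === $client_id ) {
        wp_send_json_error( array( 'message' => 'invalid client id' ), 400 );
    }

    // 4. SQL: parameterised delete. $wpdb->delete() builds the prepared
    //    statement; the equivalent raw form is
    //    $wpdb->query( $wpdb->prepare( "DELETE FROM {$table} WHERE id = %d", $client_id ) );
    $table   = $wpdb->prefix . 'example_oauth_clients';
    $deleted = $wpdb->delete( $table, array( 'id' => $client_id ), array( '%d' ) );

    if ( false === $deleted ) {
        wp_send_json_error( array( 'message' => 'database error' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}

// The admin page that issues the request has to mint the matching nonce,
// for example when localising its script:
//
// wp_localize_script( 'example-admin', 'exampleAdmin', array(
//     'nonce' => wp_create_nonce( 'example_remove_client' ),
// ) );
```

The order of the checks is deliberate: the nonce rejects cross-site requests before any work is done, the capability check then decides whether this user may perform the action, and only a coerced integer reaches the query. A handler with only the nonce (the CVE-2022-4148 class) or only the capability check (the CVE-2022-3894 class) is still exploitable.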

The vulnerability history is a significant red flag. Of the 7 known CVEs, one is critical (CVE-2015-9435, a cryptographically weak PRNG, fixed in 3.1.5) and one is high (CVE-2022-3926, CSRF, fixed in 4.3.0); a weak PRNG is particularly serious in a plugin whose job is to issue OAuth credentials. The vulnerability types on record (Open Redirect, Incorrect Authorization, CSRF, XSS, weak PRNG) point to recurring weaknesses in input validation, authorization logic and the choice of randomness source. That nothing is currently unpatched is positive, but the developer profile's average patch time of 715 days means a newly disclosed issue may stay exploitable for a long time, so deployments need their own monitoring and a plan to disable the plugin if a new advisory appears.
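Added example, not from the plugin or its advisories, illustrating the vulnerability class behind CVE-2015-9435: a token built from mt_rand() is reproducible from its seed, whereas random_bytes() draws from the operating system CSPRNG. It also shows the storage and comparison pattern that belongs with a properly generated bearer token. Plain PHP 7, runs without WordPress; the seed value and the function names are constructed for the illustration.

```php
<?php
// Added example (not oauth2-provider code). Weak versus CSPRNG-backed token
// generation, plus hashed storage and constant-time verification.

// Weak: mt_rand() is a Mersenne Twister. Its whole output stream is fixed by a
// 32-bit seed, so an attacker who guesses the seed (time() is a common one) or
// recovers the generator state from observed outputs can reproduce every
// token the server will issue. uniqid() has the same problem: it is a clock value.
function weak_token( int $seed ): string {
    mt_srand( $seed );                       // constructed stand-in for seeding from time()
    $chars = 'abcdefghijklmnopqrstuvwxyz0123456789';
    $out   = '';
    for ( $i = 0; $i < 40; $i++ ) {
        $out .= $chars[ mt_rand( 0, strlen( $chars ) - 1 ) ];
    }
    return $out;
}

// Strong: random_bytes() reads the OS CSPRNG and throws an Exception rather
// than silently falling back to a weaker source. 32 bytes gives 256 bits.
function strong_token( int $bytes = 32 ): string {
    return bin2hex( random_bytes( $bytes ) );
}

// Store only a digest of the token server-side, so a read of the token table
// (SQL injection, backup leak) does not hand out usable bearer tokens.
function token_digest( string $token ): string {
    return hash( 'sha256', $token );
}

// Compare with hash_equals() so response timing does not reveal how many
// leading bytes of a guessed token were correct.
function token_matches( string $presented, string $stored_digest ): bool {
    return hash_equals( $stored_digest, token_digest( $presented ) );
}

// Demonstration on constructed values.
$seed = 1700000000;                           // a plausible time() value
$a = weak_token( $seed );
$b = weak_token( $seed );
printf( "weak tokens from the same seed are identical: %s\n", $a === $b ? 'yes' : 'no' );

$c = strong_token();
$d = strong_token();
printf( "two CSPRNG tokens are identical: %s\n", $c === $d ? 'yes' : 'no' );

$issued = strong_token();
$stored = token_digest( $issued );            // the value that goes in the database
printf( "issued token verifies: %s\n", token_matches( $issued, $stored ) ? 'yes' : 'no' );
printf( "tampered token verifies: %s\n", token_matches( $issued . 'x', $stored ) ? 'yes' : 'no' );
```

The weak generator is reseeded inside the function to make the point visible in one run; in a real server the equivalent failure is a single process-wide seed that an attacker can guess or recover from a few issued tokens.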

Overall, the static analysis shows some sound development practices, such as prepared statements for most queries, but the plugin's past security record and the three taint flows without a sanitizer elevate its risk profile. Users should run 4.4.0 or later (4.5.0 is current), since 4.4.0 closes the most recent CVE, and should treat this plugin as one that security researchers and attackers continue to examine, which calls for a proactive security approach rather than relying on the vendor's patch cadence.

Key Concerns

  • History of 7 known CVEs
  • 1 critical CVE in history
  • 1 high CVE in history
  • 3 unsanitized path flows
  • 1 external HTTP request
  • 13% of SQL queries not prepared
  • 32% of output not properly escaped
  • Bundled library: Select2
Vulnerabilities
7

WP OAuth Server (OAuth Authentication) Security Vulnerabilities

CVEs by Year

2015: 1 CVE
2022: 2 CVEs
2023: 3 CVEs
2024: 1 CVE

All patched; none currently unpatched.

Severity Breakdown

Critical: 1
High: 1
Medium: 5

7 total CVEs

CVE-2024-31253 · medium · CVSS 5.4 · URL Redirection to Untrusted Site ('Open Redirect')

OAuth Server <= 4.3.3 - Open Redirect

Apr 5, 2024 · Patched in 4.4.0 (7d)

CVE-2022-4148 · medium · CVSS 4.3 · Incorrect Authorization

WP OAuth Server <= 4.2.5 - Authenticated (Subscriber+) Arbitrary Client Deletion (wo_ajax_remove_client)

Feb 21, 2023 · Patched in 4.3.0 (336d)

CVE-2022-3894 · medium · CVSS 6.5 · Cross-Site Request Forgery (CSRF)

WP OAuth Server <= 4.2.3 - Cross-Site Request Forgery to Arbitrary Post Deletion (wo_ajax_remove_client)

Feb 21, 2023 · Patched in 4.2.5 (336d)

WF-9fdc9d20-a1cf-4a58-b250-4f3f56b77b69-oauth2-provider (Wordfence identifier) · medium · CVSS 5.4 · Cross-Site Request Forgery (CSRF)

WP OAuth Server (OAuth Authentication) <= 4.2.5 - Cross-Site Request Forgery

Jan 26, 2023 · Patched in 4.3.0 (362d)

CVE-2022-3926 · high · CVSS 8.8 · Cross-Site Request Forgery (CSRF)

WP OAuth Server (OAuth Authentication) <= 4.2.5 - Cross-Site Request Forgery

Nov 10, 2022 · Patched in 4.3.0 (439d)

CVE-2022-3892 · medium · CVSS 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP OAuth Server (OAuth Authentication) <= 4.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Nov 8, 2022 · Patched in 4.2.2 (441d)

CVE-2015-9435 · critical · CVSS 9.8 · Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

WP OAuth Server (OAuth Authentication) < 3.1.5 - Pseudorandom Number Generation

Aug 12, 2015 · Patched in 3.1.5 (3086d)
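Added stand-alone example of the checks behind an open-redirect fix of the kind CVE-2024-31253 above required; it is not the plugin's code, and inside WordPress the right tool is wp_validate_redirect() or wp_safe_redirect(), which perform this class of validation against the site's own host and the allowed_redirect_hosts filter. The function name, the allow-listed hosts and the test URLs are constructed for the illustration.

```php
<?php
// Added example (not oauth2-provider code). Validates a client-supplied
// redirect target against an allow-list of hosts. Plain PHP 7, no WordPress.

function example_is_safe_redirect( string $target, array $allowed_hosts ): bool {
    // Control characters and whitespace: some parsers strip them, browsers
    // may not, and CR/LF in a Location header is header injection.
    if ( preg_match( '/[\x00-\x20\x7f]/', $target ) ) {
        return false;
    }
    // Browsers treat a backslash like a forward slash ("/\evil.example" is
    // scheme-relative to them); parse_url() does not, so reject it outright.
    if ( strpos( $target, '\\' ) !== false ) {
        return false;
    }
    $parts = parse_url( $target );
    if ( false === $parts ) {
        return false;
    }
    $scheme = isset( $parts['scheme'] ) ? strtolower( $parts['scheme'] ) : '';
    $host   = isset( $parts['host'] ) ? strtolower( $parts['host'] ) : '';

    // Site-relative path such as "/dashboard": no scheme and no host. A
    // scheme-relative "//evil.example" does not land here because parse_url()
    // reports a host for it.
    if ( '' === $scheme && '' === $host ) {
        return isset( $parts['path'][0] ) && '/' === $parts['path'][0];
    }
    // Absolute URL: https only, no userinfo trick
    // ("https://app.example@evil.example" has host evil.example), and the host
    // must match the allow-list exactly (no suffix matching, which
    // "app.example.attacker.tld" would defeat).
    if ( 'https' !== $scheme || isset( $parts['user'] ) || isset( $parts['pass'] ) ) {
        return false;
    }
    return in_array( $host, $allowed_hosts, true );
}

// Constructed allow-list and test cases; each expected verdict is in the value.
$allowed = array( 'app.example', 'sso.example' );
$cases   = array(
    '/wp-admin/'                          => true,
    'https://app.example/callback'        => true,
    'https://evil.example/'               => false,
    '//evil.example/'                     => false,
    '/\\evil.example/'                    => false,
    'https://app.example@evil.example/'   => false,
    'http://app.example/callback'         => false,
    'javascript:alert(1)'                 => false,
    "https://app.example/\r\nLocation: x" => false,
);
foreach ( $cases as $url => $expected ) {
    $got = example_is_safe_redirect( $url, $allowed );
    printf( "%-40s %s\n", addcslashes( $url, "\r\n" ), $got === $expected ? 'ok' : 'MISMATCH' );
}
```

An OAuth server has a second, stricter variant of this problem: the redirect_uri of an authorization request should be compared byte-for-byte against the URI registered for that client, not merely checked against a host allow-list, since an attacker who can choose any path on an allowed host can often find an endpoint that leaks the authorization code.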
Code Analysis
Analyzed Mar 16, 2026

WP OAuth Server (OAuth Authentication) Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 15 (101 prepared)
Unescaped Output: 28 (60 escaped)
Nonce Checks: 8
Capability Checks: 7
File Operations: 10
External Requests: 1
Bundled Libraries: 1

Bundled Libraries

Select2

SQL Query Safety

87% prepared (101 of 116 total queries)

Output Escaping

68% escaped (60 of 88 total outputs)
Data Flows
3 unsanitized

Data Flow Analysis

6 flows, 3 with unsanitized paths (user input reaching a sink with no sanitizer in between)

wpoauth_method_destroy (includes\filters.php:158)
Attack Surface

WP OAuth Server (OAuth Authentication) Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 30

action: password_reset (includes\actions.php:25)
action: profile_update (includes\actions.php:43)
action: wo_set_access_token (includes\actions.php:75)
action: login_init (includes\actions.php:81)
action: admin_post_wpoauth_regenerate_certificates (includes\actions.php:103)
action: show_user_profile (includes\admin\profile.php:8)
action: edit_user_profile (includes\admin\profile.php:9)
action: user_profile_update_errors (includes\admin\profile.php:56)
action: admin_init (includes\admin-options.php:23)
action: admin_menu (includes\admin-options.php:24)
action: wpo_global_cleanup (includes\cron.php:9)
filter: WO_API_Errors (includes\filters.php:30)
filter: wo_endpoints (includes\filters.php:56)
filter: rest_index (includes\filters.php:343)
action: init (includes\functions.php:24)
action: wo_daily_tasks_hook (includes\functions.php:640)
filter: wo_development (includes\functions.php:646)
filter: wp_privacy_personal_data_erasers (includes\wo-personal-data-gpdr.php:16)
filter: rest_authentication_errors (wp-oauth-main.php:78)
filter: determine_current_user (wp-oauth-main.php:79)
action: init (wp-oauth-main.php:81)
action: admin_init (wp-oauth-main.php:84)
action: plugins_loaded (wp-oauth-server.php:25)
action: admin_enqueue_scripts (wp-oauth-server.php:63)
action: admin_notices (wp-oauth-server.php:68)
action: admin_post_wpoauth_dismiss_permalink_notice (wp-oauth-server.php:69)
action: admin_post_wpoauth_remind_permalink_notice (wp-oauth-server.php:70)
action: update_option_permalink_structure (wp-oauth-server.php:71)
action: init (wp-oauth-server.php:166)
filter: template_include (wp-oauth-server.php:201)

Scheduled Events: 1

wpo_global_cleanup
Maintenance & Trust

WP OAuth Server (OAuth Authentication) Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.0
Last updated: Jan 24, 2026
PHP min version: 7.4
Downloads: 174K

Community Trust

Rating: 76/100
Number of ratings: 41
Active installs: 3K
Developer Profile

WP OAuth Server (OAuth Authentication) Developer Profile

Jayson T Cote

1 plugin · 3K total installs

Trust score: 73
Avg Security Score: 92/100
Avg Patch Time: 715 days
Detection Fingerprints

How We Detect WP OAuth Server (OAuth Authentication)

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/oauth2-provider/assets/css/admin.css
/wp-content/plugins/oauth2-provider/assets/css/select2.min.css
/wp-content/plugins/oauth2-provider/assets/js/admin.js
/wp-content/plugins/oauth2-provider/assets/js/chosen.js
/wp-content/plugins/oauth2-provider/assets/js/select2.min.js
Script Paths
/wp-content/plugins/oauth2-provider/assets/js/select2.min.js
/wp-content/plugins/oauth2-provider/assets/js/chosen.js
/wp-content/plugins/oauth2-provider/assets/js/admin.js

HTML / DOM Fingerprints

CSS Classes
wo-admin-css-class
HTML Comments
<!-- Server Status -->
Data Attributes
data-wo-admin
JS Globals
window.wo_admin_select2
window.wo_admin_chosen
window.wo_admin
FAQ

Frequently Asked Questions about WP OAuth Server (OAuth Authentication)