Does Passwordless have any unpatched vulnerabilities?

No. All known vulnerabilities in Passwordless have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Passwordless compatible with WordPress 3.9.40?

According to WordPress.org data, Passwordless 1.0 has been tested up to WordPress 3.9.40. Check the plugin's changelog for the latest compatibility information.

How often is Passwordless updated?

Passwordless was last updated on May 1, 2014. Frequent updates are generally a positive security signal.

What is Passwordless's security score?

Passwordless has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Passwordless Security & Risk Analysis

wordpress.org/plugins/passwordless

Passwordless allows users to sign up and log in using only email addresses, removing the need for them to remember yet another password.

10 active installs v1.0 PHP + WP 3.4+ Updated May 1, 2014

loginpasswordlesssignup

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is Passwordless Safe to Use in 2026?

Generally Safe

Score 85/100

Passwordless has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 11yr ago

Risk Assessment

The "passwordless" plugin v1.0 presents a generally positive security posture based on static analysis. The absence of any AJAX handlers, REST API routes, shortcodes, or cron events with unprotected entry points, combined with zero dangerous functions and no external HTTP requests, significantly limits the plugin's attack surface. The use of prepared statements for all SQL queries and the presence of nonce checks are also strong indicators of good development practices. However, a notable concern arises from the taint analysis, which identified one flow with an unsanitized path. While not classified as critical or high severity in this analysis, unsanitized paths can still lead to vulnerabilities if user input is not properly validated and sanitized before being used in sensitive operations. The plugin's vulnerability history is clean, with no recorded CVEs, which is a positive sign. This, coupled with the limited attack surface, suggests a relatively safe plugin. The primary area for improvement lies in thoroughly investigating and sanitizing the identified unsanitized path flow to eliminate any potential risk.

Key Concerns

Flow with unsanitized path detected
67% of output escaping is not properly escaped

Vulnerabilities

None known

Passwordless Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 17, 2026

Passwordless Code Analysis

Dangerous Functions

Raw SQL Queries

2 prepared

Unescaped Output

14 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

100% prepared2 total queries

Output Escaping

67% escaped21 total outputs

Data Flows

1 unsanitized

Data Flow Analysis

3 flows1 with unsanitized paths

initialize (passwordless.php:69)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

Passwordless Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 8

actionlogin_headlogin.php:12

actiontemplate_redirectpasswordless.php:89

actionsite_urlpasswordless.php:121

filtershow_password_fieldspasswordless.php:125

filterpre_user_display_namepasswordless.php:256

filterpre_user_nicknamepasswordless.php:257

filtersanitize_userpasswordless.php:258

filterauth_cookie_expirationpasswordless.php:333

Maintenance & Trust

Passwordless Maintenance & Trust

Maintenance Signals

WordPress version tested3.9.40

Last updatedMay 1, 2014

PHP min version

Downloads2K

Community Trust

Rating100/100

Number of ratings1

Active installs10

Alternatives

Passwordless Alternatives

Temporary Login Without Password

temporary-login-without-password

100

Create self-expiring, temporary admin accounts. Easily share direct login links (no need for username/password) with your developers or editors.

100K 1 CVE

Login & Register Customizer – Popup | Slider | Inline | WooCommerce

easy-login-woocommerce

Replace your old login/registration form with an interactive popup & inline form design

40K 6 CVEs

Temporary Login

temporary-login

Create a secure, temporary URL for easy access to your WP admin.

40K No CVEs

User Verification by PickPlugins

user-verification

Email verification for user registration to protect spam.

5K 3 CVEs

Magic Login – Passwordless Authentication for WordPress – Login Without Password

magic-login

100

Passwordless login for WordPress. Streamline the login process by sending magic links to your users.

2K No CVEs

Developer Profile

Passwordless Developer Profile

Jafran Hasan

3 plugins · 50 total installs

trust score

Avg Security Score

90/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect Passwordless

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/passwordless/css/login.css/wp-content/plugins/passwordless/js/login.js

Script Paths

/wp-content/plugins/passwordless/js/login.js

Version Parameters

passwordless/css/login.css?ver=passwordless/js/login.js?ver=

HTML / DOM Fingerprints

CSS Classes

passwordless-loginpasswordless-logopasswordless-field

HTML Comments

Data Attributes

data-plugin-name="passwordless"data-plugin-version="1.0"

JS Globals

passwordless_ajax_urlpasswordless_nonce

FAQ