WP-Safety

Passwordless Login Security & Risk Analysis

wordpress.org/plugins/passwordless-login

Passwordless login form via a simple to use shortcode: [passwordless-login]

1K active installs v1.1.4 PHP + WP 3.9+ Updated Feb 2, 2026
custom-login-formfront-end-loginlogin-shortcodepasswordlesspasswordless-login
100
A · Safe
CVEs total1
Unpatched0
Last CVEMar 18, 2024
Plugin page Download
Safety Verdict

Is Passwordless Login Safe to Use in 2026?

Generally Safe

Score 100/100

Passwordless Login has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVELast CVE: Mar 18, 2024Updated 2mo ago
Risk Assessment

The "passwordless-login" v1.1.4 plugin exhibits a generally good security posture, with no unprotected entry points identified in the static analysis and all SQL queries utilizing prepared statements. The code demonstrates a focus on security by implementing nonce and capability checks. However, a significant concern arises from the taint analysis, which reveals one flow with an unsanitized path. While the severity of this specific flow is not classified as critical or high, it represents a potential avenue for malicious input to be processed without adequate sanitization, which could lead to unexpected behavior or security vulnerabilities.

The plugin's vulnerability history shows one known CVE, classified as medium severity, related to Cross-Site Scripting. The fact that this vulnerability is no longer present in the analyzed version is positive, but the existence of past XSS issues suggests a potential area of weakness that may require ongoing vigilance. While the plugin demonstrates strengths in its secure handling of database queries and entry points, the presence of an unsanitized path in the taint analysis and a history of XSS vulnerabilities warrant careful consideration. The overall risk is moderate, with the unsanitized path being the primary current concern that needs further investigation.

Key Concerns

  • Flow with unsanitized path detected
  • Past medium severity XSS vulnerability
Vulnerabilities
1

Passwordless Login Security Vulnerabilities

CVEs by Year

1 CVE in 2024
2024
Patched Has unpatched

Severity Breakdown

Medium
1

1 total CVE

CVE-2024-29143medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Passwordless Login <= 1.1.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Mar 18, 2024 Patched in 1.1.3 (5d)
Code Analysis
Analyzed Mar 16, 2026

Passwordless Login Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
5
25 escaped
Nonce Checks
3
Capability Checks
1
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

83% escaped30 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

3 flows1 with unsanitized paths
wpa_front_end_login (passwordless_login.php:146)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Passwordless Login Attack Surface

Entry Points1
Unprotected0

Shortcodes 1

[passwordless-login] passwordless_login.php:215
WordPress Hooks 11
actionadmin_noticesinc\wpa.class.notices.php:27
actionadmin_initinc\wpa.class.notices.php:28
actioninitpasswordless_login.php:51
actionadmin_menupasswordless_login.php:64
actionadmin_enqueue_scriptspasswordless_login.php:122
actionwp_print_stylespasswordless_login.php:137
filterwidget_textpasswordless_login.php:217
actioninitpasswordless_login.php:264
filterwp_mail_content_typepasswordless_login.php:294
actioninitpasswordless_login.php:347
actionadmin_initpasswordless_login.php:475
Maintenance & Trust

Passwordless Login Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedFeb 2, 2026
PHP min version
Downloads31K

Community Trust

Rating100/100
Number of ratings10
Active installs1K
Alternatives

Passwordless Login Alternatives

Login Links – Passwordless Login, Temporary Access Links & Custom Login Form

Login Links – Passwordless Login, Temporary Access Links & Custom Login Form

login-links

A
100

Create secure self-expiring login links for temporary access and guest users, and enable passwordless login for registered ones.

40 No CVEs
Temporary Login Without Password

Temporary Login Without Password

temporary-login-without-password

A
100

Create self-expiring, temporary admin accounts. Easily share direct login links (no need for username/password) with your developers or editors.

100K 1 CVE
Temporary Login

Temporary Login

temporary-login

A
92

Create a secure, temporary URL for easy access to your WP admin.

40K No CVEs
User Verification by PickPlugins

User Verification by PickPlugins

user-verification

A
88

Email verification for user registration to protect spam.

5K 2 CVEs
Magic Login – Passwordless Authentication for WordPress – Login Without Password

Magic Login – Passwordless Authentication for WordPress – Login Without Password

magic-login

A
100

Passwordless login for WordPress. Streamline the login process by sending magic links to your users.

2K No CVEs
Developer Profile

Passwordless Login Developer Profile

madalin.ungureanu

3 plugins · 14K total installs

79
trust score
Avg Security Score
100/100
Avg Patch Time
269 days
View full developer profile
Detection Fingerprints

How We Detect Passwordless Login

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/passwordless-login/assets/style-back-end.css/wp-content/plugins/passwordless-login/assets/style-front-end.css
Version Parameters
passwordless-login/assets/style-back-end.css?ver=passwordless-login/assets/style-front-end.css?ver=

HTML / DOM Fingerprints

CSS Classes
wpa-wrapwpa-info-wrapwpa-badgewpa-info-textwpa-rowwpa-2-colwpa-calloutwpa-3-col+4 more
Data Attributes
data-target
JS Globals
PASSWORDLESS_LOGIN_VERSION
Shortcode Output
[passwordless-login]
FAQ

Frequently Asked Questions about Passwordless Login