PasswordleSSI Security & Risk Analysis

wordpress.org/plugins/passwordlessi

This plugin allows passwordless login for WordPress using SSI as a decentralized technology. Sideos has deployed a proxy service for you to use with y …

0 active installs · v1.0.0 · PHP 5.6+ · WP 6.0+ · Updated Mar 1, 2023
Tags: authentication, login, passwordless, qrcode-login, ssi
Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is PasswordleSSI Safe to Use in 2026?

Generally Safe

Score 85/100

PasswordleSSI has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 3yr ago
Risk Assessment

The "passwordlessi" v1.0.0 plugin exhibits a concerning security posture due to a significant portion of its entry points lacking proper authentication and authorization checks. All identified AJAX handlers and REST API routes are unprotected, exposing them to potential unauthorized access and manipulation. While the code signals indicate no dangerous functions or SQL injection vulnerabilities, and SQL queries are prepared, the lack of output escaping in a significant percentage of outputs (72%) is a weakness that could lead to cross-site scripting (XSS) vulnerabilities. The absence of nonce checks on AJAX handlers is a direct invitation for CSRF attacks.

The plugin has no recorded vulnerability history, which is a positive indicator, suggesting a lack of past exploitable issues. However, this does not negate the immediate risks identified in the static analysis. The plugin's strengths lie in its use of prepared statements for SQL and the absence of dangerous functions. The major weaknesses are the unprotected attack surface and insufficient output escaping.

Key Concerns

  • AJAX handlers without auth checks
  • REST API routes without permission callbacks
  • Low output escaping rate
  • No nonce checks on AJAX handlers
Vulnerabilities
None known

PasswordleSSI Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

PasswordleSSI Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 13 (5 escaped)
  • Nonce Checks: 0
  • Capability Checks: 2
  • File Operations: 0
  • External Requests: 2
  • Bundled Libraries: 0

Output Escaping

28% escaped · 18 total outputs
Attack Surface
4 unprotected

PasswordleSSI Attack Surface

Entry Points: 4
Unprotected: 4

AJAX Handlers 3

  • auth · wp_ajax_username_login · classes\loginaction.php:61
  • nopriv · wp_ajax_username_login · classes\loginaction.php:62
  • auth · wp_ajax_send_credential · classes\sendaction.php:46

REST API Routes 1

  • POST · /wp-json/sideos-ssi/v1/enable · classes\restapi.php:21

WordPress Hooks 12

  • action · show_user_profile · classes\adminui.php:27
  • action · edit_user_profile · classes\adminui.php:28
  • action · personal_options_update · classes\adminui.php:29
  • action · edit_user_profile_update · classes\adminui.php:30
  • action · login_form · classes\loginform.php:27
  • action · admin_menu · classes\options.php:230
  • action · admin_init · classes\options.php:231
  • action · rest_api_init · classes\restapi.php:20
  • action · admin_enqueue_scripts · enqueue.php:44
  • action · wp_enqueue_scripts · enqueue.php:45
  • action · login_enqueue_scripts · enqueue.php:46
  • action · login_init · sideoslogin.php:32
Maintenance & Trust

PasswordleSSI Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.1.10
Last updated: Mar 1, 2023
PHP min version: 5.6
Downloads: 630

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 0
Developer Profile

PasswordleSSI Developer Profile

sideosgmbh

1 plugin · 0 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect PasswordleSSI

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/passwordlessi/scripts/utility.js
  • /wp-content/plugins/passwordlessi/styles/ssilogin.css
  • /wp-content/plugins/passwordlessi/scripts/qrcode.js
  • /wp-content/plugins/passwordlessi/scripts/ssilogin.js
Script Paths
  • /wp-content/plugins/passwordlessi/scripts/utility.js
  • /wp-content/plugins/passwordlessi/scripts/qrcode.js
  • /wp-content/plugins/passwordlessi/scripts/ssilogin.js

HTML / DOM Fingerprints

CSS Classes
ssilogin-qrcode
HTML Comments
  • SSI Passwordless Login powered by Sideos
  • BEGIN ---DISABLE POST SUBMIT TO AVOID BRUTE FORCE ATTACK
  • If you selected the option to disable the username/password form, you can re-enable it by calling the rest API endpoint using the SSI token in the X-Token header parameter.
  • END ---DISABLE POST SUBMIT TO AVOID BRUCE FORCE ATTACK
  • (+10 more)
Data Attributes
  • data-sideos-url
  • data-challenge
  • data-token
JS Globals
SIDEOS
REST Endpoints
/sideos-ssi/v1/enable