Does Passwords Evolved have any unpatched vulnerabilities?

No. All known vulnerabilities in Passwords Evolved have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Passwords Evolved compatible with WordPress 6.8.0?

According to WordPress.org data, Passwords Evolved 1.4.0 has been tested up to WordPress 6.8.0. Check the plugin's changelog for the latest compatibility information.

Is Passwords Evolved compatible with PHP 5.6+?

Passwords Evolved requires PHP 5.6 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Passwords Evolved updated?

Passwords Evolved was last updated on Mar 23, 2025. Frequent updates are generally a positive security signal.

What is Passwords Evolved's security score?

Passwords Evolved has a WP-Safety security score of 92/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Passwords Evolved Security & Risk Analysis

wordpress.org/plugins/passwords-evolved

A reimagining of WordPress authentication using modern security practices.

2K active installs v1.4.0 PHP 5.6+ WP 5.2+ Updated Mar 23, 2025

authenticationhave-i-been-pwnedpasswordsecurity

A · Safe

CVEs total0

Unpatched0

Last CVENever

Download

Safety Verdict

Is Passwords Evolved Safe to Use in 2026?

Generally Safe

Score 92/100

Passwords Evolved has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 1yr ago

Risk Assessment

The "passwords-evolved" plugin v1.4.0 exhibits a generally strong security posture based on the provided static analysis. The absence of any AJAX handlers, REST API routes, shortcodes, or cron events significantly limits the potential attack surface. Furthermore, the code signals indicate a positive approach to SQL security with 100% of queries using prepared statements. The presence of a nonce check is also a good practice. However, a significant concern is the complete lack of output escaping, meaning all seven identified outputs are vulnerable to Cross-Site Scripting (XSS) attacks. The taint analysis showing zero flows is positive, but it might be limited by the lack of identified entry points. The vulnerability history is clean, with no recorded CVEs, suggesting a track record of security. Despite the lack of known vulnerabilities and a limited attack surface, the unescaped output presents a clear and actionable risk that needs immediate attention.

Key Concerns

Output escaping missing

Vulnerabilities

None known

Passwords Evolved Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 16, 2026

Passwords Evolved Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

0 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

0% escaped7 total outputs

Attack Surface

Passwords Evolved Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 1

actionafter_setup_themepasswords-evolved.php:35

Maintenance & Trust

Passwords Evolved Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.0

Last updatedMar 23, 2025

PHP min version5.6

Downloads26K

Community Trust

Rating100/100

Number of ratings2

Active installs2K

Alternatives

Passwords Evolved Alternatives

Solid Security – Password, Two Factor Authentication, and Brute Force Protection

better-wp-security

Harden your site security with Login Security, Two-Factor Authentication (2FA), Vulnerability Scanner, Firewall, and more. Formerly iThemes Security.

700K 19 CVEs

Google Authenticator

google-authenticator

Google Authenticator for your WordPress blog.

20K 1 CVE

yubikey-plugin

woo-yubikey

Enhanced Login Security for Your Wordpress blog.

400 No CVEs

Biometric Authentication

biometric-authentication

Passkeys are a safer and easier alternative to passwords. Simply use your fingerprint or face ID to log in with ease.

100 No CVEs

Clear Logout

clear-logout

A tiny WordPress plugin to clear all browser data related to the site upon logout (With Clear-Site-Data header).

90 No CVEs

Developer Profile

Passwords Evolved Developer Profile

Carl Alexander

1 plugin · 2K total installs

trust score

Avg Security Score

92/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect Passwords Evolved

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/passwords-evolved/resources/css/admin.css/wp-content/plugins/passwords-evolved/resources/css/frontend.css/wp-content/plugins/passwords-evolved/resources/js/admin.js/wp-content/plugins/passwords-evolved/resources/js/frontend.js

Script Paths

/wp-content/plugins/passwords-evolved/resources/js/admin.js/wp-content/plugins/passwords-evolved/resources/js/frontend.js

Version Parameters

passwords-evolved/resources/css/admin.css?ver=passwords-evolved/resources/css/frontend.css?ver=passwords-evolved/resources/js/admin.js?ver=passwords-evolved/resources/js/frontend.js?ver=

HTML / DOM Fingerprints

JS Globals

passwords_evolved

FAQ