WP-Safety

QQWorld通行证 / QQWorld Passport Security & Risk Analysis

wordpress.org/plugins/qqworld-passport

QQWorld通行证,支持多种第三方登录,目前支持QQ,微信和微博。尤其是支持多个网站使用同一个微信服务号oauth2登录。

10 active installs v1.2.1 PHP + WP 3.5+ Updated Oct 10, 2020
loginoauth2qq
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is QQWorld通行证 / QQWorld Passport Safe to Use in 2026?

Generally Safe

Score 85/100

QQWorld通行证 / QQWorld Passport has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 5yr ago
Risk Assessment

The "qqworld-passport" plugin, version 1.2.1, exhibits a mixed security posture. On the surface, the plugin presents a very small attack surface with no identified AJAX handlers, REST API routes, shortcodes, or cron events. Furthermore, there are no reported historical vulnerabilities (CVEs) associated with this plugin, which is generally a positive indicator. However, the static analysis reveals significant underlying code quality concerns that overshadow the apparent lack of external entry points.

The plugin's code signals are alarming. A single SQL query is present, and it is not using prepared statements, posing a risk of SQL injection if user-controlled data is incorporated into this query. More critically, only 3% of the 144 output operations are properly escaped, indicating a widespread Cross-Site Scripting (XSS) vulnerability risk across multiple output points. The taint analysis identified two flows with unsanitized paths, further reinforcing the XSS concerns. The complete absence of nonce and capability checks on any identified entry points (even if the count is zero) means that if any were to be introduced or discovered in the future, they would be inherently insecure.

While the lack of historical vulnerabilities is good, it could also simply mean the plugin hasn't been extensively audited or exploited yet. The significant number of unescaped outputs and the raw SQL query represent substantial, readily exploitable weaknesses that require immediate attention. The absence of any detected entry points does not negate the risks posed by the insecure coding practices within the plugin itself.

Key Concerns

  • Raw SQL queries without prepared statements
  • Low percentage of properly escaped output
  • Taint flows with unsanitized paths
  • No nonce checks detected
  • No capability checks detected
Vulnerabilities
None known

QQWorld通行证 / QQWorld Passport Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

QQWorld通行证 / QQWorld Passport Code Analysis

Dangerous Functions
0
Raw SQL Queries
1
0 prepared
Unescaped Output
140
4 escaped
Nonce Checks
0
Capability Checks
0
File Operations
5
External Requests
1
Bundled Libraries
0

SQL Query Safety

0% prepared1 total queries

Output Escaping

3% escaped144 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

2 flows2 with unsanitized paths
profile_form (modules\alipay\init.php:40)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

QQWorld通行证 / QQWorld Passport Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 61
actionadmin_menumodules\alipay\init.php:16
actionqqworld_passport_login_form_buttonsmodules\alipay\init.php:18
actionqqworld_passport_social_media_account_profile_formmodules\alipay\init.php:19
actionadmin_menumodules\baidu\init.php:14
actionqqworld_passport_login_form_buttonsmodules\baidu\init.php:16
actionqqworld_passport_social_media_account_profile_formmodules\baidu\init.php:17
filterqqworld-passport-openidsmodules\baidu\init.php:20
actionadmin_menumodules\facebook\init.php:14
actionqqworld_passport_login_form_buttonsmodules\facebook\init.php:16
actionqqworld_passport_social_media_account_profile_formmodules\facebook\init.php:17
filterqqworld-passport-openidsmodules\facebook\init.php:20
actionadmin_menumodules\google\init.php:14
actionqqworld_passport_login_form_buttonsmodules\google\init.php:16
actionqqworld_passport_social_media_account_profile_formmodules\google\init.php:17
filterqqworld-passport-openidsmodules\google\init.php:20
actionadmin_menumodules\line\init.php:14
actionqqworld_passport_login_form_buttonsmodules\line\init.php:16
actionqqworld_passport_social_media_account_profile_formmodules\line\init.php:17
actionadmin_menumodules\qq\init.php:14
actionqqworld_passport_login_form_buttonsmodules\qq\init.php:16
actionqqworld_passport_social_media_account_profile_formmodules\qq\init.php:17
filterqqworld-passport-openidsmodules\qq\init.php:20
actionadmin_menumodules\taobao\init.php:14
actionqqworld_passport_login_form_buttonsmodules\taobao\init.php:16
actionqqworld_passport_social_media_account_profile_formmodules\taobao\init.php:17
actionadmin_menumodules\twitter\init.php:14
actionqqworld_passport_login_form_buttonsmodules\twitter\init.php:16
actionqqworld_passport_social_media_account_profile_formmodules\twitter\init.php:17
filterqqworld-passport-openidsmodules\twitter\init.php:20
actionadmin_menumodules\wechat\init.php:106
actionqqworld_passport_login_form_buttonsmodules\wechat\init.php:108
actionqqworld_passport_social_media_account_profile_formmodules\wechat\init.php:109
filterqqworld-passport-openidsmodules\wechat\init.php:112
actionadmin_menumodules\weibo\init.php:14
actionqqworld_passport_login_form_buttonsmodules\weibo\init.php:16
actionqqworld_passport_social_media_account_profile_formmodules\weibo\init.php:17
filterqqworld-passport-openidsmodules\weibo\init.php:20
actionadmin_menumodules\xiaomi\init.php:14
actionqqworld_passport_login_form_buttonsmodules\xiaomi\init.php:16
actionqqworld_passport_social_media_account_profile_formmodules\xiaomi\init.php:17
filterqqworld-passport-openidsmodules\xiaomi\init.php:20
actionplugins_loadedqqworld-passport.php:55
actionadmin_menuqqworld-passport.php:56
filterplugin_action_linksqqworld-passport.php:57
actionadmin_enqueue_scriptsqqworld-passport.php:58
actionadmin_initqqworld-passport.php:59
actionplugins_loadedqqworld-passport.php:61
actionum_after_formqqworld-passport.php:64
actionlogin_formqqworld-passport.php:65
actionwoocommerce_login_form_endqqworld-passport.php:66
filterlogin_form_middleqqworld-passport.php:67
actionrest_api_initqqworld-passport.php:68
actionafter_setup_themeqqworld-passport.php:69
filterget_avatarqqworld-passport.php:70
actionshow_user_profileqqworld-passport.php:72
filtermanage_users_columnsqqworld-passport.php:75
filtermanage_users_custom_columnqqworld-passport.php:76
actionqqworld_passport_additional_form_settingsqqworld-passport.php:78
actionqqworld_passport_additional_form_settingsqqworld-passport.php:79
actionqqworld-passportqqworld-passport.php:81
actionbinding_social_media_accountqqworld-passport.php:82
Maintenance & Trust

QQWorld通行证 / QQWorld Passport Maintenance & Trust

Maintenance Signals

WordPress version tested5.5.18
Last updatedOct 10, 2020
PHP min version
Downloads11K

Community Trust

Rating94/100
Number of ratings3
Active installs10
Alternatives

QQWorld通行证 / QQWorld Passport Alternatives

[凹凸曼]一键QQ登录

[凹凸曼]一键QQ登录

apoyl-qq

A
100

这是一款实现QQ互联一键登录网站,让用户不在繁琐去注册用户,一键实现QQ登录,极大的方便用户登录网站.

10 No CVEs
OpenID Connect Generic Client

OpenID Connect Generic Client

daggerhart-openid-connect-generic

A
98

A simple client that provides SSO or opt-in authentication against a generic OAuth2 Server implementation.

10K 2 CVEs
WP OAuth Server ( Login with WordPress )

WP OAuth Server ( Login with WordPress )

miniorange-oauth-20-server

A
98

Single Sign-On using WordPress - Login with WordPress to your application/sites using your WordPress account. [24/7 Support]

900 1 CVE
Lana Single Sign On

Lana Single Sign On

lana-sso

A
100

Creates the ability to login using Single Sign On via OAuth 2.0

20 No CVEs
Hellō Login

Hellō Login

hello-login

A
85

Free and simple to setup plugin provides registration and login with the Hellō Wallet. Users choose from popular social login, email, or phone.

10 No CVEs
Developer Profile

QQWorld通行证 / QQWorld Passport Developer Profile

Michael Wang

8 plugins · 660 total installs

85
trust score
Avg Security Score
87/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect QQWorld通行证 / QQWorld Passport

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/qqworld-passport/asset/css/qqworld-passport.css/wp-content/plugins/qqworld-passport/asset/js/qqworld-passport.js/wp-content/plugins/qqworld-passport/asset/js/wxshare.js/wp-content/plugins/qqworld-passport/asset/js/qqlogin.js
Script Paths
/wp-content/plugins/qqworld-passport/asset/js/qqworld-passport.js/wp-content/plugins/qqworld-passport/asset/js/wxshare.js/wp-content/plugins/qqworld-passport/asset/js/qqlogin.js
Version Parameters
qqworld-passport/asset/css/qqworld-passport.css?ver=qqworld-passport/asset/js/qqworld-passport.js?ver=qqworld-passport/asset/js/wxshare.js?ver=qqworld-passport/asset/js/qqlogin.js?ver=

HTML / DOM Fingerprints

CSS Classes
qqworld-passport-login-error
HTML Comments
<!-- QQWorld Passport for Wordpress, Many Oauth 2.0 log in methods. --><!-- QQWorld Synchronizer is a component for QQWorld Passport. --><!-- QQWorld Mobile is a component for QQWorld Passport, The featured such as Phone Nubmber Register and Sms Group Sends. -->
Data Attributes
id="qqworld-synchronizer-container"id="qqworld-mobile-container"class="extension commercial"class="attr pay"class="extension-image"class="extension-label"+2 more
JS Globals
qqworld_passport_login_errorqqworld_passport_redirect
REST Endpoints
/wp-json/qqworld-passport/v1/oauth2
FAQ

Frequently Asked Questions about QQWorld通行证 / QQWorld Passport