[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fo_FLR20MbOGIk0AUHVUvTPIMUv8rFmMIrvqmoElxBUs":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":24,"download_link":25,"security_score":26,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29,"vulnerabilities":30,"developer":31,"crawl_stats":28,"alternatives":37,"analysis":139,"fingerprints":177},"rest-api-for-relevanssi","REST API for Relevanssi","1.18","Sergiy Dzysyak","https:\u002F\u002Fprofiles.wordpress.org\u002Fdzysyak\u002F","\u003Cp>This plugin provides simple REST API for the popular search \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002F\" title=\"Your favorite blogging software\" rel=\"ugc\">WordPress\u003C\u002Fa> search engine – \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Frelevanssi\u002F\" title=\"A Better Search\" rel=\"ugc\">Relevanssi\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>As far as this plugin provides API for the Relevanssi plugin, it should be installed.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Key features\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Search through posts of a certain type. By default all types.\u003C\u002Fli>\n\u003Cli>Results in pagination and optional.\u003C\u002Fli>\n\u003Cli>Sets X-WP-Total header with a total number of records, the same way as the default search API does.\u003C\u002Fli>\n\u003Cli>Sets X-WP-TotalPages header with a total number of pages, the same way as the default search API does.\u003C\u002Fli>\n\u003Cli>Multilingual websites support. Both WPML and Polylang are supported, but not tested well, so let me know if you will find any problems.\u003C\u002Fli>\n\u003Cli>Taxonomy filters are supported now. 
Some features may be missed, so feel free to report them.\u003C\u002Fli>\n\u003Cli>Ordering option added. It is also possible to order by meta_key\u002Fmeta_value\u002Fmeta_value_num. \u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Brief usage examples\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>https:\u002F\u002F[your domain]\u002Fwp-json\u002Frelevanssi\u002Fv1\u002Fsearch?keyword=query\u003C\u002Fli>\n\u003Cli>https:\u002F\u002F[your domain]\u002Fwp-json\u002Frelevanssi\u002Fv1\u002Fsearch?keyword=query&per_page=5\u003C\u002Fli>\n\u003Cli>https:\u002F\u002F[your domain]\u002Fwp-json\u002Frelevanssi\u002Fv1\u002Fsearch?keyword=query&per_page=5&page=2\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cem>Define post type:\u003C\u002Fem>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>https:\u002F\u002F[your domain]\u002Fwp-json\u002Frelevanssi\u002Fv1\u002Fsearch?keyword=query&per_page=5&page=2&type=post\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cem>Filter by taxonomy\u002Ftaxonomies:\u003C\u002Fem>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>https:\u002F\u002F[your domain]\u002Fwp-json\u002Frelevanssi\u002Fv1\u002Fsearch?keyword=test&tax_query[0][taxonomy]=category&tax_query[0][field]=id&tax_query[0][terms]=3\u003C\u002Fli>\n\u003Cli>https:\u002F\u002F[your domain]\u002Fwp-json\u002Frelevanssi\u002Fv1\u002Fsearch?keyword=test&tax_query[relation]=AND&tax_query[0][taxonomy]=category&tax_query[0][field]=id&tax_query[0][terms]=3&tax_query[1][taxonomy]=category&tax_query[1][field]=id&tax_query[1][terms]=2\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cem>Exclude category via taxonomies:\u003C\u002Fem>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>https:\u002F\u002F[your domain]\u002Fwp-json\u002Frelevanssi\u002Fv1\u002Fsearch?keyword=test&tax_query[0][taxonomy]=category&tax_query[0][field]=id&tax_query[0][terms]=3&tax_query[0][operator]=NOT IN\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cem>For multilingual websites (WPML & 
Polylang):\u003C\u002Fem>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\n\u003Cp>https:\u002F\u002F[your domain]\u002Fwp-json\u002Frelevanssi\u002Fv1\u002Fsearch?keyword=query&lng=en\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Results in order:\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>https:\u002F\u002F[your domain]\u002Fwp-json\u002Frelevanssi\u002Fv1\u002Fsearch?keyword=test&type=post&orderby=modified&order=DESC\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>https:\u002F\u002F[your domain]\u002Fwp-json\u002Frelevanssi\u002Fv1\u002Fsearch?keyword=test&type=post&orderby=modified&order=ASC\u003C\u002Fli>\n\u003Cli>https:\u002F\u002F[your domain]\u002Fwp-json\u002Frelevanssi\u002Fv1\u002Fsearch?keyword=test&type=post&meta_key=some_key&orderby=meta_value|meta_value_num&order=ASC\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Demo website\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>You can try the plugin on our demo website http:\u002F\u002Fdemo.erlycoder.com\u002Fdemo1\u002F. For example, you can try the following request:\u003C\u002Fp>\n\u003Cp>\u003Cem>Basic:\u003C\u002Fem>\u003Cbr \u002F>\n\u003Ca href=\"http:\u002F\u002Fdemo.erlycoder.com\u002Fdemo1\u002Fwp-json\u002Frelevanssi\u002Fv1\u002Fsearch?keyword=test\" rel=\"nofollow ugc\">http:\u002F\u002Fdemo.erlycoder.com\u002Fdemo1\u002Fwp-json\u002Frelevanssi\u002Fv1\u002Fsearch?keyword=test\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>\u003Cem>Order posts by modification time:\u003C\u002Fem>\u003Cbr \u002F>\n\u003Ca href=\"http:\u002F\u002Fdemo.erlycoder.com\u002Fdemo1\u002Fwp-json\u002Frelevanssi\u002Fv1\u002Fsearch?keyword=test&type=post&orderby=modified&order=DESC\" rel=\"nofollow ugc\">http:\u002F\u002Fdemo.erlycoder.com\u002Fdemo1\u002Fwp-json\u002Frelevanssi\u002Fv1\u002Fsearch?keyword=test&type=post&orderby=modified&order=DESC\u003C\u002Fa>\u003Cbr \u002F>\n\u003Ca 
href=\"http:\u002F\u002Fdemo.erlycoder.com\u002Fdemo1\u002Fwp-json\u002Frelevanssi\u002Fv1\u002Fsearch?keyword=test&type=post&orderby=modified&order=ASC\" rel=\"nofollow ugc\">http:\u002F\u002Fdemo.erlycoder.com\u002Fdemo1\u002Fwp-json\u002Frelevanssi\u002Fv1\u002Fsearch?keyword=test&type=post&orderby=modified&order=ASC\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>\u003Cem>Filter posts by taxonomy (one single category):\u003C\u002Fem>\u003Cbr \u002F>\n\u003Ca href=\"http:\u002F\u002Fdemo.erlycoder.com\u002Fdemo1\u002Fwp-json\u002Frelevanssi\u002Fv1\u002Fsearch?keyword=test&tax_query[0][taxonomy]=category&tax_query[0][field]=id&tax_query[0][terms]=3\" rel=\"nofollow ugc\">http:\u002F\u002Fdemo.erlycoder.com\u002Fdemo1\u002Fwp-json\u002Frelevanssi\u002Fv1\u002Fsearch?keyword=test&tax_query[0][taxonomy]=category&tax_query[0][field]=id&tax_query[0][terms]=3\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>\u003Cem>Filter posts by taxonomy (exclude category):\u003C\u002Fem>\u003Cbr \u002F>\n[http:\u002F\u002Fdemo.erlycoder.com\u002Fdemo1\u002Fwp-json\u002Frelevanssi\u002Fv1\u002Fsearch?keyword=test&tax_query[0][taxonomy]=category&tax_query[0][field]=id&tax_query[0][terms]=3&tax_query[0][operator]=NOT IN](http:\u002F\u002Fdemo.erlycoder.com\u002Fdemo1\u002Fwp-json\u002Frelevanssi\u002Fv1\u002Fsearch?keyword=test&tax_query[0][taxonomy]=category&tax_query[0][field]=id&tax_query[0][terms]=3&tax_query[0][operator]=NOT IN)\u003C\u002Fp>\n","The plugin provides a REST API endpoint for the Relevanssi search 
plugin.",200,6685,100,3,"2023-05-14T22:03:00.000Z","6.2.9","4.6","5.6",[20,21,22,23],"api","relevanssi","rest-api","search","","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frest-api-for-relevanssi.zip",85,0,null,"2026-03-15T15:16:48.613Z",[],{"slug":32,"display_name":7,"profile_url":8,"plugin_count":33,"total_installs":11,"avg_security_score":34,"avg_patch_time_days":35,"trust_score":34,"computed_at":36},"dzysyak",4,80,30,"2026-04-04T14:00:09.457Z",[38,56,76,96,118],{"slug":39,"name":40,"version":41,"author":42,"author_profile":43,"description":44,"short_description":45,"active_installs":13,"downloaded":46,"rating":13,"num_ratings":33,"last_updated":47,"tested_up_to":48,"requires_at_least":49,"requires_php":24,"tags":50,"homepage":54,"download_link":55,"security_score":26,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29},"searchwp-api","SearchWP API","1.1.0","Josh Pollock","https:\u002F\u002Fprofiles.wordpress.org\u002Fshelob9\u002F","\u003Cp>Run advanced searches via the WordPress REST API and SearchWP.\u003C\u002Fp>\n\u003Cp>Adds an endpoint to the WordPress REST API for searching via \u003Ca href=\"https:\u002F\u002Fsearchwp.com\u002F\" rel=\"nofollow ugc\">SearchWP\u003C\u002Fa> — the best tool for improving the usefulness and performance of WordPress search.\u003C\u002Fp>\n\u003Cp>This plugin is a free plugin by \u003Ca href=\"https:\u002F\u002FCalderaWP.com\" rel=\"nofollow ugc\">CalderaWP\u003C\u002Fa>. 
It is not an official add-on for SearchWP.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Requires WordPress REST API (WP-API) 2.0-beta9 or later or WordPress 4.4 or later.\u003C\u002Fli>\n\u003Cli>Requires SearchWP Version 2.6 or later\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Technically will work without SearchWP, but queries will run through WP_Query.\u003C\u002Fp>\n\u003Ch3>Example Queries\u003C\u002Fh3>\n\u003Cp>For a complete list of possible queries, see: \u003Ca href=\"https:\u002F\u002Fcalderawp.com\u002Fdoc\u002Fsearchwp-api-queries\u002F\" rel=\"nofollow ugc\">https:\u002F\u002Fcalderawp.com\u002Fdoc\u002Fsearchwp-api-queries\u002F\u003C\u002Fa>\u003Cbr \u002F>\n* \u003Ccode>wp-json\u002Fswp_api\u002Fsearch?s=jedi&egnine=star-wars\u003C\u002Fcode>\u003Cbr \u002F>\n* \u003Ccode>wp-json\u002Fswp_api\u002Fsearch?&tax_query[field]=slug&tax_query[taxonomy]=categories&tax_query[terms]=1\u003C\u002Fcode>\u003Cbr \u002F>\n* \u003Ccode>wp-json\u002Fswp_api\u002Fsearch?meta_query[key]=jedi&meta_query[value]=luke&tax_query[compare]=IN\u003C\u002Fcode>\u003C\u002Fp>\n\u003Ch3>Does It Work With Version 1 of The REST API?\u003C\u002Fh3>\n\u003Cp>No, it does not.\u003C\u002Fp>\n\u003Ch3>I Installed It And Nothing Happened\u003C\u002Fh3>\n\u003Cp>You are probably using version 1 of the REST API, or have not updated SearchWP past 2.6.\u003C\u002Fp>\n\u003Ch3>How Shiny Is This Plugin?\u003C\u002Fh3>\n\u003Cp>Very shiny.\u003C\u002Fp>\n\u003Ch3>Version 1.1.0 – January, 2015\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Complex meta queries\u003C\u002Fli>\n\u003Cli>Fallback to WP_Query if not possible to use SearchWP\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Version 1.0.0 – July 6, 2015\u003C\u002Fh3>\n\u003Cp>Initial release\u003C\u002Fp>\n","Run advanced searches via the WordPress REST API and 
SearchWP.",14542,"2016-01-07T17:16:00.000Z","4.4.34","4.3.1",[51,22,23,52,53],"json","searchwp","wp-api","http:\u002F\u002FCalderaWP.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsearchwp-api.zip",{"slug":57,"name":58,"version":59,"author":60,"author_profile":61,"description":62,"short_description":63,"active_installs":64,"downloaded":65,"rating":35,"num_ratings":66,"last_updated":67,"tested_up_to":24,"requires_at_least":68,"requires_php":69,"tags":70,"homepage":73,"download_link":74,"security_score":75,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29},"woocommerce-legacy-rest-api","WooCommerce Legacy REST API","1.0.5","Automattic","https:\u002F\u002Fprofiles.wordpress.org\u002Fautomattic\u002F","\u003Cp>\u003Ca href=\"https:\u002F\u002Fdeveloper.woocommerce.com\u002F2023\u002F10\u002F03\u002Fthe-legacy-rest-api-will-move-to-a-dedicated-extension-in-woocommerce-9-0\u002F\" rel=\"nofollow ugc\">The Legacy REST API will no longer be part of WooCommerce as of version 9.0\u003C\u002Fa>. This plugin restores the full functionality of the removed Legacy REST API code in WooCommerce 9.0 and later versions.\u003C\u002Fp>\n\u003Cp>For all intents and purposes, having this plugin installed and active in WooCommerce 9.0 and newer versions is equivalent to enabling the Legacy REST API in WooCommerce 8.9 and older versions (via WooCommerce – Settings – Advanced – Legacy API). 
All the endpoints work the same way, and existing user keys also continue working.\u003C\u002Fp>\n\u003Cp>On the other hand, installing this plugin together with WooCommerce 8.9 or an older version is safe: the plugin detects that the Legacy REST API is still part of WooCommerce and doesn’t initialize itself as to not interfere with the built-in code.\u003C\u002Fp>\n\u003Cp>Please note that \u003Cstrong>the Legacy REST API is not compatible with \u003Ca href=\"https:\u002F\u002Fwoocommerce.com\u002Fdocument\u002Fhigh-performance-order-storage\u002F\" rel=\"nofollow ugc\">High-Performance Order Storage\u003C\u002Fa>\u003C\u002Fstrong>. Upgrading the code that relies on the Legacy REST API to use the current WooCommerce REST API instead is highly recommended.\u003C\u002Fp>\n","The WooCommerce Legacy REST API, which is now part of WooCommerce itself but will be removed in WooCommerce 9.0.",400000,2304709,27,"2025-01-23T18:59:00.000Z","6.2","7.4",[22,71,72],"woo","woocommerce","https:\u002F\u002Fgithub.com\u002Fwoocommerce\u002Fwoocommerce-legacy-rest-api","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoocommerce-legacy-rest-api.1.0.5.zip",92,{"slug":77,"name":78,"version":79,"author":80,"author_profile":81,"description":82,"short_description":83,"active_installs":84,"downloaded":85,"rating":86,"num_ratings":87,"last_updated":88,"tested_up_to":89,"requires_at_least":90,"requires_php":18,"tags":91,"homepage":94,"download_link":95,"security_score":26,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29},"disable-json-api","Disable REST API","1.8","Dave McHale","https:\u002F\u002Fprofiles.wordpress.org\u002Fdmchale\u002F","\u003Cp>The most comprehensive plugin for controlling access to the WordPress REST API!\u003C\u002Fp>\n\u003Cp>Works as a “set it and forget it” install. 
Just upload and activate, and the entire REST API will be inaccessible to your general site visitors.\u003C\u002Fp>\n\u003Cp>But if you do need to grant access to some endpoints, you can do that too. Go to the Settings page and you can quickly whitelist individual endpoints (or entire branches of endpoints) in the REST API.\u003C\u002Fp>\n\u003Cp>You can even do this on a per-user-role basis, so your unauthenticated users have one set of rules while WooCommerce customers have another while Subscribers and Editors and Admins all have their own. NOTE: Out of the box, all defined user roles will still be granted full access to the REST API until you choose to manage those settings.\u003C\u002Fp>\n\u003Cp>For most versions of WordPress, this plugin will return an authentication error if a user is not allowed to access an endpoint. For legacy support, WordPress 4.4, 4.5, and 4.6 use the provided \u003Ccode>rest_enabled\u003C\u002Fcode> filter to disable the entire REST API.\u003C\u002Fp>\n","Disable the use of the REST API on your website to site users. 
Now with User Role support!",90000,753897,96,38,"2023-09-14T00:26:00.000Z","6.3.8","4.9",[92,20,51,93,22],"admin","rest","http:\u002F\u002Fwww.binarytemplar.com\u002Fdisable-json-api","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdisable-json-api.zip",{"slug":97,"name":98,"version":99,"author":100,"author_profile":101,"description":102,"short_description":103,"active_installs":104,"downloaded":105,"rating":106,"num_ratings":107,"last_updated":108,"tested_up_to":109,"requires_at_least":110,"requires_php":111,"tags":112,"homepage":24,"download_link":115,"security_score":116,"vuln_count":14,"unpatched_count":27,"last_vuln_date":117,"fetched_at":29},"integromat-connector","Make Connector","1.6.6","Make","https:\u002F\u002Fprofiles.wordpress.org\u002Fintegromat\u002F","\u003Cp>\u003Ca href=\"https:\u002F\u002Fwww.make.com\u002Fen?utm_source=wordpress&utm_medium=partner&utm_campaign=wordpress-partner-make\" rel=\"nofollow ugc\">Make\u003C\u002Fa> is a visual platform that lets you design, build, and automate anything – from simple tasks to complex workflows – in minutes. With Make, you can send information between WordPress and thousands of apps to drive traffic and improve sales potential. 
It’s fast and easy to use, visually intuitive and requires zero coding expertise.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Here are some of the ways to use WordPress with Make:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Add new WordPress users to your CRM and marketing tools, like Salesforce, ActiveCampaign, or Mailchimp\u003C\u002Fli>\n\u003Cli>Create new WordPress posts from incoming webhook data, Google Forms responses, or FreeScout conversations\u003C\u002Fli>\n\u003Cli>Share your WordPress posts on Facebook, Pinterest, or other social media platforms\u003C\u002Fli>\n\u003Cli>Send a message about new WordPress posts to messaging apps, like Slack, Telegram, or Microsoft Teams\u003C\u002Fli>\n\u003Cli>Create database items from your WordPress posts in Notion, MySQL, or any other database app\u003C\u002Fli>\n\u003Cli>Or choose a \u003Ca href=\"https:\u002F\u002Fwww.make.com\u002Fen\u002Ftemplates?utm_source=wordpress&utm_medium=partner&utm_campaign=wordpress-partner-program\" rel=\"nofollow ugc\">template\u003C\u002Fa> to help you get started. \u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>How to get started:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.make.com\u002Fen\u002Fregister?utm_source=wordpress&utm_medium=partner&utm_campaign=wordpress-partner-program\" rel=\"nofollow ugc\">Sign up for Make\u003C\u002Fa>, and enjoy a free account forever. Or, choose a monthly or yearly plan with advanced features.\u003C\u002Fli>\n\u003Cli>Check \u003Ca href=\"https:\u002F\u002Fwww.make.com\u002Fen\u002Fhelp\u002Fapps\u002Fwebsite-building\u002Fwordpress#connecting-wordpress-to-make-968742?utm_source=wordpress&utm_medium=partner&utm_campaign=wordpress-partner-program\" rel=\"nofollow ugc\">Make’s documentation on how to connect WordPress\u003C\u002Fa>. 
\u003C\u002Fli>\n\u003Cli>Install the plugin, and \u003Ca href=\"https:\u002F\u002Fwww.make.com\u002Fen\u002Fintegrations\u002Fwordpress?utm_source=wordpress&utm_medium=partner&utm_campaign=wordpress-partner-program\" rel=\"nofollow ugc\">start building WordPress integrations on Make\u003C\u002Fa>.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Get help from \u003Ca href=\"https:\u002F\u002Fwww.make.com\u002Fen\u002Fticket?utm_source=wordpress&utm_medium=partner&utm_campaign=wordpress-partner-program\" rel=\"nofollow ugc\">Make’s Support\u003C\u002Fa> team.\u003Cbr \u002F>\nMake’s \u003Ca href=\"https:\u002F\u002Fwww.make.com\u002Fen\u002Fterms-and-conditions?utm_source=wordpress&utm_medium=partner&utm_campaign=wordpress-partner-make\" rel=\"nofollow ugc\">Terms of use\u003C\u002Fa> and \u003Ca href=\"https:\u002F\u002Fwww.make.com\u002Fen\u002Fprivacy-notice?utm_source=wordpress&utm_medium=partner&utm_campaign=wordpress-partner-make\" rel=\"nofollow ugc\">Privacy policy\u003C\u002Fa>.\u003C\u002Fp>\n","Make Connector. 
Make lets you design, build, and automate by connecting with WordPress in just a few clicks.",80000,472783,54,25,"2026-02-09T10:29:00.000Z","6.9.4","5.0","7.2",[20,113,114,93,22],"integromat","make","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fintegromat-connector.1.6.6.zip",94,"2025-09-03 21:08:50",{"slug":119,"name":120,"version":121,"author":122,"author_profile":123,"description":124,"short_description":125,"active_installs":126,"downloaded":127,"rating":128,"num_ratings":129,"last_updated":130,"tested_up_to":109,"requires_at_least":131,"requires_php":132,"tags":133,"homepage":137,"download_link":138,"security_score":13,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29},"jwt-authentication-for-wp-rest-api","JWT Authentication for WP REST API","1.5.0","tmeister","https:\u002F\u002Fprofiles.wordpress.org\u002Ftmeister\u002F","\u003Cp>This plugin seamlessly extends the WP REST API, enabling robust and secure authentication using JSON Web Tokens (JWT). 
It provides a straightforward way to authenticate users via the REST API, returning a standard JWT upon successful login.\u003C\u002Fp>\n\u003Ch3>Key features of this free version include:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Standard JWT Authentication:\u003C\u002Fstrong> Implements the industry-standard \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519\" rel=\"nofollow ugc\">RFC 7519\u003C\u002Fa> for secure claims representation.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Simple Endpoints:\u003C\u002Fstrong> Offers clear \u003Ccode>\u002Ftoken\u003C\u002Fcode> and \u003Ccode>\u002Ftoken\u002Fvalidate\u003C\u002Fcode> endpoints for generating and validating tokens.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Configurable Secret Key:\u003C\u002Fstrong> Define your unique secret key via \u003Ccode>wp-config.php\u003C\u002Fcode> for secure token signing.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Optional CORS Support:\u003C\u002Fstrong> Easily enable Cross-Origin Resource Sharing support via a \u003Ccode>wp-config.php\u003C\u002Fcode> constant.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Developer Hooks:\u003C\u002Fstrong> Provides filters (\u003Ccode>jwt_auth_expire\u003C\u002Fcode>, \u003Ccode>jwt_auth_token_before_sign\u003C\u002Fcode>, etc.) 
for customizing token behavior.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>JSON Web Tokens are an open, industry standard method for representing claims securely between two parties.\u003C\u002Fp>\n\u003Cp>For users requiring more advanced capabilities such as multiple signing algorithms (RS256, ES256), token refresh\u002Frevocation, UI-based configuration, or priority support, consider checking out \u003Cstrong>\u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=description_link_soft\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa>\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Support and Requests:\u003C\u002Fstrong> Please use \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FTmeister\u002Fwp-api-jwt-auth\u002Fissues\" rel=\"nofollow ugc\">GitHub Issues\u003C\u002Fa>. For priority support, consider upgrading to \u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=description_support_link\" rel=\"nofollow ugc\">PRO\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>REQUIREMENTS\u003C\u002Fh3>\n\u003Ch4>WP REST API V2\u003C\u002Fh4>\n\u003Cp>This plugin was conceived to extend the \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FWP-API\u002FWP-API\" rel=\"nofollow ugc\">WP REST API V2\u003C\u002Fa> plugin features and, of course, was built on top of it.\u003C\u002Fp>\n\u003Cp>So, to use the \u003Cstrong>wp-api-jwt-auth\u003C\u002Fstrong> you need to install and activate \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FWP-API\u002FWP-API\" rel=\"nofollow ugc\">WP REST API\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>PHP\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Minimum PHP version: 7.4.0\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>PHP HTTP Authorization Header Enable\u003C\u002Fh3>\n\u003Cp>Most shared hosting providers have disabled the \u003Cstrong>HTTP Authorization Header\u003C\u002Fstrong> by 
default.\u003C\u002Fp>\n\u003Cp>To enable this option you’ll need to edit your \u003Cstrong>.htaccess\u003C\u002Fstrong> file by adding the following:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>RewriteEngine on\nRewriteCond %{HTTP:Authorization} ^(.*)\nRewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>WPENGINE\u003C\u002Fh4>\n\u003Cp>For WPEngine hosting, you’ll need to edit your \u003Cstrong>.htaccess\u003C\u002Fstrong> file by adding the following:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>SetEnvIf Authorization \"(.*)\" HTTP_AUTHORIZATION=$1\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>See https:\u002F\u002Fgithub.com\u002FTmeister\u002Fwp-api-jwt-auth\u002Fissues\u002F1 for more details.\u003C\u002Fp>\n\u003Ch3>CONFIGURATION\u003C\u002Fh3>\n\u003Ch3>Configure the Secret Key\u003C\u002Fh3>\n\u003Cp>The JWT needs a \u003Cstrong>secret key\u003C\u002Fstrong> to sign the token. This \u003Cstrong>secret key\u003C\u002Fstrong> must be unique and never revealed.\u003C\u002Fp>\n\u003Cp>To add the \u003Cstrong>secret key\u003C\u002Fstrong>, edit your wp-config.php file and add a new constant called \u003Cstrong>JWT_AUTH_SECRET_KEY\u003C\u002Fstrong>:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('JWT_AUTH_SECRET_KEY', 'your-top-secret-key');\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>You can generate a secure key from: https:\u002F\u002Fapi.wordpress.org\u002Fsecret-key\u002F1.1\u002Fsalt\u002F\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Looking for easier configuration?\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=config_secret_key_link\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa> allows you to manage all settings through a simple admin UI.\u003C\u002Fp>\n\u003Ch3>Configure CORS Support\u003C\u002Fh3>\n\u003Cp>The \u003Cstrong>wp-api-jwt-auth\u003C\u002Fstrong> plugin has the option to activate \u003Ca 
href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FCross-origin_resource_sharing\" rel=\"nofollow ugc\">CORS\u003C\u002Fa> support.\u003C\u002Fp>\n\u003Cp>To enable CORS Support, edit your wp-config.php file and add a new constant called \u003Cstrong>JWT_AUTH_CORS_ENABLE\u003C\u002Fstrong>:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('JWT_AUTH_CORS_ENABLE', true);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Finally, activate the plugin within your wp-admin.\u003C\u002Fp>\n\u003Ch3>Namespace and Endpoints\u003C\u002Fh3>\n\u003Cp>When the plugin is activated, a new namespace is added:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002Fjwt-auth\u002Fv1\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Also, two new endpoints are added to this namespace:\u003C\u002Fp>\n\u003Cp>Endpoint | HTTP Verb\u003Cbr \u002F>\n\u003Cem>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u003C\u002Fem> | POST\u003Cbr \u002F>\n\u003Cem>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u002Fvalidate\u003C\u002Fem> | POST\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Need more functionality?\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=endpoints_pro_note\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa> includes additional endpoints for token refresh and revocation.\u003C\u002Fp>\n\u003Ch3>USAGE\u003C\u002Fh3>\n\u003Ch4>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u003C\u002Fh4>\n\u003Cp>This is the entry point for JWT Authentication.\u003C\u002Fp>\n\u003Cp>It validates the user credentials, \u003Cem>username\u003C\u002Fem> and \u003Cem>password\u003C\u002Fem>, and returns a token to use in future requests to the API if the authentication is correct, or an error if authentication fails.\u003C\u002Fp>\n\u003Cp>Sample Request Using AngularJS\u003C\u002Fp>\n\u003Cpre>\u003Ccode>(function() {\n  var app = angular.module('jwtAuth', []);\n\n  app.controller('MainController', function($scope, $http) 
{\n    var apiHost = 'http:\u002F\u002Fyourdomain.com\u002Fwp-json';\n\n    $http.post(apiHost + '\u002Fjwt-auth\u002Fv1\u002Ftoken', {\n      username: 'admin',\n      password: 'password'\n    })\n    .then(function(response) {\n      console.log(response.data)\n    })\n    .catch(function(error) {\n      console.error('Error', error.data[0]);\n    });\n  });\n})();\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Success Response From The Server\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n  \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC9qd3QuZGV2IiwiaWF0IjoxNDM4NTcxMDUwLCJuYmYiOjE0Mzg1NzEwNTAsImV4cCI6MTQzOTE3NTg1MCwiZGF0YSI6eyJ1c2VyIjp7ImlkIjoiMSJ9fX0.YNe6AyWW4B7ZwfFE5wJ0O6qQ8QFcYizimDmBy6hCH_8\",\n  \"user_display_name\": \"admin\",\n  \"user_email\": \"admin@localhost.dev\",\n  \"user_nicename\": \"admin\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Error Response From The Server\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n  \"code\": \"jwt_auth_failed\",\n  \"data\": {\n    \"status\": 403\n  },\n  \"message\": \"Invalid Credentials.\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Once you get the token, you must store it somewhere in your application, e.g., in a \u003Cstrong>cookie\u003C\u002Fstrong> or using \u003Cstrong>localStorage\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>From this point, you should pass this token with every API call.\u003C\u002Fp>\n\u003Cp>Sample Call Using The Authorization Header With AngularJS\u003C\u002Fp>\n\u003Cpre>\u003Ccode>app.config(function($httpProvider) {\n  $httpProvider.interceptors.push(['$q', '$location', '$cookies', function($q, $location, $cookies) {\n    return {\n      'request': function(config) {\n        config.headers = config.headers || {};\n        \u002F\u002F Assume that you store the token in a cookie\n        var globals = $cookies.getObject('globals') || {};\n        \u002F\u002F If the cookie has the CurrentUser and the token\n        \u002F\u002F add the Authorization header in each 
request\n        if (globals.currentUser && globals.currentUser.token) {\n          config.headers.Authorization = 'Bearer ' + globals.currentUser.token;\n        }\n        return config;\n      }\n    };\n  }]);\n});\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>The \u003Cstrong>wp-api-jwt-auth\u003C\u002Fstrong> plugin will intercept every call to the server and will look for the Authorization Header. If the Authorization header is present, it will try to decode the token and will set the user according to the data stored in it.\u003C\u002Fp>\n\u003Cp>If the token is valid, the API call flow will continue as normal.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Sample Headers\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>POST \u002Fresource HTTP\u002F1.1\nHost: server.example.com\nAuthorization: Bearer mF_s9.B5f-4.1JqM\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>ERRORS\u003C\u002Fh3>\n\u003Cp>If the token is invalid, an error will be returned. Here are some sample errors:\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Invalid Credentials\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[\n  {\n    \"code\": \"jwt_auth_failed\",\n    \"message\": \"Invalid Credentials.\",\n    \"data\": {\n      \"status\": 403\n    }\n  }\n]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Invalid Signature\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[\n  {\n    \"code\": \"jwt_auth_invalid_token\",\n    \"message\": \"Signature verification failed\",\n    \"data\": {\n      \"status\": 403\n    }\n  }\n]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Expired Token\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[\n  {\n    \"code\": \"jwt_auth_invalid_token\",\n    \"message\": \"Expired token\",\n    \"data\": {\n      \"status\": 403\n    }\n  }\n]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Need advanced error tracking?\u003C\u002Fstrong> \u003Ca 
href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=errors_pro_note\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa> offers enhanced error tracking and monitoring capabilities.\u003C\u002Fp>\n\u003Ch4>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u002Fvalidate\u003C\u002Fh4>\n\u003Cp>This is a simple helper endpoint to validate a token. You only need to make a POST request with the Authorization header.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Valid Token Response\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n  \"code\": \"jwt_auth_valid_token\",\n  \"data\": {\n    \"status\": 200\n  }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>AVAILABLE HOOKS\u003C\u002Fh3>\n\u003Cp>The \u003Cstrong>wp-api-jwt-auth\u003C\u002Fstrong> plugin is developer-friendly and provides five filters to override the default settings.\u003C\u002Fp>\n\u003Ch4>jwt_auth_cors_allow_headers\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_cors_allow_headers\u003C\u002Fstrong> filter allows you to modify the available headers when CORS support is enabled.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>'Access-Control-Allow-Headers, Content-Type, Authorization'\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_not_before\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_not_before\u003C\u002Fstrong> filter allows you to change the \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519#section-4.1.5\" rel=\"nofollow ugc\">\u003Cstrong>nbf\u003C\u002Fstrong>\u003C\u002Fa> value before the token is created.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>Creation time - time()\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_expire\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_expire\u003C\u002Fstrong> filter allows you to change the \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519#section-4.1.4\" 
rel=\"nofollow ugc\">\u003Cstrong>exp\u003C\u002Fstrong>\u003C\u002Fa> value before the token is created.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>time() + (DAY_IN_SECONDS * 7)\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_token_before_sign\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_token_before_sign\u003C\u002Fstrong> filter allows you to modify all token data before it is encoded and signed.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>$token = array(\n    'iss' => get_bloginfo('url'),\n    'iat' => $issuedAt,\n    'nbf' => $notBefore,\n    'exp' => $expire,\n    'data' => array(\n        'user' => array(\n            'id' => $user->data->ID,\n        )\n    )\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Want easier customization?\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=hook_payload_pro_note\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa> allows you to add custom claims directly through the admin UI.\u003C\u002Fp>\n\u003Ch4>jwt_auth_token_before_dispatch\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_token_before_dispatch\u003C\u002Fstrong> filter allows you to modify the response array before it is sent to the client.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>$data = array(\n    'token' => $token,\n    'user_email' => $user->data->user_email,\n    'user_nicename' => $user->data->user_nicename,\n    'user_display_name' => $user->data->display_name,\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_algorithm\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_algorithm\u003C\u002Fstrong> filter allows you to modify the signing algorithm.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>$token = JWT::encode(\n    apply_filters('jwt_auth_token_before_sign', $token, $user),\n    
$secret_key,\n    apply_filters('jwt_auth_algorithm', 'HS256')\n);\n\n\u002F\u002F ...\n\n$token = JWT::decode(\n    $token,\n    new Key($secret_key, apply_filters('jwt_auth_algorithm', 'HS256'))\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>JWT Authentication PRO\u003C\u002Fh3>\n\u003Cp>Elevate your WordPress security and integration capabilities with \u003Cstrong>JWT Authentication PRO\u003C\u002Fstrong>. Building upon the solid foundation of the free version, the PRO version offers advanced features, enhanced security options, and a streamlined user experience:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Easy Configuration UI:\u003C\u002Fstrong> Manage all settings directly from the WordPress admin area.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Refresh Endpoint:\u003C\u002Fstrong> Allow users to refresh expired tokens seamlessly without requiring re-login.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Revocation Endpoint:\u003C\u002Fstrong> Immediately invalidate specific tokens for enhanced security control.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Customizable Token Payload:\u003C\u002Fstrong> Add custom claims to your JWT payload to suit your specific application needs.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Granular CORS Control:\u003C\u002Fstrong> Define allowed origins and headers with more precision directly in the settings.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Rate Limiting:\u003C\u002Fstrong> Protect your endpoints from abuse with configurable rate limits.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Audit Logs:\u003C\u002Fstrong> Keep track of token generation, validation, and errors.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Priority Support:\u003C\u002Fstrong> Get faster, dedicated support directly from the developer.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=pro_section_cta\" rel=\"nofollow ugc\">Upgrade to JWT 
Authentication PRO Today!\u003C\u002Fa>\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>Free vs. PRO Comparison\u003C\u002Fh3>\n\u003Cp>Here’s a quick look at the key differences:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Basic JWT Authentication:\u003C\u002Fstrong> Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Generation:\u003C\u002Fstrong> Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Validation:\u003C\u002Fstrong> Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Refresh Mechanism:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Revocation:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Management Dashboard:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Analytics & Monitoring:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Geo-IP Identification:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Rate Limiting:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Detailed Documentation:\u003C\u002Fstrong> Basic (Free), Comprehensive (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Developer Tools:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Premium Support:\u003C\u002Fstrong> Community via GitHub (Free), Priority Direct Support (PRO)\u003C\u002Fli>\n\u003C\u002Ful>\n","Extends the WP REST API using JSON Web Tokens Authentication as an authentication 
method.",60000,893830,88,53,"2026-02-18T00:58:00.000Z","4.2","7.4.0",[134,135,136,22,53],"json-web-authentication","jwt","oauth","https:\u002F\u002Fenriquechavez.co","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fjwt-authentication-for-wp-rest-api.1.5.0.zip",{"attackSurface":140,"codeSignals":161,"taintFlows":169,"riskAssessment":170,"analyzedAt":176},{"hooks":141,"ajaxHandlers":148,"restRoutes":149,"shortcodes":158,"cronEvents":159,"entryPointCount":160,"unprotectedCount":160},[142],{"type":143,"name":144,"callback":145,"file":146,"line":147},"action","rest_api_init","rest_api_for_relevanssi_filter_add_filters","rest-api-for-relevanssi.php",41,[],[150],{"namespace":151,"route":23,"methods":152,"callback":155,"permissionCallback":156,"file":146,"line":157},"relevanssi\u002Fv1",[153,154],"GET","POST","relevanssi_search_callback","__return_true",51,[],[],1,{"dangerousFunctions":162,"sqlUsage":163,"outputEscaping":165,"fileOperations":27,"externalRequests":27,"nonceChecks":27,"capabilityChecks":160,"bundledLibraries":168},[],{"prepared":27,"raw":27,"locations":164},[],{"escaped":166,"rawEcho":27,"locations":167},11,[],[],[],{"summary":171,"deductions":172},"The \"rest-api-for-relevanssi\" plugin, version 1.18, exhibits a mixed security posture. On the positive side, the plugin demonstrates good coding practices by utilizing prepared statements for all SQL queries and properly escaping all identified output. There are no recorded vulnerabilities (CVEs) for this plugin, nor have there been any in its history, suggesting a generally well-maintained and secure codebase. However, a significant concern arises from the static analysis, which reveals one unprotected REST API route. 
This represents a potential entry point for attackers that lacks any form of authentication or capability check, making it susceptible to unauthorized access and manipulation.\n\nThe lack of any dangerous function usage and zero taint analysis findings are positive indicators of security. The single identified capability check is applied to the plugin's entry points in general, but it's critically missing for the specific REST API route identified as unprotected. The absence of AJAX handlers, shortcodes, cron events, file operations, external HTTP requests, and bundled libraries further reduces the overall attack surface. Despite the strong practices in other areas, the unprotected REST API route is a notable weakness that needs immediate attention, as it bypasses standard WordPress security measures.\n\nIn conclusion, while the plugin has a clean vulnerability history and employs good practices for SQL and output handling, the presence of an unprotected REST API route presents a clear and immediate security risk. This single vulnerability significantly undermines the plugin's overall security. Addressing this unprotected route is paramount to improving its security posture and mitigating potential exploitation.",[173],{"reason":174,"points":175},"Unprotected REST API route",10,"2026-03-16T20:10:57.773Z",{"wat":178,"direct":183},{"assetPaths":179,"generatorPatterns":180,"scriptPaths":181,"versionParams":182},[],[],[],[],{"cssClasses":184,"htmlComments":185,"htmlAttributes":186,"restEndpoints":187,"jsGlobals":189,"shortcodeOutput":190},[],[],[],[188],"\u002Frelevanssi\u002Fv1\u002Fsearch",[],[]]