[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fGaUqM1WESGac_e2BUQe1OEPG1zxXPwk97DEjUhTXzPc":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":20,"download_link":21,"security_score":22,"vuln_count":13,"unpatched_count":13,"last_vuln_date":23,"fetched_at":24,"vulnerabilities":25,"developer":26,"crawl_stats":23,"alternatives":33,"analysis":34,"fingerprints":75},"second-factor","Second Factor","1.0","apokalyptik","https:\u002F\u002Fprofiles.wordpress.org\u002Fapokalyptik\u002F","\u003Cp>This plugin prevents logged in users from doing anything on your wordpress.org blog until they have verified their second factor of authentication.  The process goes like this:\u003C\u002Fp>\n\u003Col>\n\u003Cli>A user logs into your blog.\n\u003Cul>\n\u003Cli>Behind the scenes a bunch of cryptographic stuff happens and a key is generated and attached to that user. The key is overwritten with a new one every single time they log in. This key is emailed to that user (via the email address the user is registered under.)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>The user gets the email with the code.\u003C\u002Fli>\n\u003Cli>The user then enters the code at the page which is now presented to them when they are trying to access your blog\n\u003Cul>\n\u003Cli>Behind the scenes the token is checked for validity, and a cookie is added to the users session.  They are now allowed access to your blog.  
If the key changes (the user logs out, or is required to log in again) the cookie that they may have been using will no longer be valid and they will be asked to enter the new one that they get via email.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Fol>\n","Require secondary authentication for registered user access",10,1996,0,"2010-11-18T22:29:00.000Z","3.1.4","3.0.1","",[19],"authentication-security-email-login-notification-factor","http:\u002F\u002Fwordpress.org\u002F#","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsecond-factor.1.0.zip",85,null,"2026-03-15T15:16:48.613Z",[],{"slug":7,"display_name":7,"profile_url":8,"plugin_count":27,"total_installs":28,"avg_security_score":29,"avg_patch_time_days":30,"trust_score":31,"computed_at":32},2,40,93,30,89,"2026-04-04T07:23:46.491Z",[],{"attackSurface":35,"codeSignals":55,"taintFlows":67,"riskAssessment":68,"analyzedAt":74},{"hooks":36,"ajaxHandlers":51,"restRoutes":52,"shortcodes":53,"cronEvents":54,"entryPointCount":13,"unprotectedCount":13},[37,43,47],{"type":38,"name":39,"callback":40,"priority":13,"file":41,"line":42},"action","wp_loaded","second_factor_enforce_security","second-factor.php",82,{"type":38,"name":44,"callback":45,"file":41,"line":46},"wp_login","second_factor_regenerate_token",83,{"type":38,"name":48,"callback":49,"file":41,"line":50},"wp_logout","second_factor_logout_regen_token",84,[],[],[],[],{"dangerousFunctions":56,"sqlUsage":57,"outputEscaping":59,"fileOperations":13,"externalRequests":13,"nonceChecks":13,"capabilityChecks":13,"bundledLibraries":66},[],{"prepared":13,"raw":13,"locations":58},[],{"escaped":13,"rawEcho":27,"locations":60},[61,64],{"file":41,"line":62,"context":63},71,"raw output",{"file":41,"line":65,"context":63},75,[],[],{"summary":69,"deductions":70},"The 'second-factor' v1.0 plugin exhibits a strong security posture based on the provided static analysis. 
No known vulnerabilities or CVEs are recorded for it, but the plugin was last updated in 2010 and has only 10 active installs, so the clean vulnerability history may reflect limited scrutiny rather than a well-maintained codebase. The static analysis shows zero AJAX handlers, REST API routes, shortcodes, or cron events, which limits the attack surface; the plugin registers three action hooks (wp_loaded, wp_login, wp_logout). No SQL queries were observed, prepared or raw, so SQL injection handling could not be assessed, and no nonce or capability checks were detected. However, a notable concern arises from the output escaping. Both observed outputs (second-factor.php, lines 71 and 75) are echoed without escaping, which is a Cross-Site Scripting (XSS) risk if user-supplied data reaches them; no taint flows were recorded, so this is unconfirmed and those two lines should be reviewed manually. While no dangerous function calls or raw SQL were found, the unescaped output is a potential weakness that requires attention.",[71],{"reason":72,"points":73},"Output escaping is not performed on any outputs",6,"2026-03-17T00:23:13.655Z",{"wat":76,"direct":81},{"assetPaths":77,"generatorPatterns":78,"scriptPaths":79,"versionParams":80},[],[],[],[],{"cssClasses":82,"htmlComments":83,"htmlAttributes":84,"restEndpoints":85,"jsGlobals":86,"shortcodeOutput":87},[],[],[],[],[],[88,89,90,91,92,93,94],"\u003Cp>An email message has been sent to you with the following subject line:\u003C\u002Fp>","\u003Cp style=\"text-align: center;\">\u003Cstrong>&#8216;","&#8217;\u003C\u002Fstrong>\u003C\u002Fp>","\u003Cp>This email contains a token, which you need to enter, below, to complete your login.  ","Logging out and back in will cause a new message with a new token to be sent to you, and the old token will no longer be valid.\u003C\u002Fp>","\u003Cform method=\"POST\">\u003Cp style=\"text-align: center;\">Second Factor Token: \u003Cinput name=\"second_factor\" type=\"password\">\u003Cinput type=\"submit\"> ","or \u003Ca href=\""]