Secure Passkeys Security & Risk Analysis

wordpress.org/plugins/secure-passkeys

Secure Passkeys is a powerful WordPress plugin that enables passwordless authentication using WebAuthn technology.

1K active installs · v1.2.4 · PHP 7.4+ · WP 6.0+ · Updated Jan 30, 2026
Tags: login, passkeys, passwordless, secure, webauthn
99
A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Sep 19, 2025
Safety Verdict

Is Secure Passkeys Safe to Use in 2026?

Generally Safe

Score 99/100

Secure Passkeys has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Sep 19, 2025 · Updated 2mo ago
Risk Assessment

The secure-passkeys plugin v1.2.4 exhibits a mixed security posture. On the positive side, it demonstrates strong practices in SQL query preparation (89%) and output escaping (97%), with no identified dangerous functions or external HTTP requests. The low number of file operations and the presence of a nonce check and some capability checks are also encouraging signs. However, a significant concern is the large attack surface exposed through AJAX handlers, with 100% of the 13 identified AJAX handlers lacking authentication checks. Furthermore, the taint analysis revealed 6 high-severity flows with unsanitized paths, indicating potential vulnerabilities where untrusted data could lead to unintended consequences.

Key Concerns

  • AJAX handlers without auth checks
  • High severity taint flows (unsanitized paths)
  • Nonce checks present, but limited
  • Capability checks present, but limited
Vulnerabilities
1

Secure Passkeys Security Vulnerabilities

CVEs by Year

1 CVE in 2025

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-10305 · medium · 5.3 · Missing Authorization

Secure Passkeys <= 1.2.1 - Missing Authorization to Authenticated (Subscriber+) Passkey Exposure and Deletion

Sep 19, 2025 · Patched in 1.2.2 (1d)
Code Analysis
Analyzed Mar 16, 2026

Secure Passkeys Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 5 (41 prepared)
Unescaped Output: 3 (101 escaped)
Nonce Checks: 1
Capability Checks: 3
File Operations: 1
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

89% prepared · 46 total queries

Output Escaping

97% escaped · 104 total outputs
Data Flows
6 unsanitized

Data Flow Analysis

6 flows · 6 with unsanitized paths
delete_passkey (src\ajax\secure-passkeys-adminarea-ajax.php:101)
Attack Surface
13 unprotected

Secure Passkeys Attack Surface

Entry Points: 15
Unprotected: 13

AJAX Handlers 13

  • auth · wp_ajax_secure_passkeys_adminarea_overview · src\ajax\secure-passkeys-adminarea-ajax.php:18
  • auth · wp_ajax_secure_passkeys_adminarea_filter_users · src\ajax\secure-passkeys-adminarea-ajax.php:19
  • auth · wp_ajax_secure_passkeys_adminarea_passkeys_list · src\ajax\secure-passkeys-adminarea-ajax.php:20
  • auth · wp_ajax_secure_passkeys_adminarea_delete_passkey · src\ajax\secure-passkeys-adminarea-ajax.php:21
  • auth · wp_ajax_secure_passkeys_adminarea_activate_deactivate_passkey · src\ajax\secure-passkeys-adminarea-ajax.php:22
  • auth · wp_ajax_secure_passkeys_adminarea_get_profile_registered_passkeys_list · src\ajax\secure-passkeys-adminarea-ajax.php:23
  • auth · wp_ajax_secure_passkeys_adminarea_activity_list · src\ajax\secure-passkeys-adminarea-ajax.php:24
  • nopriv · wp_ajax_secure_passkeys_frontend_get_login_options · src\ajax\secure-passkeys-frontend-ajax.php:28
  • nopriv · wp_ajax_secure_passkeys_frontend_login · src\ajax\secure-passkeys-frontend-ajax.php:29
  • auth · wp_ajax_secure_passkeys_frontend_get_registered_passkeys_list · src\ajax\secure-passkeys-frontend-ajax.php:30
  • auth · wp_ajax_secure_passkeys_frontend_get_register_options · src\ajax\secure-passkeys-frontend-ajax.php:31
  • auth · wp_ajax_secure_passkeys_frontend_register_passkey · src\ajax\secure-passkeys-frontend-ajax.php:32
  • auth · wp_ajax_secure_passkeys_frontend_remove_passkey · src\ajax\secure-passkeys-frontend-ajax.php:33

Shortcodes 2

  • [secure_passkeys_login_form] · src\includes\secure-passkeys-frontend.php:22
  • [secure_passkeys_register_form] · src\includes\secure-passkeys-frontend.php:31

WordPress Hooks 22

  • action · activated_plugin · src\core\secure-passkeys-application.php:23
  • filter · plugin_action_links · src\core\secure-passkeys-application.php:25
  • action · init · src\core\secure-passkeys-application.php:33
  • action · init · src\core\secure-passkeys-application.php:35
  • filter · cron_schedules · src\core\secure-passkeys-scheduler.php:66
  • action · deleted_user · src\hooks\secure-passkeys-general.php:15
  • filter · manage_users_columns · src\hooks\secure-passkeys-general.php:16
  • action · manage_users_custom_column · src\hooks\secure-passkeys-general.php:17
  • action · admin_notices · src\hooks\secure-passkeys-general.php:18
  • action · admin_menu · src\includes\secure-passkeys-adminarea.php:15
  • action · admin_enqueue_scripts · src\includes\secure-passkeys-adminarea.php:16
  • action · admin_enqueue_scripts · src\includes\secure-passkeys-adminarea.php:17
  • action · show_user_profile · src\includes\secure-passkeys-adminarea.php:18
  • action · edit_user_profile · src\includes\secure-passkeys-adminarea.php:19
  • action · login_enqueue_scripts · src\includes\secure-passkeys-frontend.php:19
  • action · wp_enqueue_scripts · src\includes\secure-passkeys-frontend.php:20
  • action · login_form · src\includes\secure-passkeys-frontend.php:24
  • action · woocommerce_login_form_end · src\includes\secure-passkeys-frontend.php:25
  • action · edd_login_fields_after · src\includes\secure-passkeys-frontend.php:26
  • action · mepr-login-form-after-submit · src\includes\secure-passkeys-frontend.php:27
  • action · um_after_login_fields · src\includes\secure-passkeys-frontend.php:28
  • action · wp_enqueue_scripts · src\includes\secure-passkeys-frontend.php:30

Maintenance & Trust

Secure Passkeys Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 30, 2026
PHP min version: 7.4
Downloads: 5K

Community Trust

Rating: 96/100
Number of ratings: 18
Active installs: 1K
Developer Profile

Secure Passkeys Developer Profile

Mohamed Endisha

6 plugins · 1K total installs

Trust score: 94
Avg Security Score: 92/100
Avg Patch Time: 1 day
Detection Fingerprints

How We Detect Secure Passkeys

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/secure-passkeys/assets/frontend/css/login.css
  • /wp-content/plugins/secure-passkeys/assets/frontend/js/webauthn.login.js
  • /wp-content/plugins/secure-passkeys/assets/frontend/js/vue.js
  • /wp-content/plugins/secure-passkeys/assets/frontend/js/webauthn.register.js
  • /wp-content/plugins/secure-passkeys/assets/frontend/css/register.css

Script Paths

  • webauthn.login.js
  • vue.js
  • webauthn.register.js

Version Parameters

  • secure-passkeys/assets/frontend/css/login.css?ver=
  • secure-passkeys/assets/frontend/js/webauthn.login.js?ver=
  • secure-passkeys/assets/frontend/js/vue.js?ver=
  • secure-passkeys/assets/frontend/js/webauthn.register.js?ver=
  • secure-passkeys/assets/frontend/css/register.css?ver=

HTML / DOM Fingerprints

CSS Classes

  • secure-passkeys-login-form
  • secure-passkeys-register-form

Data Attributes

  • data-nonce

JS Globals

  • secure_passkeys_object
  • secure_passkeys_registration_object

REST Endpoints

  • /wp-json/secure-passkeys/v1/login
  • /wp-json/secure-passkeys/v1/register
  • /wp-json/secure-passkeys/v1/options

Shortcode Output

  • [secure_passkeys_login_form]
  • [secure_passkeys_register_form]