Shibboleth Security & Risk Analysis

wordpress.org/plugins/shibboleth

Allows WordPress to externalize user authentication and account creation to a Shibboleth Service Provider.

3K active installs · v2.5.3 · PHP 5.6+ · WP 4.0+ · Updated Feb 26, 2026
Tags: authentication, login, saml, shibboleth
100
A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Mar 2, 2016
Safety Verdict

Is Shibboleth Safe to Use in 2026?

Generally Safe

Score 100/100

Shibboleth has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Mar 2, 2016 · Updated 1mo ago
Risk Assessment

Based on the provided static analysis, version 2.5.3 of the Shibboleth plugin has a generally strong security posture. The analysis identified no dangerous functions and no raw SQL queries, and a very high percentage of output is properly escaped. The absence of file operations and external HTTP requests further reduces potential attack vectors. The presence of nonce and capability checks, though limited, indicates an awareness of security fundamentals. However, the static analysis identified no entry points at all, which is somewhat unusual for a functional plugin and could imply either a very limited scope or a potential blind spot in the analysis itself. The vulnerability history shows a single medium-severity Cross-site Scripting vulnerability from 2016. Although it is old and there are currently no unpatched CVEs, it serves as a reminder that past vulnerabilities can recur if they are not meticulously addressed in subsequent development.

Key Concerns

  • One medium vulnerability in history
  • Limited capability checks (1)
  • Limited nonce checks (7)
Vulnerabilities
1

Shibboleth Security Vulnerabilities

CVEs by Year

1 CVE in 2016

Severity Breakdown

Medium: 1

1 total CVE

CVE-2017-14313 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Shibboleth <= 1.6 - Reflected Cross-Site Scripting

Mar 2, 2016 · Patched in 1.7 (2883d)
Code Analysis
Analyzed Mar 16, 2026

Shibboleth Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 2 (149 escaped)
Nonce Checks: 7
Capability Checks: 1
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

99% escaped · 151 total outputs
Data Flows: All sanitized

Data Flow Analysis

1 flow
<shibboleth> (shibboleth.php:0)
Attack Surface

Shibboleth Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 35
action admin_menu options-admin.php:43
action network_admin_menu options-admin.php:55
filter show_password_fields options-user.php:25
action admin_footer-user-edit.php options-user.php:27
action admin_footer-profile.php options-user.php:29
action personal_options options-user.php:32
action show_user_profile options-user.php:118
action personal_options_update options-user.php:156
action edit_user_profile_update options-user.php:157
action show_user_profile options-user.php:190
action edit_user_profile options-user.php:191
action current_screen options-user.php:289
filter show_password_fields options-user.php:303
action current_screen options-user.php:307
action admin_notices options-user.php:333
action admin_init shibboleth.php:33
action init shibboleth.php:174
action init shibboleth.php:416
filter allowed_redirect_hosts shibboleth.php:485
filter authenticate shibboleth.php:570
filter allowed_redirect_hosts shibboleth.php:573
action login_form_shibboleth shibboleth.php:576
action retrieve_password shibboleth.php:630
filter login_url shibboleth.php:655
action wp_logout shibboleth.php:673
filter send_email_change_email shibboleth.php:1084
filter shibboleth_user_nicename shibboleth.php:1096
action admin_enqueue_scripts shibboleth.php:1110
action login_enqueue_scripts shibboleth.php:1126
filter allow_password_reset shibboleth.php:1141
action login_init shibboleth.php:1150
action login_enqueue_scripts shibboleth.php:1178
filter lostpassword_url shibboleth.php:1195
action login_form shibboleth.php:1248
action plugins_loaded shibboleth.php:1289
Maintenance & Trust

Shibboleth Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 26, 2026
PHP min version: 5.6
Downloads: 59K

Community Trust

Rating: 86/100
Number of ratings: 7
Active installs: 3K
Developer Profile

Shibboleth Developer Profile

michaelryanmcneill

2 plugins · 3K total installs

Trust score: 74
Avg Security Score: 93/100
Avg Patch Time: 2883 days
Detection Fingerprints

How We Detect Shibboleth

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
