Simple JWT Login – Allows you to use JWT on REST endpoints. Security & Risk Analysis

The plugin 'simple-jwt-login' v3.6.5 exhibits a mixed security posture. While it demonstrates good practices in areas like the absence of directly exploitable entry points (no unprotected AJAX or REST API routes) and the exclusive use of prepared statements for SQL queries, significant concerns remain. The static analysis reveals a moderate level of output escaping issues, with only 41% of outputs being properly escaped, indicating a potential for cross-site scripting vulnerabilities. The presence of file operations and external HTTP requests, though not inherently insecure, adds to the potential attack surface that requires careful scrutiny.

The vulnerability history is a substantial red flag. With three known CVEs, including one that is currently unpatched, and a history of high and medium severity vulnerabilities such as Cross-Site Scripting, CSRF, and Inadequate Encryption Strength, there's a clear pattern of past security weaknesses. The recent unpatched vulnerability from September 2025 is particularly concerning, as it suggests ongoing risks that have not been addressed. The absence of any critical severity taint flows is positive, but it does not negate the risks posed by the historical vulnerabilities and the identified output escaping issues.

In conclusion, while 'simple-jwt-login' has some positive security attributes, the unpatched vulnerability and the history of significant security flaws strongly suggest a plugin that has struggled with consistent security maintenance. Users should exercise extreme caution and prioritize updating to a version that addresses the outstanding CVE. The output escaping issues also warrant attention from the developers to mitigate potential XSS risks.