Does Simple Login Log have any unpatched vulnerabilities?

No. All known vulnerabilities in Simple Login Log have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Simple Login Log compatible with WordPress 6.9.4?

According to WordPress.org data, Simple Login Log 2.0.0 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

Is Simple Login Log compatible with PHP 8.2+?

Simple Login Log requires PHP 8.2 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Simple Login Log updated?

Simple Login Log was last updated on Dec 31, 2025. Frequent updates are generally a positive security signal.

What is Simple Login Log's security score?

Simple Login Log has a WP-Safety security score of 89/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Simple Login Log Security & Risk Analysis

wordpress.org/plugins/simple-login-log

This plugin keeps a log of WordPress user logins. Offers user and date filtering, and export features.

5K active installs v2.0.0 PHP 8.2+ WP 6.5+ Updated Dec 31, 2025

logloginusers

A · Safe

CVEs total3

Unpatched0

Last CVEAug 17, 2025

Plugin page Download

Safety Verdict

Is Simple Login Log Safe to Use in 2026?

Generally Safe

Score 89/100

Simple Login Log has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEsLast CVE: Aug 17, 2025Updated 3mo ago

Risk Assessment

The "simple-login-log" v2.0.0 plugin presents a mixed security posture. On the positive side, it demonstrates good practices by utilizing prepared statements for all SQL queries, ensuring a high percentage of properly escaped output, and limiting file operations and external HTTP requests. The static analysis also shows a limited attack surface with no unprotected entry points (AJAX, REST API, shortcodes). However, the presence of two 'unserialize' calls is a significant concern, as deserialization of untrusted data is a well-known attack vector, especially when not properly validated. This is further highlighted by the taint analysis revealing two high-severity flows, strongly suggesting potential vulnerabilities related to unsanitized data input that could be leveraged through deserialization.

The plugin's vulnerability history is alarming, with three known CVEs, two of which were rated critical. The types of past vulnerabilities, including Deserialization of Untrusted Data and SQL Injection, directly correlate with the risks identified in the static and taint analysis. While there are currently no unpatched vulnerabilities, the pattern of critical past issues, especially involving deserialization, indicates a recurring weakness that attackers may still find exploitable if not meticulously addressed. The last known vulnerability occurring in 2025 is unusual and may indicate an error in the data, but if accurate, suggests a recent history of critical flaws.

In conclusion, while the plugin implements some essential security measures like prepared statements and output escaping, the critical findings around deserialization and the historical pattern of severe vulnerabilities necessitate a cautious approach. The potential for deserialization vulnerabilities, coupled with past critical SQL injection issues, makes this plugin a moderate to high-risk component, especially if user-supplied data can influence the unserialization process. Further in-depth manual review focusing on the 'unserialize' functions and the data sources feeding them is strongly recommended.

Key Concerns

Dangerous function 'unserialize' found
High severity taint flow (2 instances)
Critical past CVEs (2 instances)
Medium past CVE (1 instance)
0 capability checks found

Vulnerabilities

Simple Login Log Security Vulnerabilities

CVEs by Year

2 CVEs in 2017

2017

1 CVE in 2025

2025

Patched Has unpatched

Severity Breakdown

Critical

Medium

3 total CVEs

CVE-2025-49438medium · 6.6Deserialization of Untrusted Data

Simple Login Log <= 1.1.3 - Authenticated (Administrator+) PHP Object Injection

Aug 17, 2025 Patched in 2.0.0 (143d)

CVE-2017-18514critical · 9.8Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Simple Login Log < 1.1.2 - SQL Injection

Oct 10, 2017 Patched in 1.1.2 (2296d)

CVE-2017-18573critical · 9.8Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Simple Login Log < 1.1.2 - SQL Injection

Oct 10, 2017 Patched in 1.1.2 (2296d)

Code Analysis

Analyzed Mar 16, 2026

Simple Login Log Code Analysis

Dangerous Functions

Raw SQL Queries

129 prepared

Unescaped Output

63 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Dangerous Functions Found

unserialize$tmp = unserialize($row['data']);simple-login-log.php:1206

unserialize$data = unserialize($item[$column_name]);simple-login-log.php:1331

SQL Query Safety

100% prepared129 total queries

Output Escaping

91% escaped69 total outputs

Data Flows

3 unsanitized

Data Flow Analysis

3 flows3 with unsanitized paths

log_manager (simple-login-log.php:889)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

Simple Login Log Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 12

actionadmin_menusimple-login-log.php:53

actionadmin_initsimple-login-log.php:54

actionadmin_headsimple-login-log.php:55

actionplugins_loadedsimple-login-log.php:57

actioninitsimple-login-log.php:59

actionadmin_initsimple-login-log.php:61

actionadmin_initsimple-login-log.php:62

actionadmin_enqueue_scriptssimple-login-log.php:64

actionwpsimple-login-log.php:66

actiontruncate_sllsimple-login-log.php:67

actionwp_loginsimple-login-log.php:139

actionwp_login_failedsimple-login-log.php:143

Scheduled Events 1

truncate_sll

Maintenance & Trust

Simple Login Log Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedDec 31, 2025

PHP min version8.2

Downloads138K

Community Trust

Rating90/100

Number of ratings27

Active installs5K

Alternatives

Simple Login Log Alternatives

Disable User Login

disable-user-login

100

Provides the ability to disable user accounts and prevent them from logging in.

5K 1 CVE

Expire Users

expire-users

100

Set expiry dates for user logins.

4K No CVEs

Expire User Passwords

expire-user-passwords

100

Require certain users to change their passwords on a regular basis.

3K No CVEs

Disable Users

disable-users

This plugin gives you the ability to disable specific user accounts via a profile setting.

2K No CVEs

Prevent Concurrent Logins

prevent-concurrent-logins

Prevents users from staying logged into the same account from multiple places.

900 No CVEs

Developer Profile

Simple Login Log Developer Profile

Joris Le Blansch

2 plugins · 5K total installs

trust score

Avg Security Score

95/100

Avg Patch Time

1578 days

View full developer profile

Detection Fingerprints

How We Detect Simple Login Log

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/simple-login-log/css/styles.css/wp-content/plugins/simple-login-log/js/scripts.js

Script Paths

/wp-content/plugins/simple-login-log/js/scripts.js

Version Parameters

simple-login-log/css/styles.css?ver=simple-login-log/js/scripts.js?ver=

HTML / DOM Fingerprints

CSS Classes

sll-login-log-pagesll-form-containersll-table-containersll-delete-button

HTML Comments

Data Attributes

data-sll-iddata-sll-action

JS Globals

window.SLL_Ajaxvar SLL_Ajaxwindow.SLL_Settings

FAQ