Does SpoofProof have any unpatched vulnerabilities?

No published vulnerabilities and no findings under coordinated disclosure as of the latest data update. Always keep the plugin updated to the latest version.

Is SpoofProof compatible with WordPress 4.6.30?

According to WordPress.org data, SpoofProof 1.0 has been tested up to WordPress 4.6.30. Check the plugin's changelog for the latest compatibility information.

How often is SpoofProof updated?

SpoofProof was last updated on Sep 6, 2016. Frequent updates are generally a positive security signal.

What is SpoofProof's security score?

SpoofProof has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

SpoofProof Security & Risk Analysis

wordpress.org/plugins/spoofproof

SpoofProof alters the WP login screen using a web service to verify that you are not being attacked by spoofing, phishing, or Man in the middle.

10 active installs v1.0 PHP + WP 4.3+ Updated Sep 6, 2016

anti-injectionanti-javascript-injectioninjectionsecurityspoofproof

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is SpoofProof Safe to Use in 2026?

Generally Safe

Score 85/100

SpoofProof has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 9yr ago

Risk Assessment

The spoofproof plugin v1.0 exhibits a mixed security posture. While it demonstrates good practices in database interaction by using prepared statements exclusively and has no recorded vulnerability history, significant concerns arise from its attack surface and output handling. A substantial portion of its AJAX handlers, which are primary entry points, lack proper authentication checks, creating a direct pathway for unauthorized actions. Furthermore, the taint analysis reveals critical flaws with two high-severity flows involving unsanitized paths, indicating potential for injection vulnerabilities or other data manipulation attacks. The low percentage of properly escaped output suggests a risk of Cross-Site Scripting (XSS) vulnerabilities, especially when combined with the exposed AJAX handlers.

Despite the absence of known CVEs and the clean SQL query implementation, the combination of a large, unprotected attack surface, insecure taint flows, and insufficient output escaping presents a considerable risk. The plugin's static analysis reveals critical weaknesses that could be exploited if the unsanitized paths or exposed AJAX handlers are targeted. A strong recommendation would be to address the authentication and sanitization issues immediately, alongside improving output escaping practices to secure the plugin effectively.

Key Concerns

AJAX handlers without auth checks
High severity taint flows (unsanitized paths)
Low output escaping percentage
No nonce checks
Capability checks are minimal

Vulnerabilities

None known

SpoofProof Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Version History

SpoofProof Release Timeline

v1.0.0.4

v1.0.0.3

Code Analysis

Analyzed Mar 17, 2026

SpoofProof Code Analysis

Dangerous Functions

Raw SQL Queries

25 prepared

Unescaped Output

6 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

100% prepared25 total queries

Output Escaping

27% escaped22 total outputs

Data Flows · Security

4 unsanitized

Data Flow Analysis

6 flows4 with unsanitized paths

<spoofproof-page-options> (spoofproof-page-options.php:0)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

5 unprotected

SpoofProof Attack Surface

Entry Points6

Unprotected5

AJAX Handlers 5

authwp_ajax_SpoofProof_Save_Global_Settingsspoofproof.php:89

authwp_ajax_SpoofProof_Show_Imagesspoofproof.php:259

authwp_ajax_SpoofProof_Upload_Imagesspoofproof.php:280

noprivwp_ajax_SpoofProof_Nextspoofproof.php:592

authwp_ajax_SpoofProof_Nextspoofproof.php:593

Shortcodes 1

[spoofproof_login] spoofproof.php:602

WordPress Hooks 13

actionadmin_menuspoofproof.php:35

actionadmin_initspoofproof.php:61

actionpublish_postspoofproof.php:219

actionshow_user_profilespoofproof.php:363

actionedit_user_profilespoofproof.php:364

actionpersonal_options_updatespoofproof.php:382

actionedit_user_profile_updatespoofproof.php:383

actionregister_formspoofproof.php:390

filterregistration_errorsspoofproof.php:398

actionuser_registerspoofproof.php:415

actionlogin_headspoofproof.php:471

actionlogin_formspoofproof.php:497

actionadmin_initspoofproof.php:622

Maintenance & Trust

SpoofProof Maintenance & Trust

Maintenance Signals

WordPress version tested4.6.30

Last updatedSep 6, 2016

PHP min version

Downloads2K

Community Trust

Rating0/100

Number of ratings0

Active installs10

Alternatives

SpoofProof Alternatives

Injection Guard

injection-guard

This plugin blocks all unauthorized and irrelevant requests through query strings and provides extended session tracking and capability audit.

1K 6 CVEs

Host Header Injection Fix

host-header-injection-fix

100

Sets custom headers for WP notification emails. Also fixes a security issue with WP versions < 5.5.

500 No CVEs

Shieldfy Security Firewall and Anti Virus

shieldfy

Shieldfy is a cloud-based security shield for your website to protect it from web attacks and malwares.

40 No CVEs

Cybershield Firewall

cybershield-waf

CyberShield, Your First Line of Defense Against Web Attacks.

10 No CVEs

Wordfence Security – Firewall, Malware Scan, and Login Security

wordfence

Firewall, Malware Scanner, Two Factor Auth, and Comprehensive Security Features, powered by our 24-hour team. Make security a priority with Wordfence.

5.0M 12 CVEs

Developer Profile

SpoofProof Developer Profile

ciphertooth

1 plugin · 10 total installs

trust score

Avg Security Score

85/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect SpoofProof

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/spoofproof/css/SpoofProof.css

Version Parameters

SpoofProof.css?ver=1.0

HTML / DOM Fingerprints

REST Endpoints

/wp-ajax-handle/SpoofProof_Save_Global_Settings

FAQ