Stormpath Security & Risk Analysis

wordpress.org/plugins/stormpath

Give your WordPress website the power of Stormpath Authentication.

10 active installs · v0.1.6 · PHP + · WP 4.5.0+ · Updated Oct 26, 2016
Tags: auth, authentication, authorization, stormpath, user
Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Stormpath Safe to Use in 2026?

Generally Safe

Score 85/100

Stormpath has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 9yr ago
Risk Assessment

Based on the static analysis and vulnerability history, the "stormpath" plugin v0.1.6 appears to have a strong security posture. The absence of any AJAX handlers, REST API routes, shortcodes, or cron events significantly limits the potential attack surface. Furthermore, the code demonstrates good development practices with 100% of SQL queries using prepared statements and all output being properly escaped. The presence of nonce checks and a complete lack of recorded vulnerabilities further bolsters this positive assessment.

However, a few areas warrant consideration. The static analysis indicates zero capability checks were found. While the attack surface is currently zero, any future additions of entry points without proper capability checks would introduce significant risk. Additionally, the plugin bundles Guzzle v1.1, which, depending on its specific version, could be outdated and potentially contain known vulnerabilities. While no CVEs are currently recorded for this plugin, this absence doesn't guarantee future safety and relies on the developer's ongoing vigilance.

Overall, this plugin exhibits a high level of security for its current version and feature set. The developer has implemented several key security best practices. The primary areas for potential future risk lie in ensuring proper capability checks are implemented for any new entry points, and maintaining awareness of the security status of bundled libraries. Without any detected vulnerabilities or exploitable code patterns, the current risk is assessed as very low.

Key Concerns

  • No capability checks implemented
  • Bundled library Guzzle v1.1 may be outdated
Vulnerabilities
None known

Stormpath Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

Stormpath Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 0 (15 escaped)
  • Nonce Checks: 2
  • Capability Checks: 0
  • File Operations: 2
  • External Requests: 0
  • Bundled Libraries: 1

Bundled Libraries

Guzzle 1.1

Output Escaping

100% escaped · 15 total outputs
Attack Surface

Stormpath Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 13

Type    Hook                     Location
action  admin_notices            includes\notices\notices.php:67
action  admin_notices            includes\resources\client.php:97
action  admin_init               includes\stormpath.php:91
action  stormpath_admin_error    includes\stormpath.php:92
action  stormpath_admin_warning  includes\stormpath.php:93
action  stormpath_admin_success  includes\stormpath.php:94
action  admin_menu               includes\stormpath.php:95
action  user_register            includes\stormpath.php:109
action  profile_update           includes\stormpath.php:110
action  after_password_reset     includes\stormpath.php:111
filter  authenticate             includes\stormpath.php:112
filter  login_errors             includes\stormpath.php:113
action  init                     stormpath.php:36
Maintenance & Trust

Stormpath Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.6.30
Last updated: Oct 26, 2016
PHP min version
Downloads: 1K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 10
Developer Profile

Stormpath Developer Profile

bretterer

2 plugins · 20 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Stormpath

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/stormpath/assets/css/admin.css
  • /wp-content/plugins/stormpath/assets/css/frontend.css
  • /wp-content/plugins/stormpath/assets/js/admin.js
  • /wp-content/plugins/stormpath/assets/js/frontend.js
Script Paths
  • /wp-content/plugins/stormpath/assets/js/admin.js
  • /wp-content/plugins/stormpath/assets/js/frontend.js
Version Parameters
  • stormpath/assets/css/admin.css?ver=
  • stormpath/assets/css/frontend.css?ver=
  • stormpath/assets/js/admin.js?ver=
  • stormpath/assets/js/frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
stormpath-admin-settings
JS Globals
StormpathAdmin