Theme My Login Security & Risk Analysis

wordpress.org/plugins/theme-my-login

The ultimate login branding solution! Theme My Login offers matchless customization of your WordPress user experience!

60K active installs · v7.1.14 · PHP + WP 5.4+ · Updated Sep 30, 2025
Tags: branding, customize, login, password, register
95
A · Safe
CVEs total: 4
Unpatched: 0
Last CVE: Sep 26, 2025
Safety Verdict

Is Theme My Login Safe to Use in 2026?

Generally Safe

Score 95/100

Theme My Login has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

4 known CVEs · Last CVE: Sep 26, 2025 · Updated 7mo ago
Risk Assessment

The plugin "theme-my-login" v7.1.14 presents a mixed security posture. While it demonstrates good practices such as 100% use of prepared statements for SQL queries and a substantial percentage of properly escaped output, significant concerns arise from its attack surface and taint analysis. The presence of 3 unprotected AJAX handlers, out of a total of 4 entry points, represents a substantial risk of unauthorized actions being performed. Furthermore, the taint analysis reveals 1 high severity flow with unsanitized paths, indicating a potential for attackers to manipulate data in a dangerous way. The vulnerability history, with 4 known CVEs including high and medium severity issues like CSRF, Missing Authorization, and PHP Remote File Inclusion, suggests a pattern of historical security weaknesses that, despite no currently unpatched vulnerabilities, warrants caution. The plugin's strengths lie in its database security and output sanitization, but the unprotected entry points and past vulnerability types highlight areas requiring immediate attention to mitigate potential risks.

Key Concerns

  • Unprotected AJAX handlers
  • High severity taint flow
  • History of high severity vulnerabilities
  • History of medium severity vulnerabilities
  • Unescaped output
Vulnerabilities
4 published

Theme My Login Security Vulnerabilities

CVEs by Year

  • 1 CVE in 2014
  • 2 CVEs in 2024
  • 1 CVE in 2025

Severity Breakdown

  • High: 1
  • Medium: 3

4 total CVEs

CVE-2025-60098 · medium · 5.3 · Missing Authorization

Theme My Login <= 7.1.12 - Missing Authorization

Sep 26, 2025 Patched in 7.1.13 (7d)
CVE-2024-7422 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Theme My Login <= 7.1.7 - Cross-Site Request Forgery to Settings Update

Aug 15, 2024 Patched in 7.1.8 (1d)
CVE-2024-32525 · medium · 4.3 · Missing Authorization

Theme My Login <= 7.1.6 - Missing Authorization to Notice Dismissal

Apr 15, 2024 Patched in 7.1.7 (9d)
CVE-2014-5155 · high · 8.8 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Theme My Login <= 6.3.9 - Local File Inclusion

Jun 30, 2014 Patched in 6.3.10 (3494d)
Code Analysis
Analyzed Mar 16, 2026

Theme My Login Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 28 (90 escaped)
  • Nonce Checks: 4
  • Capability Checks: 8
  • File Operations: 1
  • External Requests: 2
  • Bundled Libraries: 0

Output Escaping

76% escaped · 118 total outputs
Data Flows · Security
3 unsanitized

Data Flow Analysis

4 flows · 3 with unsanitized paths
tml_dashboard_handler (includes\actions.php:382)
Attack Surface
3 unprotected

Theme My Login Attack Surface

Entry Points: 4
Unprotected: 3

AJAX Handlers 3

  • auth wp_ajax_tml-dismiss-notice (admin\hooks.php:19)
  • auth wp_ajax_tml-activate-extension-license (admin\hooks.php:44)
  • auth wp_ajax_tml-deactivate-extension-license (admin\hooks.php:45)

Shortcodes 1

[theme-my-login] includes\shortcodes.php:116
WordPress Hooks 66
  • action admin_enqueue_scripts (admin\hooks.php:15)
  • action admin_notices (admin\hooks.php:18)
  • action admin_init (admin\hooks.php:22)
  • action admin_init (admin\hooks.php:23)
  • action admin_init (admin\hooks.php:24)
  • action network_admin_menu (admin\hooks.php:28)
  • action admin_init (admin\hooks.php:29)
  • action network_admin_edit_theme-my-login (admin\hooks.php:30)
  • action admin_menu (admin\hooks.php:32)
  • action admin_init (admin\hooks.php:33)
  • action current_screen (admin\hooks.php:35)
  • action admin_init (admin\hooks.php:38)
  • action admin_head-nav-menus.php (admin\hooks.php:41)
  • filter plugin_action_links (admin\hooks.php:52)
  • filter wp_robots (includes\functions.php:308)
  • action login_head (includes\functions.php:309)
  • action login_head (includes\functions.php:311)
  • action init (includes\hooks.php:15)
  • action init (includes\hooks.php:16)
  • action init (includes\hooks.php:19)
  • action init (includes\hooks.php:20)
  • action widgets_init (includes\hooks.php:23)
  • action parse_request (includes\hooks.php:26)
  • action parse_query (includes\hooks.php:29)
  • action wp (includes\hooks.php:32)
  • action template_redirect (includes\hooks.php:35)
  • action wp_enqueue_scripts (includes\hooks.php:36)
  • action wp_enqueue_scripts (includes\hooks.php:37)
  • action wp_head (includes\hooks.php:38)
  • action wp_footer (includes\hooks.php:39)
  • action pre_user_login (includes\hooks.php:42)
  • action register_new_user (includes\hooks.php:43)
  • action register_new_user (includes\hooks.php:44)
  • action register_new_user (includes\hooks.php:46)
  • action edit_user_created_user (includes\hooks.php:47)
  • action tml_activate (includes\hooks.php:53)
  • action tml_deactivate (includes\hooks.php:56)
  • filter the_posts (includes\hooks.php:63)
  • filter page_template (includes\hooks.php:64)
  • filter body_class (includes\hooks.php:65)
  • filter get_edit_post_link (includes\hooks.php:66)
  • filter comments_array (includes\hooks.php:67)
  • filter site_url (includes\hooks.php:70)
  • filter network_site_url (includes\hooks.php:71)
  • filter logout_url (includes\hooks.php:72)
  • filter lostpassword_url (includes\hooks.php:73)
  • filter authenticate (includes\hooks.php:76)
  • filter registration_errors (includes\hooks.php:85)
  • filter tml_registration_redirect (includes\hooks.php:87)
  • filter wp_new_user_notification_email (includes\hooks.php:90)
  • filter customize_nav_menu_available_item_types (includes\hooks.php:93)
  • filter customize_nav_menu_available_items (includes\hooks.php:94)
  • filter wp_setup_nav_menu_item (includes\hooks.php:97)
  • filter nav_menu_css_class (includes\hooks.php:98)
  • filter plugins_api (includes\hooks.php:101)
  • filter pre_set_site_transient_update_plugins (includes\hooks.php:102)
  • action init (includes\ms-hooks.php:15)
  • action init (includes\ms-hooks.php:16)
  • action wpmu_activate_user (includes\ms-hooks.php:19)
  • action wpmu_activate_blog (includes\ms-hooks.php:20)
  • filter tml_shortcode (includes\ms-hooks.php:27)
  • filter tml_shortcode (includes\ms-hooks.php:28)
  • filter network_site_url (includes\ms-hooks.php:31)
  • filter wp_pre_insert_user_data (includes\ms-hooks.php:34)
  • filter update_welcome_email (includes\ms-hooks.php:35)
  • filter update_welcome_user_email (includes\ms-hooks.php:36)
Maintenance & Trust

Theme My Login Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Sep 30, 2025
PHP min version
Downloads: 4.3M

Community Trust

Rating: 74/100
Number of ratings: 460
Active installs: 60K
Developer Profile

Theme My Login Developer Profile

Jeff Farthing

2 plugins · 60K total installs

Trust score: 72
Avg Security Score: 90/100
Avg Patch Time: 878 days
Detection Fingerprints

How We Detect Theme My Login

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/theme-my-login/admin/assets/styles/theme-my-login-admin.css
  • /wp-content/plugins/theme-my-login/admin/assets/scripts/theme-my-login-admin.js
Script Paths
/wp-content/plugins/theme-my-login/admin/assets/scripts/theme-my-login-admin.js
Version Parameters
  • theme-my-login/style.css?ver=
  • theme-my-login/admin/assets/styles/theme-my-login-admin.css?ver=
  • theme-my-login/admin/assets/scripts/theme-my-login-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
tml-notice
HTML Comments
  • <!-- Theme My Login Admin Functions -->
  • <!-- Theme My Login -->
  • <!-- Theme My Login Admin -->
  • <!-- Theme My Login Extensions -->
Data Attributes
data-notice
JS Globals
tmlAdmin
FAQ

Frequently Asked Questions about Theme My Login