[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fybVO8czCHBNk1yrXkQNEBLFtvIUeu5wH-33mg0R0rqM":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":25,"download_link":26,"security_score":27,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30,"vulnerabilities":31,"developer":32,"crawl_stats":29,"alternatives":36,"analysis":126,"fingerprints":248},"token2-hardware-tokens","Token2 Hardware Tokens","0.1","token2","https:\u002F\u002Fprofiles.wordpress.org\u002Ftoken2\u002F","\u003Cp>The Token2 Hardware Tokens plugin for WordPress gives you two-factor authentication using the Token2 Hardware Tokens .\u003C\u002Fp>\n\u003Cp>The two-factor authentication requirement can be enabled on a per-user basis by administrators.\u003C\u002Fp>\n","Token2 Hardware Tokens for your WordPress blog.",20,1545,100,1,"2018-03-22T09:51:00.000Z","4.9.29","3.8","",[20,21,22,23,24],"authentication","login","otp","password","security","https:\u002F\u002Ftoken2.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftoken2-hardware-tokens.zip",85,0,null,"2026-03-15T15:16:48.613Z",[],{"slug":7,"display_name":7,"profile_url":8,"plugin_count":14,"total_installs":11,"avg_security_score":27,"avg_patch_time_days":33,"trust_score":34,"computed_at":35},30,84,"2026-04-04T14:18:48.687Z",[37,56,73,91,109],{"slug":38,"name":39,"version":40,"author":41,"author_profile":42,"description":43,"short_description":44,"active_installs":45,"downloaded":46,"rating":47,"num_ratings":48,"last_updated":49,"tested_up_to":50,"requires_at_least":51,"requires_php":18,"tags":52,"homepage":53,"download_link":54,"security_score":27,"vuln_count":14,"unpatched_count":28,"last_vuln_date":55,"fetched_at":30},"google-authenticator","Google Authenticator","0.54","Ivan","https:\u002F\u002Fprofiles.wordpress.org\u002Fivankk\u002F","\u003Cp>The Google Authenticator plugin for WordPress gives you two-factor authentication using the Google Authenticator app for Android\u002FiPhone\u002FBlackberry.\u003C\u002Fp>\n\u003Cp>If you are security aware, you may already have the Google Authenticator app installed on your smartphone, using it for two-factor authentication on Gmail\u002FDropbox\u002FLastpass\u002FAmazon etc.\u003C\u002Fp>\n\u003Cp>The two-factor authentication requirement can be enabled on a per-user basis. You could enable it for your administrator account, but log in as usual with less privileged accounts.\u003C\u002Fp>\n\u003Cp>If You need to maintain your blog using an Android\u002FiPhone app, or any other software using the XMLRPC interface, you can enable the App password feature in this plugin,\u003Cbr \u002F>\nbut please note that enabling the App password feature will make your blog less secure.\u003C\u002Fp>\n\u003Ch3>Credits\u003C\u002Fh3>\n\u003Cp>Thanks to:\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fprofiles.wordpress.org\u002Fevinak\u002F\" rel=\"nofollow ugc\">Oleksiy\u003C\u002Fa> for a bugfix in multisite.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fpancek\" rel=\"nofollow ugc\">Paweł Nowacki\u003C\u002Fa> for the Polish translation\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002FFabioZumbi12\" rel=\"nofollow ugc\">Fabio Zumbi\u003C\u002Fa> for the Portuguese translation\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fwww.guidoschalkx.com\u002F\" rel=\"nofollow ugc\">Guido Schalkx\u003C\u002Fa> for the Dutch translation.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fwww.paypal.com\u002Fcgi-bin\u002Fwebscr?cmd=_donations&business=henrik%40schack%2edk&lc=US&item_name=Google%20Authenticator&item_number=Google%20Authenticator&no_shipping=0&no_note=1&tax=0&bn=PP%2dDonationsBF&charset=UTF%2d8\" rel=\"nofollow ugc\">Henrik.Schack\u003C\u002Fa> for writing\u002Fmaintaining versions 0.20 through 0.48\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Ftobias.baethge.com\u002F\" rel=\"nofollow ugc\">Tobias Bäthge\u003C\u002Fa> for his code rewrite and German translation.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Fblog.pcode.nl\u002F\" rel=\"nofollow ugc\">Pascal de Bruijn\u003C\u002Fa> for his “relaxed mode” idea.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Ftechnobabbl.es\u002F\" rel=\"nofollow ugc\">Daniel Werl\u003C\u002Fa> for his usability tips.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Fdd32.id.au\u002F\" rel=\"nofollow ugc\">Dion Hulse\u003C\u002Fa> for his bugfixes.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fprofiles.wordpress.org\u002Fusers\u002Faldolat\u002F\" rel=\"nofollow ugc\">Aldo Latino\u003C\u002Fa> for his Italian translation.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Fwww.kaijia.me\u002F\" rel=\"nofollow ugc\">Kaijia Feng\u003C\u002Fa> for his Simplified Chinese translation.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Fwww.buayacorp.com\u002F\" rel=\"nofollow ugc\">Alex Concha\u003C\u002Fa> for his security tips.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Fjetienne.com\u002F\" rel=\"nofollow ugc\">Jerome Etienne\u003C\u002Fa> for his jquery-qrcode plugin.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Forizhial.com\u002F\" rel=\"nofollow ugc\">Sébastien Prunier\u003C\u002Fa> for his Spanish and French translation.\u003C\u002Fp>\n","Google Authenticator for your WordPress blog.",20000,687508,86,134,"2022-07-04T04:55:00.000Z","6.0.11","4.5",[20,21,22,23,24],"https:\u002F\u002Fgithub.com\u002Fivankruchkoff\u002Fgoogle-authenticator","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgoogle-authenticator.0.54.zip","2016-04-28 00:00:00",{"slug":57,"name":58,"version":59,"author":60,"author_profile":61,"description":62,"short_description":63,"active_installs":64,"downloaded":65,"rating":66,"num_ratings":67,"last_updated":68,"tested_up_to":18,"requires_at_least":17,"requires_php":18,"tags":69,"homepage":71,"download_link":72,"security_score":27,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30},"woo-yubikey","yubikey-plugin","2.3","apb360","https:\u002F\u002Fprofiles.wordpress.org\u002Fapb360\u002F","\u003Cp>This is a plugin for WordPress that provides multifactor authentication with one-time passwords using the \u003Ca href=\"http:\u002F\u002Fwww.yubico.com\u002F\" rel=\"nofollow ugc\">Yubikey USB token\u003C\u002Fa>.\u003Cbr \u002F>\nThe plugin uses the Yubico Web service API in the authentication process.\u003Cbr \u002F>\nThe one-time password requirement can be enabled on a per user basis.\u003C\u002Fp>\n","Enhanced Login Security for Your Wordpress blog.",400,6252,76,9,"2019-02-04T18:57:00.000Z",[20,21,23,24,70],"yubikey","https:\u002F\u002Fapb360.com\u002Fyubikey-plugin\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoo-yubikey.zip",{"slug":74,"name":75,"version":76,"author":77,"author_profile":78,"description":79,"short_description":80,"active_installs":33,"downloaded":81,"rating":82,"num_ratings":14,"last_updated":83,"tested_up_to":84,"requires_at_least":85,"requires_php":86,"tags":87,"homepage":18,"download_link":90,"security_score":13,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30},"email-otp-login","Email OTP Login","1.0.0","Tushar Sharma","https:\u002F\u002Fprofiles.wordpress.org\u002Fricheal\u002F","\u003Cp>Email OTP Login adds an additional layer of security to your WordPress site by requiring users to verify an OTP sent to their email after entering their username and password. This ensures that only users with access to the registered email can log in.\u003C\u002Fp>\n\u003Cp>Features:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Email OTP verification during \u003Cstrong>login\u003C\u002Fstrong>.\u003C\u002Fli>\n\u003Cli>OTP expires in 5 minutes (configurable).\u003C\u002Fli>\n\u003Cli>OTP stored securely using WordPress password hashing.\u003C\u002Fli>\n\u003Cli>Works with the default WordPress login form.\u003C\u002Fli>\n\u003Cli>Uses WordPress built-in \u003Ccode>wp_mail()\u003C\u002Fcode> function (works with SMTP plugins).\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>This plugin does \u003Cstrong>not modify WordPress core files\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Ch3>License\u003C\u002Fh3>\n\u003Cp>This plugin is free software: you can redistribute it and\u002For modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 2 or later.\u003C\u002Fp>\n\u003Cp>This plugin is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.\u003C\u002Fp>\n","Adds OTP (One-Time Password) verification after login for enhanced security in WordPress. OTP is sent to the user's email.",403,60,"2025-08-29T18:30:00.000Z","6.8.5","6.3","7.4",[88,21,22,24,89],"email-verification","two-factor-authentication","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Femail-otp-login.1.0.0.zip",{"slug":92,"name":93,"version":94,"author":95,"author_profile":96,"description":97,"short_description":98,"active_installs":11,"downloaded":99,"rating":13,"num_ratings":14,"last_updated":100,"tested_up_to":101,"requires_at_least":102,"requires_php":103,"tags":104,"homepage":107,"download_link":108,"security_score":27,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30},"magiclabs","Login by Magic","1.0.4","Magic","https:\u002F\u002Fprofiles.wordpress.org\u002Fmagiclabs\u002F","\u003Cp>This plugin replaces the standard WordPress login form with one powered by \u003Ca href=\"https:\u002F\u002Fmagic.link\" rel=\"nofollow ugc\">Magic\u003C\u002Fa> that enables passwordless email magic link login.\u003C\u002Fp>\n\u003Cp>Magic offers passwordless authentication and cryptographically secured user identity to your applications. With just a few lines of code, your application’s security is instantaneously upgraded, and your end users can enjoy a future-proof and blockchain-enabled login solution.\u003C\u002Fp>\n\u003Cp>Visit \u003Ca href=\"https:\u002F\u002Fmagic.link\" rel=\"nofollow ugc\">https:\u002F\u002Fmagic.link\u003C\u002Fa> to learn more.\u003C\u002Fp>\n","Login by Magic plugin replaces the standard WordPress login form with one powered by Magic that enables passwordless email magic link login.",2392,"2022-08-29T22:06:00.000Z","5.8.13","5.5.1","7.3",[20,21,105,106,24],"magiclink","passwordless","https:\u002F\u002Fgithub.com\u002Fmagiclabs\u002Fwp-magic","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmagiclabs.zip",{"slug":110,"name":111,"version":112,"author":113,"author_profile":114,"description":115,"short_description":116,"active_installs":117,"downloaded":118,"rating":28,"num_ratings":28,"last_updated":119,"tested_up_to":120,"requires_at_least":51,"requires_php":121,"tags":122,"homepage":124,"download_link":125,"security_score":27,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30},"passclip-auth-for-wordpress","PassClip Auth for WordPress","1.0.5","Passlogy","https:\u002F\u002Fprofiles.wordpress.org\u002Fpasslogy\u002F","\u003Cp>You need strong password to protect your site. However, how do you remember it or is it really strong?\u003Cbr \u002F>\n“PassClip Auth” provides really strong password that is also easy to remember.\u003Cbr \u002F>\nOnce you make your “pattern”, you can get your password using “PassClip”. And the password will change every 30 seconds(at the shortest).\u003C\u002Fp>\n\u003Ch4>Get and sign up for PassClip\u003C\u002Fh4>\n\u003Col>\n\u003Cli>Go to \u003Ca href=\"https:\u002F\u002Fwww.passclip.com\u002F\" rel=\"nofollow ugc\">the page about PassClip\u003C\u002Fa> and install PassClip on your smart phone.\u003C\u002Fli>\n\u003Cli>Activate your PassClip by registering your “pattern” and email address.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch4>Sign up for PassClip Auth(PCA)\u003C\u002Fh4>\n\u003Col>\n\u003Cli>Input PassClip Code “paauth” in your PassClip. That makes a new slot in your PassClip.\u003C\u002Fli>\n\u003Cli>Go to \u003Ca href=\"https:\u002F\u002Fmember.passclip.com\u002Fmember\u002Fui\u002F\" rel=\"nofollow ugc\">PassClip Auth member’s page\u003C\u002Fa> and log in with your email address and password which the slot shows you.\u003C\u002Fli>\n\u003Cli>Make your “PassClip Code”. And then you get your “PassClip Auth app service id(PCA app service id)”. You need both “code” and “id” to use this plugin.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch4>How to apply PassClip Auth to your site\u003C\u002Fh4>\n\u003Col>\n\u003Cli>Install and activate this plugin to your WordPress.\u003C\u002Fli>\n\u003Cli>Go to PassClip Auth Options Setting from the menu.\u003C\u002Fli>\n\u003Cli>Input the PassClip Auth app service id(PCA app service id), PassClip Code and other items in the setting page and click the “Save Change” button.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch4>How to log in to WordPress site with PassClip Auth\u003C\u002Fh4>\n\u003Col>\n\u003Cli>Users register PassClip Code of your site in their PassClip. That makes a new slot to get password to log in to your site.\u003C\u002Fli>\n\u003Cli>Show the password in PassClip (tap the new slot).\u003C\u002Fli>\n\u003Cli>In login form of your site, users enter email address and password in the slot. (\u003Cstrong>Users do not need general WordPress password.\u003C\u002Fstrong>)\u003C\u002Fli>\n\u003Cli>Click the “Log in” button.\u003C\u002Fli>\n\u003C\u002Fol>\n","\"PassClip Auth\" provides strong and easy authentication. \"PassClip Auth for WordPress\" is the plugin to launch PassClip Auth to Wo &hellip;",10,2199,"2019-12-27T07:42:00.000Z","5.3.21","5.3.3",[123,21,22,24,89],"2fa","https:\u002F\u002Fwww.passclip.com\u002Fja\u002Fpca\u002Fpca_for_wp\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpassclip-auth-for-wordpress.1.0.6.zip",{"attackSurface":127,"codeSignals":174,"taintFlows":223,"riskAssessment":241,"analyzedAt":247},{"hooks":128,"ajaxHandlers":164,"restRoutes":171,"shortcodes":172,"cronEvents":173,"entryPointCount":14,"unprotectedCount":28},[129,134,138,142,148,151,154,157,160],{"type":130,"name":131,"callback":131,"file":132,"line":133},"action","init","google-authenticator.php",55,{"type":130,"name":135,"callback":136,"file":132,"line":137},"login_form","loginform",64,{"type":130,"name":139,"callback":140,"file":132,"line":141},"login_footer","loginfooter",65,{"type":143,"name":144,"callback":145,"priority":146,"file":132,"line":147},"filter","authenticate","check_otp",50,66,{"type":130,"name":149,"callback":149,"file":132,"line":150},"personal_options_update",72,{"type":130,"name":152,"callback":152,"file":132,"line":153},"profile_personal_options",73,{"type":130,"name":155,"callback":155,"file":132,"line":156},"edit_user_profile",74,{"type":130,"name":158,"callback":158,"file":132,"line":159},"edit_user_profile_update",75,{"type":130,"name":161,"callback":162,"file":132,"line":163},"admin_enqueue_scripts","add_qrcode_script",77,[165],{"action":166,"nopriv":167,"callback":168,"hasNonce":169,"hasCapCheck":167,"file":132,"line":170},"Token2HWTokens_action",false,"ajax_callback",true,69,[],[],[],{"dangerousFunctions":175,"sqlUsage":176,"outputEscaping":178,"fileOperations":28,"externalRequests":28,"nonceChecks":14,"capabilityChecks":28,"bundledLibraries":222},[],{"prepared":28,"raw":28,"locations":177},[],{"escaped":179,"rawEcho":11,"locations":180},2,[181,184,186,188,190,192,194,196,198,200,202,204,206,208,210,212,214,216,218,220],{"file":132,"line":182,"context":183},168,"raw output",{"file":132,"line":185,"context":183},279,{"file":132,"line":187,"context":183},284,{"file":132,"line":189,"context":183},286,{"file":132,"line":191,"context":183},292,{"file":132,"line":193,"context":183},294,{"file":132,"line":195,"context":183},301,{"file":132,"line":197,"context":183},303,{"file":132,"line":199,"context":183},305,{"file":132,"line":201,"context":183},314,{"file":132,"line":203,"context":183},323,{"file":132,"line":205,"context":183},325,{"file":132,"line":207,"context":183},460,{"file":132,"line":209,"context":183},467,{"file":132,"line":211,"context":183},469,{"file":132,"line":213,"context":183},475,{"file":132,"line":215,"context":183},477,{"file":132,"line":217,"context":183},483,{"file":132,"line":219,"context":183},485,{"file":132,"line":221,"context":183},559,[],[224],{"entryPoint":225,"graph":226,"unsanitizedCount":28,"severity":240},"\u003Cgoogle-authenticator> (google-authenticator.php:0)",{"nodes":227,"edges":238},[228,233],{"id":229,"type":230,"label":231,"file":132,"line":232},"n0","source","$_POST (x2)",407,{"id":234,"type":235,"label":236,"file":132,"line":211,"wp_function":237},"n1","sink","echo() [XSS]","echo",[239],{"from":229,"to":234,"sanitized":169},"low",{"summary":242,"deductions":243},"The token2-hardware-tokens v0.1 plugin exhibits a generally good security posture in its static analysis. The complete absence of raw SQL queries, file operations, external HTTP requests, and dangerous functions is commendable. The presence of a nonce check on its single AJAX handler, coupled with the lack of reported vulnerabilities in its history, suggests a conscientious development approach.  However, a significant concern arises from the low percentage of properly escaped output. With only 9% of 22 outputs being properly escaped, this leaves a substantial portion vulnerable to Cross-Site Scripting (XSS) attacks. While taint analysis shows no critical or high-severity flows, the unescaped outputs represent a tangible risk that could be exploited if an attacker can inject malicious scripts into data that is then displayed to users. The plugin's overall security is decent due to the lack of historical issues and secure database handling, but the XSS potential is a notable weakness that requires attention.",[244],{"reason":245,"points":246},"Low percentage of properly escaped output",15,"2026-03-16T22:52:24.735Z",{"wat":249,"direct":255},{"assetPaths":250,"generatorPatterns":252,"scriptPaths":253,"versionParams":254},[251],"\u002Fwp-content\u002Fplugins\u002Ftoken2-hardware-tokens\u002Fjquery.qrcode.min.js",[],[251],[],{"cssClasses":256,"htmlComments":257,"htmlAttributes":258,"restEndpoints":262,"jsGlobals":263,"shortcodeOutput":264},[],[],[259,260,261],"id=\"user_email\"","name=\"googleotp\"","autocomplete=\"off\"",[],[],[]]