[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fMbEizIEB9tzJY9ndZNE0Hw_zIpIdrhrtBdLmVjsRZz8":3,"$fkvqRSS4HUB1ebHFh5YnivM4_KCxF6HOX8cWpYTlFqgo":174,"$fS2liTIg9sf8pDmUCEaNGNyRFpCEvw2yyNJWLH-QfcVo":179},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":11,"num_ratings":11,"last_updated":13,"tested_up_to":14,"requires_at_least":15,"requires_php":16,"tags":17,"homepage":23,"download_link":24,"security_score":25,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":27,"discovery_status":28,"vulnerabilities":29,"developer":30,"crawl_stats":26,"alternatives":35,"analysis":120,"fingerprints":158},"twelve-legs-marketing-sso","Twelve Legs Marketing SSO","1.0.2","websitetwelvelegsmarketing","https:\u002F\u002Fprofiles.wordpress.org\u002Fwebsitetwelvelegsmarketing\u002F","\u003Cp>TWL SSO is a secure single sign-on plugin for WordPress that enables seamless authentication using RS256 JWT tokens from an external SSO application.\u003Cbr \u002F>\nThis plugin provides login security features and is designed for allowing Twelve Legs Marketing centralized authentication management.\u003C\u002Fp>\n\u003Ch4>Key Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Single Sign In\u003C\u002Fstrong>: Agency employees can log into websites they manage from a central dashboard.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Just-in-Time User Provisioning\u003C\u002Fstrong>: Automatic user creation and role assignment\u003C\u002Fli>\n\u003Cli>\u003Cstrong>JWT Validation\u003C\u002Fstrong>: Full RS256 signature verification with JWKS endpoint integration\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Key Rotation\u003C\u002Fstrong>: Support key rotation through JWKS endpoint\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Role Management\u003C\u002Fstrong>: Flexible role assignment from JWT claims\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Referrer Validation\u003C\u002Fstrong>: Enhanced security through referrer validation\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Audience Validation\u003C\u002Fstrong>: Ensures tokens are valid for the specific WordPress site\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Expiration\u003C\u002Fstrong>: Built-in token expiration and clock skew tolerance\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Email Validation\u003C\u002Fstrong>: Comprehensive email validation with optional allowlist\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Caching\u003C\u002Fstrong>: JWKS caching for improved performance\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Security Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Referrer validation to prevent unauthorized access\u003C\u002Fli>\n\u003Cli>JWT signature verification using public key cryptography\u003C\u002Fli>\n\u003Cli>Issuer validation to ensure tokens come from trusted sources\u003C\u002Fli>\n\u003Cli>Audience validation to prevent token reuse across sites\u003C\u002Fli>\n\u003Cli>Token expiration validation with configurable leeway\u003C\u002Fli>\n\u003Cli>Email format validation and filtering via hook\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Use Cases\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>WordPress installations managed centrally by agency\u003C\u002Fli>\n\u003Cli>Organization using Google for external identity provider\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Usage\u003C\u002Fh3>\n\u003Ch4>Authentication Flow\u003C\u002Fh4>\n\u003Col>\n\u003Cli>User clicks login link from SSO application sso.twelvelegsmarketing.com\u003C\u002Fli>\n\u003Cli>SSO application redirects to WordPress with JWT token: \u003Ccode>\u002Fwp-login.php?action=twl_sso&token=JWT_TOKEN\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>Plugin validates the JWT token signature and claims\u003C\u002Fli>\n\u003Cli>Plugin extracts user information from JWT claims\u003C\u002Fli>\n\u003Cli>Plugin creates or retrieves WordPress user\u003C\u002Fli>\n\u003Cli>Plugin assigns appropriate role based on JWT claims\u003C\u002Fli>\n\u003Cli>User is logged into WordPress\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch4>JWT Claims\u003C\u002Fh4>\n\u003Cp>The plugin expects the following JWT claims:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ccode>email\u003C\u002Fcode> or \u003Ccode>sub\u003C\u002Fcode>: User’s email address\u003C\u002Fli>\n\u003Cli>\u003Ccode>iss\u003C\u002Fcode>: Issuer (must match allowed issuers)\u003C\u002Fli>\n\u003Cli>\u003Ccode>aud\u003C\u002Fcode>: Audience (must match WordPress site URL)\u003C\u002Fli>\n\u003Cli>\u003Ccode>exp\u003C\u002Fcode>: Expiration time\u003C\u002Fli>\n\u003Cli>\u003Ccode>nbf\u003C\u002Fcode>: Not before time (optional)\u003C\u002Fli>\n\u003Cli>\u003Ccode>wp_role\u003C\u002Fcode>: WordPress role to assign (optional)\u003C\u002Fli>\n\u003Cli>\u003Ccode>name\u003C\u002Fcode>: User’s display name (optional)\u003C\u002Fli>\n\u003Cli>\u003Ccode>given_name\u003C\u002Fcode>: User’s first name (optional)\u003C\u002Fli>\n\u003Cli>\u003Ccode>family_name\u003C\u002Fcode>: User’s last name (optional)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Configuration\u003C\u002Fh4>\n\u003Cp>The plugin automatically configures itself based on the WordPress environment:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Production\u003C\u002Fstrong>: Only allows \u003Ccode>https:\u002F\u002Fsso.twelvelegsmarketing.com\u003C\u002Fcode> as issuer\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Development\u002FStaging\u003C\u002Fstrong>: Also allows \u003Ccode>https:\u002F\u002Flocalhost:8443\u003C\u002Fcode> as issuer\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Customization\u003C\u002Fh4>\n\u003Cp>You can customize the plugin behavior using WordPress filters:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ccode>twl_sso_allow_email\u003C\u002Fcode>: Filter to control which email addresses are allowed\u003C\u002Fli>\n\u003Cli>\u003Ccode>twl_sso_allowed_roles\u003C\u002Fcode>: Filter to control which roles can be assigned\u003C\u002Fli>\n\u003Cli>\u003Ccode>twl_sso_allowed_issuers\u003C\u002Fcode>: Filter to control which issuers are allowed\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Support\u003C\u002Fh3>\n\u003Cp>For support, please contact Twelve Legs Marketing at https:\u002F\u002Ftwelvelegsmarketing.com\u003C\u002Fp>\n\u003Ch3>Privacy Policy\u003C\u002Fh3>\n\u003Cp>This plugin does not collect, store, or transmit any personal data. All authentication is handled through secure JWT tokens from your configured SSO provider.\u003C\u002Fp>\n","Single sign-on plugin for WordPress that accepts RS256 JWTs from the TWL SSO application for secure authentication.",0,202,"2025-10-22T14:34:00.000Z","6.8.5","5.8","8.0",[18,19,20,21,22],"authentication","jwt","login","single-sign-on","sso","","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftwelve-legs-marketing-sso.1.0.2.zip",100,null,"2026-04-06T09:54:40.288Z","no_bundle",[],{"slug":7,"display_name":7,"profile_url":8,"plugin_count":31,"total_installs":11,"avg_security_score":25,"avg_patch_time_days":32,"trust_score":33,"computed_at":34},1,30,94,"2026-05-20T00:17:53.500Z",[36,55,73,89,105],{"slug":37,"name":38,"version":39,"author":40,"author_profile":41,"description":42,"short_description":43,"active_installs":44,"downloaded":45,"rating":11,"num_ratings":11,"last_updated":46,"tested_up_to":47,"requires_at_least":48,"requires_php":49,"tags":50,"homepage":23,"download_link":52,"security_score":53,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":54},"ah-jwt-auth","AH JWT Auth","1.5.4","andrewheberle","https:\u002F\u002Fprofiles.wordpress.org\u002Fandrewheberle\u002F","\u003Cp>This plugin allows sign in to WordPress using a JSON Web Token (JWT) contained in a HTTP Header that is added by a reverse proxy\u003Cbr \u002F>\nthat sits in front of your WordPress deployment.\u003C\u002Fp>\n\u003Cp>Authentication and optionally role assignment is handled by claims contained in the JWT.\u003C\u002Fp>\n\u003Cp>Verification of the JWT is handled by either:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>a shared secret key\u003C\u002Fli>\n\u003Cli>retrieving a JSON Web Key Set (JWKS) from a configured URL\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>During the login process if the user does not exist an account will be created with a matching role from the JWT.\u003C\u002Fp>\n\u003Cp>If the JWT did not contain a role claim then user is created with the role set in the plugin settings (by default this is the subscriber role).\u003C\u002Fp>\n","This plugin allows sign in to WordPress using a JSON Web Token (JWT) contained in a HTTP Header.",10,2435,"2025-03-05T04:43:00.000Z","6.7.5","4.7","7.0",[51,18,19,20,22],"auth","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fah-jwt-auth.1.5.4.zip",92,"2026-03-15T15:16:48.613Z",{"slug":56,"name":57,"version":58,"author":59,"author_profile":60,"description":61,"short_description":62,"active_installs":44,"downloaded":63,"rating":11,"num_ratings":11,"last_updated":64,"tested_up_to":65,"requires_at_least":66,"requires_php":23,"tags":67,"homepage":69,"download_link":70,"security_score":71,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":72},"jwt-authenticator","JWT Authenticator","1.1","Shawn","https:\u002F\u002Fprofiles.wordpress.org\u002Fshawnxlw\u002F","\u003Cp>This plugin integrates JWT authentication and automates user creation. The plugin is written for AAF Rapid Connect, but can be used for other providers too.\u003C\u002Fp>\n\u003Cp>Here is how this plugin works:\u003C\u002Fp>\n\u003Col>\n\u003Cli>Generate a secrete key with command: tr -dc ‘[[:alnum:][:punct:]]’ \u003C \u002Fdev\u002Furandom | head -c32 ;echo\u003C\u002Fli>\n\u003Cli>Register the key and call back URL http:\u002F\u002Fyoursite.com\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Fcallback with your authentication provider.\u003C\u002Fli>\n\u003Cli>Specify authentication and user creation parameters. Those marked with * are required.\u003C\u002Fli>\n\u003C\u002Fol>\n","This plugin integrates JWT authentication and automates user creation.",1727,"2016-12-01T17:58:00.000Z","4.6.30","3.2",[18,19,20,22,68],"token","https:\u002F\u002Fshawnwang.net","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fjwt-authenticator.zip",85,"2026-04-16T10:56:18.058Z",{"slug":74,"name":75,"version":76,"author":77,"author_profile":78,"description":79,"short_description":80,"active_installs":11,"downloaded":81,"rating":25,"num_ratings":31,"last_updated":82,"tested_up_to":14,"requires_at_least":83,"requires_php":84,"tags":85,"homepage":87,"download_link":88,"security_score":53,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":27},"frontegg-saml-sso","Frontegg SAML SSO","1.0.1","Frontegg","https:\u002F\u002Fprofiles.wordpress.org\u002Ffrontegg\u002F","\u003Cp>Frontegg SAML SSO replaces the default WordPress login and logout experiences with seamless SAML authentication via \u003Ca href=\"https:\u002F\u002Ffrontegg.com\" rel=\"nofollow ugc\">Frontegg\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>This plugin is designed for modern SaaS and enterprise WordPress environments where you need to enforce login via an external identity provider (IdP).\u003C\u002Fp>\n\u003Cp>It includes:\u003Cbr \u002F>\n– 🔐 Secure SAML 2.0 login and logout\u003Cbr \u002F>\n– 📋 Admin-friendly configuration of SSO URLs and certificate\u003Cbr \u002F>\n– 📎 Auto-generated SP (Service Provider) values (Entity ID, ACS URL, SLO URL)\u003Cbr \u002F>\n– 🧭 Redirect control after logout\u003Cbr \u002F>\n– 🔄 Auto-redirects from \u003Ccode>wp-login.php\u003C\u002Fcode> to Frontegg\u003Cbr \u002F>\n– ✨ Clean and accessible admin UI using native WordPress components\u003C\u002Fp>\n\u003Ch3>License\u003C\u002Fh3>\n\u003Cp>This plugin is licensed under the GPL v2.0 or later. See LICENSE.txt for details.\u003C\u002Fp>\n","Replace the WordPress login and logout flows with secure SAML-based authentication via Frontegg. Easily configure your SSO app from the admin panel.",342,"2025-04-23T23:01:00.000Z","5.0","7.4",[18,20,86,21,22],"saml","https:\u002F\u002Ffrontegg.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffrontegg-saml-sso.zip",{"slug":90,"name":91,"version":92,"author":93,"author_profile":94,"description":95,"short_description":96,"active_installs":11,"downloaded":97,"rating":11,"num_ratings":11,"last_updated":98,"tested_up_to":99,"requires_at_least":100,"requires_php":84,"tags":101,"homepage":103,"download_link":104,"security_score":25,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":72},"tokenlink-sso-login-for-zendesk","TokenLink SSO Login for Zendesk","1.0.9","Jerry Benton","https:\u002F\u002Fprofiles.wordpress.org\u002Fmailborder\u002F","\u003Cp>TokenLink SSO Login for Zendesk allows WordPress site administrators to provide seamless, secure single sign-on (SSO) access to Zendesk using JWT (JSON Web Tokens) authentication.\u003C\u002Fp>\n\u003Cp>This plugin uses the official Firebase PHP-JWT library (BSD 3-Clause licensed, included and updated for WordPress compliance).\u003C\u002Fp>\n\u003Cp>Setup takes less than five minutes using standard WordPress shortcodes — no third-party dependencies, no tracking, no bloat.\u003C\u002Fp>\n\u003Cp>Written by Jerry Benton, the creator of Mailborder and MailScanner v5.\u003C\u002Fp>\n\u003Ch3>License\u003C\u002Fh3>\n\u003Cp>This plugin is licensed under the GPLv3 or later.\u003Cbr \u002F>\nIt includes the Firebase PHP-JWT library, which is licensed under the BSD 3-Clause license.\u003C\u002Fp>\n","Provides secure JWT-based single sign-on (SSO) between WordPress and Zendesk. No third-party plugins, no tracking, no bloat. Totally free.",249,"2026-01-26T21:00:00.000Z","6.9.4","5.5",[19,20,21,22,102],"zendesk","https:\u002F\u002Fwww.mailborder.com\u002Fzendesk-sso-plugin","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftokenlink-sso-login-for-zendesk.1.0.9.zip",{"slug":106,"name":106,"version":107,"author":108,"author_profile":109,"description":110,"short_description":111,"active_installs":11,"downloaded":112,"rating":11,"num_ratings":11,"last_updated":113,"tested_up_to":114,"requires_at_least":115,"requires_php":23,"tags":116,"homepage":23,"download_link":119,"security_score":71,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":72},"wp-sso-client","1.0","MarianoFerro","https:\u002F\u002Fprofiles.wordpress.org\u002Fferromariano-1\u002F","\u003Ch4>Documentacion completa\u003C\u002Fh4>\n\u003Cp>https:\u002F\u002Fgitlab.com\u002Fwp-sso\u002Fwp-sso-client\u003C\u002Fp>\n\u003Ch3>¿ Afectas a las URL ?\u003C\u002Fh3>\n\u003Cp>NO\u003C\u002Fp>\n\u003Ch3>¿ Requiere compartir servidor ?\u003C\u002Fh3>\n\u003Cp>NO\u003C\u002Fp>\n\u003Ch3>¿ Requiere compartir DBS ?\u003C\u002Fh3>\n\u003Cp>NO\u003C\u002Fp>\n\u003Ch3>¿ como lo hace ?\u003C\u002Fh3>\n\u003Cp>El cliente incluye un jsonp el cual le entrega la sobre el usuario, el login y un token. Si el usuario no esta registrado en el WP cliente pero esta logueado en el WP servidor, este pide información al servidor, servidor a servidor, enviando el token. Con la información devuelta comprueba si el usuario esta registrado un usuario en el WP cliente, ( si no está lo registra ) y lo loguea\u003C\u002Fp>\n","Documentacion completa https:\u002F\u002Fgitlab.com\u002Fwp-sso\u002Fwp-sso-client",1081,"2018-02-27T03:55:00.000Z","4.9.29","4.9.2",[18,117,118,21,22],"my-sso","one-login","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-sso-client.zip",{"attackSurface":121,"codeSignals":138,"taintFlows":146,"riskAssessment":147,"analyzedAt":157},{"hooks":122,"ajaxHandlers":134,"restRoutes":135,"shortcodes":136,"cronEvents":137,"entryPointCount":11,"unprotectedCount":11},[123,129],{"type":124,"name":125,"callback":126,"file":127,"line":128},"filter","allowed_redirect_hosts","twl_sso_allowed_redirect_hosts","twelve-legs-marketing-sso.php",114,{"type":130,"name":131,"callback":132,"file":127,"line":133},"action","login_init","twl_sso_handle_login",587,[],[],[],[],{"dangerousFunctions":139,"sqlUsage":140,"outputEscaping":142,"fileOperations":11,"externalRequests":31,"nonceChecks":11,"capabilityChecks":11,"bundledLibraries":145},[],{"prepared":11,"raw":11,"locations":141},[],{"escaped":143,"rawEcho":11,"locations":144},6,[],[],[],{"summary":148,"deductions":149},"The twelve-legs-marketing-sso plugin v1.0.2 exhibits a strong security posture based on the provided static analysis. The absence of any AJAX handlers, REST API routes, shortcodes, or cron events without proper authentication and permission checks, coupled with zero recorded vulnerabilities, is highly commendable. The code signals also indicate good practices with 100% of SQL queries using prepared statements and all output being properly escaped. There are no indications of dangerous functions, file operations, or critical taint flows.  However, the presence of a single external HTTP request without further context raises a slight concern, as it could potentially be a vector for certain types of attacks if not handled securely within the plugin's logic. Additionally, the complete lack of nonce checks and capability checks across all potential entry points (though there are none explicitly identified) signifies a gap in defense-in-depth, which could become a risk if new entry points are added in future versions without these checks. The absence of any vulnerability history is a positive sign, suggesting a history of secure development or minimal exposure to attackers. Overall, this plugin appears to be developed with security in mind, but vigilance regarding external dependencies and the implementation of standard WordPress security features for any future expansion is advised.",[150,153,155],{"reason":151,"points":152},"External HTTP request without auth\u002Fsanitization context",5,{"reason":154,"points":152},"0 Nonce checks found",{"reason":156,"points":152},"0 Capability checks found","2026-03-17T05:53:57.045Z",{"wat":159,"direct":166},{"assetPaths":160,"generatorPatterns":162,"scriptPaths":163,"versionParams":164},[161],"\u002Fwp-content\u002Fplugins\u002Ftwelve-legs-marketing-sso\u002F",[],[],[165],"twelve-legs-marketing-sso\u002Fstyle.css?ver=",{"cssClasses":167,"htmlComments":168,"htmlAttributes":169,"restEndpoints":170,"jsGlobals":172,"shortcodeOutput":173},[],[],[],[171],"\u002F?action=oidc.jwks",[],[],{"error":175,"url":176,"statusCode":177,"statusMessage":178,"message":178},true,"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Ftwelve-legs-marketing-sso\u002Fbundle",404,"no bundle for this plugin yet",{"slug":4,"current_version":6,"total_versions":180,"versions":181},3,[182,188,194],{"version":6,"download_url":24,"svn_tag_url":183,"released_at":26,"has_diff":184,"diff_files_changed":185,"diff_lines":26,"trac_diff_url":186,"vulnerabilities":187,"is_current":175},"https:\u002F\u002Fplugins.svn.wordpress.org\u002Ftwelve-legs-marketing-sso\u002Ftags\u002F1.0.2\u002F",false,[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Ftwelve-legs-marketing-sso%2Ftags%2F1.0.1&new_path=%2Ftwelve-legs-marketing-sso%2Ftags%2F1.0.2",[],{"version":76,"download_url":189,"svn_tag_url":190,"released_at":26,"has_diff":184,"diff_files_changed":191,"diff_lines":26,"trac_diff_url":192,"vulnerabilities":193,"is_current":184},"https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftwelve-legs-marketing-sso.1.0.1.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Ftwelve-legs-marketing-sso\u002Ftags\u002F1.0.1\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Ftwelve-legs-marketing-sso%2Ftags%2F1.0&new_path=%2Ftwelve-legs-marketing-sso%2Ftags%2F1.0.1",[],{"version":107,"download_url":195,"svn_tag_url":196,"released_at":26,"has_diff":184,"diff_files_changed":197,"diff_lines":26,"trac_diff_url":26,"vulnerabilities":198,"is_current":184},"https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftwelve-legs-marketing-sso.1.0.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Ftwelve-legs-marketing-sso\u002Ftags\u002F1.0\u002F",[],[]]