WP-Safety

User Login History Security & Risk Analysis

wordpress.org/plugins/user-login-history

Helps you to know your website's visitors by tracking their login related information like login/logout time, country, browser and many more.

10K active installs v2.1.8 PHP 7.4+ WP 6.2+ Updated Mar 17, 2026
brute-forcehistorylogin-activitylogin-loglogin-tacker
95
A · Safe
CVEs total4
Unpatched0
Last CVEMay 7, 2025
Plugin page Download
Safety Verdict

Is User Login History Safe to Use in 2026?

Generally Safe

Score 95/100

User Login History has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

4 known CVEsLast CVE: May 7, 2025Updated 2mo ago
Risk Assessment

The 'user-login-history' plugin v2.1.8 exhibits a generally strong security posture based on the static analysis. The code demonstrates excellent practices regarding SQL query handling, with 100% of queries using prepared statements, and robust output escaping, with 100% of outputs properly escaped. The absence of critical or high severity taint flows is also a positive indicator. The plugin also correctly implements nonce and capability checks for its identified entry points, which are limited to a single shortcode.

However, the plugin's vulnerability history presents a significant concern. With a total of 4 known CVEs, including 2 high and 2 medium severity vulnerabilities, it indicates a recurring pattern of security weaknesses. The common vulnerability types being SQL Injection and Cross-site Scripting, despite the static analysis suggesting preparedness in these areas for the current version, highlight past issues that could potentially re-emerge or be introduced in future updates if not meticulously addressed. The most recent vulnerability being in 2025 suggests a recent history of security flaws.

In conclusion, while the current version of the plugin is technically well-implemented with good coding practices for data handling and input validation, the historical record of numerous past vulnerabilities, particularly those of high severity, necessitates caution. Users should remain vigilant about future updates and monitor for any newly disclosed vulnerabilities. The plugin's strengths lie in its current secure coding practices, but its weakness is the demonstrated historical tendency for security flaws.

Key Concerns

  • Multiple high/medium severity historical CVEs
  • 2 High severity known CVEs (unpatched)
  • 2 Medium severity known CVEs (unpatched)
Vulnerabilities
4 published

User Login History Security Vulnerabilities

CVEs by Year

1 CVE in 2017
2017
2 CVEs in 2019
2019
1 CVE in 2025
2025
Patched Has unpatched

Severity Breakdown

High
2
Medium
2

4 total CVEs

CVE-2025-47676medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

User Login History <= 2.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

May 7, 2025 Patched in 2.1.7 (42d)
WF-2c25a344-4876-4ba8-bbc6-d1a32f4b1d08-user-login-historyhigh · 8.8Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

User Login History <= 1.7.0 - SQL Injection via Order By

Mar 16, 2019 Patched in 1.7.1 (1774d)
WF-6fb2d9ec-1082-4209-9fc9-6f10ba3a2398-user-login-historyhigh · 8.8Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

User Login History <= 1.7.0 - SQL Injection via OrderBy

Mar 16, 2019 Patched in 1.7.1 (1774d)
CVE-2017-15867medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

User Login History Plugin <= 1.5.2 - Cross-Site Scripting

Oct 26, 2017 Patched in 1.6 (2280d)
Version History

User Login History Release Timeline

v2.1.8Current
v2.1.7
v2.1.61 CVE
CVE-2025-47676
v2.1.51 CVE
CVE-2025-47676
v2.1.41 CVE
CVE-2025-47676
v2.1.31 CVE
CVE-2025-47676
v2.1.21 CVE
CVE-2025-47676
v2.1.11 CVE
CVE-2025-47676
v2.1.01 CVE
CVE-2025-47676
v2.0.21 CVE
CVE-2025-47676
v2.0.11 CVE
CVE-2025-47676
v2.0.01 CVE
CVE-2025-47676
v1.7.41 CVE
CVE-2025-47676
v1.7.31 CVE
CVE-2025-47676
v1.7.21 CVE
CVE-2025-47676
v1.7.11 CVE
CVE-2025-47676
v1.7.03 CVEs
WF-2c25a344-4876-4ba8-bbc6-d1a32f4b1d08-user-login-history WF-6fb2d9ec-1082-4209-9fc9-6f10ba3a2398-user-login-history CVE-2025-47676
Code Analysis
Analyzed Apr 16, 2026

User Login History Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
25 prepared
Unescaped Output
1
460 escaped
Nonce Checks
7
Capability Checks
8
File Operations
2
External Requests
1
Bundled Libraries
0

SQL Query Safety

100% prepared25 total queries

Output Escaping

100% escaped461 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

5 flows
<class-admin-login-list-table> (inc/admin/class-admin-login-list-table.php:0)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

User Login History Attack Surface

Entry Points1
Unprotected0

Shortcodes 1

[user_login_history] inc/core/class-init.php:159
WordPress Hooks 30
actionadmin_enqueue_scriptsinc/admin/class-settings-api.php:35
actionwp_insert_siteinc/core/class-init.php:104
actionwp_delete_siteinc/core/class-init.php:105
actionadmin_initinc/core/class-init.php:113
actionadmin_initinc/core/class-init.php:114
actionadmin_initinc/core/class-init.php:118
actionadmin_enqueue_scriptsinc/core/class-init.php:121
actionadmin_enqueue_scriptsinc/core/class-init.php:122
actionadmin_menuinc/core/class-init.php:123
actionnetwork_admin_menuinc/core/class-init.php:124
filterset-screen-optioninc/core/class-init.php:125
actionadmin_noticesinc/core/class-init.php:127
actionnetwork_admin_noticesinc/core/class-init.php:128
actionset_logged_in_cookieinc/core/class-init.php:130
actionwp_login_failedinc/core/class-init.php:131
actionwp_logoutinc/core/class-init.php:132
actioninitinc/core/class-init.php:133
actionattach_session_informationinc/core/class-init.php:134
actionadmin_initinc/core/class-init.php:136
actionadmin_menuinc/core/class-init.php:137
actioninitinc/core/class-init.php:139
actionshow_user_profileinc/core/class-init.php:140
actionedit_user_profileinc/core/class-init.php:141
actionpersonal_options_updateinc/core/class-init.php:142
actionedit_user_profile_updateinc/core/class-init.php:143
actionnetwork_admin_menuinc/core/class-init.php:145
actionwp_enqueue_scriptsinc/core/class-init.php:160
actionwp_enqueue_scriptsinc/core/class-init.php:161
actioninitinc/core/class-init.php:163
actioninitinc/core/class-init.php:164
Maintenance & Trust

User Login History Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedMar 17, 2026
PHP min version7.4
Downloads277K

Community Trust

Rating92/100
Number of ratings28
Active installs10K
Alternatives

User Login History Alternatives

Joe's Recent Users Activity

Joe's Recent Users Activity

joes-recent-users-activity

A
100

A mobile-responsive plugin showing the last 100 logged-in users & their last page in admin via a 'Recent Activity' menu.

0 No CVEs
WP Users Login History

WP Users Login History

wp-users-login-history

A
85

Track website's users by their login related information like Last login Date/Time, Environment/Server IP address,Country/City/Continent/Timezone &hellip;

70 No CVEs
Limit Login Attempts Reloaded – Login Security, 2FA, Brute Force Protection & Firewall

Limit Login Attempts Reloaded – Login Security, 2FA, Brute Force Protection & Firewall

limit-login-attempts-reloaded

A
98

Stop password guessing attacks, secure WooCommerce, block bad IPs, block by countries (Pro), and add email 2FA. Lightweight with better performance.

2.0M 4 CVEs
Solid Security – Password, Two Factor Authentication, and Brute Force Protection

Solid Security – Password, Two Factor Authentication, and Brute Force Protection

better-wp-security

A
93

Harden your site security with Login Security, Two-Factor Authentication (2FA), Vulnerability Scanner, Firewall, and more. Formerly iThemes Security.

700K 19 CVEs
Simple History – Track, Log, and Audit WordPress Changes

Simple History – Track, Log, and Audit WordPress Changes

simple-history

A
95

Track changes and user activities on your WordPress site. See who created a page, uploaded an attachment, and more, for a complete audit trail.

300K 5 CVEs
Developer Profile

User Login History Developer Profile

Faiyaz Alam

1 plugin · 10K total installs

76
trust score
Avg Security Score
95/100
Avg Patch Time
1468 days
View full developer profile
Detection Fingerprints

How We Detect User Login History

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/user-login-history/inc/admin/js/admin.js/wp-content/plugins/user-login-history/inc/admin/css/admin.css/wp-content/plugins/user-login-history/inc/admin/css/listing.css/wp-content/plugins/user-login-history/inc/admin/css/user-profile.css/wp-content/plugins/user-login-history/inc/admin/css/settings.css/wp-content/plugins/user-login-history/inc/admin/js/user-profile.js/wp-content/plugins/user-login-history/inc/admin/js/settings.js
Script Paths
/wp-content/plugins/user-login-history/inc/admin/js/admin.js/wp-content/plugins/user-login-history/inc/admin/js/user-profile.js/wp-content/plugins/user-login-history/inc/admin/js/settings.js
Version Parameters
user-login-history/inc/admin/js/admin.js?ver=user-login-history/inc/admin/css/admin.css?ver=user-login-history/inc/admin/css/listing.css?ver=user-login-history/inc/admin/css/user-profile.css?ver=user-login-history/inc/admin/css/settings.css?ver=user-login-history/inc/admin/js/user-profile.js?ver=user-login-history/inc/admin/js/settings.js?ver=

HTML / DOM Fingerprints

CSS Classes
fa-user-login-history-wrapfaulh-settings-wrapfaulh-form-fieldfaulh-checkboxfaulh-text-inputfaulh-selectfaulh-submit-buttonfaulh-user-profile-wrapper+2 more
HTML Comments
Plugin ConstantsAutoload ClassesRegister Activation and Deactivation HooksThe code that runs during plugin deactivation.+64 more
Data Attributes
data-plugin-namedata-plugin-versiondata-action-urldata-ajax-urldata-noncedata-delete-nonce+4 more
JS Globals
admin_custom_objectuser_profile_custom_objectsettings_custom_object
REST Endpoints
/wp-json/user-login-history/v1/login/wp-json/user-login-history/v1/logout/wp-json/user-login-history/v1/get-login-history/wp-json/user-login-history/v1/delete-login-entry/wp-json/user-login-history/v1/bulk-delete-login-entries/wp-json/user-login-history/v1/reset-login-history/wp-json/user-login-history/v1/user-profile-settings/wp-json/user-login-history/v1/get-settings/wp-json/user-login-history/v1/update-settings
FAQ

Frequently Asked Questions about User Login History