[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fB43qignvkvW175SePGX8UYo9ijeOGbFp3ST9rS6ApKM":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":16,"tags":18,"homepage":24,"download_link":25,"security_score":26,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29,"vulnerabilities":30,"developer":31,"crawl_stats":28,"alternatives":36,"analysis":122,"fingerprints":248},"woo-yubikey","yubikey-plugin","2.3","apb360","https:\u002F\u002Fprofiles.wordpress.org\u002Fapb360\u002F","\u003Cp>This is a plugin for WordPress that provides multifactor authentication with one-time passwords using the \u003Ca href=\"http:\u002F\u002Fwww.yubico.com\u002F\" rel=\"nofollow ugc\">Yubikey USB token\u003C\u002Fa>.\u003Cbr \u002F>\nThe plugin uses the Yubico Web service API in the authentication process.\u003Cbr \u002F>\nThe one-time password requirement can be enabled on a per user basis.\u003C\u002Fp>\n","Enhanced Login Security for Your Wordpress 
blog.",400,6252,76,9,"2019-02-04T18:57:00.000Z","","3.8",[19,20,21,22,23],"authentication","login","password","security","yubikey","https:\u002F\u002Fapb360.com\u002Fyubikey-plugin\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoo-yubikey.zip",85,0,null,"2026-03-15T15:16:48.613Z",[],{"slug":7,"display_name":7,"profile_url":8,"plugin_count":32,"total_installs":11,"avg_security_score":26,"avg_patch_time_days":33,"trust_score":34,"computed_at":35},1,30,84,"2026-04-04T04:25:04.022Z",[37,57,77,91,108],{"slug":38,"name":39,"version":40,"author":41,"author_profile":42,"description":43,"short_description":44,"active_installs":45,"downloaded":46,"rating":47,"num_ratings":48,"last_updated":49,"tested_up_to":50,"requires_at_least":51,"requires_php":16,"tags":52,"homepage":54,"download_link":55,"security_score":26,"vuln_count":32,"unpatched_count":27,"last_vuln_date":56,"fetched_at":29},"google-authenticator","Google Authenticator","0.54","Ivan","https:\u002F\u002Fprofiles.wordpress.org\u002Fivankk\u002F","\u003Cp>The Google Authenticator plugin for WordPress gives you two-factor authentication using the Google Authenticator app for Android\u002FiPhone\u002FBlackberry.\u003C\u002Fp>\n\u003Cp>If you are security aware, you may already have the Google Authenticator app installed on your smartphone, using it for two-factor authentication on Gmail\u002FDropbox\u002FLastpass\u002FAmazon etc.\u003C\u002Fp>\n\u003Cp>The two-factor authentication requirement can be enabled on a per-user basis. 
You could enable it for your administrator account, but log in as usual with less privileged accounts.\u003C\u002Fp>\n\u003Cp>If You need to maintain your blog using an Android\u002FiPhone app, or any other software using the XMLRPC interface, you can enable the App password feature in this plugin,\u003Cbr \u002F>\nbut please note that enabling the App password feature will make your blog less secure.\u003C\u002Fp>\n\u003Ch3>Credits\u003C\u002Fh3>\n\u003Cp>Thanks to:\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fprofiles.wordpress.org\u002Fevinak\u002F\" rel=\"nofollow ugc\">Oleksiy\u003C\u002Fa> for a bugfix in multisite.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fpancek\" rel=\"nofollow ugc\">Paweł Nowacki\u003C\u002Fa> for the Polish translation\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002FFabioZumbi12\" rel=\"nofollow ugc\">Fabio Zumbi\u003C\u002Fa> for the Portuguese translation\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fwww.guidoschalkx.com\u002F\" rel=\"nofollow ugc\">Guido Schalkx\u003C\u002Fa> for the Dutch translation.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fwww.paypal.com\u002Fcgi-bin\u002Fwebscr?cmd=_donations&business=henrik%40schack%2edk&lc=US&item_name=Google%20Authenticator&item_number=Google%20Authenticator&no_shipping=0&no_note=1&tax=0&bn=PP%2dDonationsBF&charset=UTF%2d8\" rel=\"nofollow ugc\">Henrik.Schack\u003C\u002Fa> for writing\u002Fmaintaining versions 0.20 through 0.48\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Ftobias.baethge.com\u002F\" rel=\"nofollow ugc\">Tobias Bäthge\u003C\u002Fa> for his code rewrite and German translation.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Fblog.pcode.nl\u002F\" rel=\"nofollow ugc\">Pascal de Bruijn\u003C\u002Fa> for his “relaxed mode” idea.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Ftechnobabbl.es\u002F\" rel=\"nofollow ugc\">Daniel Werl\u003C\u002Fa> for his usability 
tips.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Fdd32.id.au\u002F\" rel=\"nofollow ugc\">Dion Hulse\u003C\u002Fa> for his bugfixes.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fprofiles.wordpress.org\u002Fusers\u002Faldolat\u002F\" rel=\"nofollow ugc\">Aldo Latino\u003C\u002Fa> for his Italian translation.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Fwww.kaijia.me\u002F\" rel=\"nofollow ugc\">Kaijia Feng\u003C\u002Fa> for his Simplified Chinese translation.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Fwww.buayacorp.com\u002F\" rel=\"nofollow ugc\">Alex Concha\u003C\u002Fa> for his security tips.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Fjetienne.com\u002F\" rel=\"nofollow ugc\">Jerome Etienne\u003C\u002Fa> for his jquery-qrcode plugin.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Forizhial.com\u002F\" rel=\"nofollow ugc\">Sébastien Prunier\u003C\u002Fa> for his Spanish and French translation.\u003C\u002Fp>\n","Google Authenticator for your WordPress blog.",20000,687508,86,134,"2022-07-04T04:55:00.000Z","6.0.11","4.5",[19,20,53,21,22],"otp","https:\u002F\u002Fgithub.com\u002Fivankruchkoff\u002Fgoogle-authenticator","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgoogle-authenticator.0.54.zip","2016-04-28 00:00:00",{"slug":58,"name":59,"version":60,"author":61,"author_profile":62,"description":63,"short_description":64,"active_installs":65,"downloaded":66,"rating":67,"num_ratings":32,"last_updated":68,"tested_up_to":69,"requires_at_least":70,"requires_php":71,"tags":72,"homepage":75,"download_link":76,"security_score":26,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29},"magiclabs","Login by Magic","1.0.4","Magic","https:\u002F\u002Fprofiles.wordpress.org\u002Fmagiclabs\u002F","\u003Cp>This plugin replaces the standard WordPress login form with one powered by \u003Ca href=\"https:\u002F\u002Fmagic.link\" rel=\"nofollow ugc\">Magic\u003C\u002Fa> that enables 
passwordless email magic link login.\u003C\u002Fp>\n\u003Cp>Magic offers passwordless authentication and cryptographically secured user identity to your applications. With just a few lines of code, your application’s security is instantaneously upgraded, and your end users can enjoy a future-proof and blockchain-enabled login solution.\u003C\u002Fp>\n\u003Cp>Visit \u003Ca href=\"https:\u002F\u002Fmagic.link\" rel=\"nofollow ugc\">https:\u002F\u002Fmagic.link\u003C\u002Fa> to learn more.\u003C\u002Fp>\n","Login by Magic plugin replaces the standard WordPress login form with one powered by Magic that enables passwordless email magic link login.",20,2392,100,"2022-08-29T22:06:00.000Z","5.8.13","5.5.1","7.3",[19,20,73,74,22],"magiclink","passwordless","https:\u002F\u002Fgithub.com\u002Fmagiclabs\u002Fwp-magic","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmagiclabs.zip",{"slug":78,"name":79,"version":80,"author":81,"author_profile":82,"description":83,"short_description":84,"active_installs":65,"downloaded":85,"rating":67,"num_ratings":32,"last_updated":86,"tested_up_to":87,"requires_at_least":17,"requires_php":16,"tags":88,"homepage":89,"download_link":90,"security_score":26,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29},"token2-hardware-tokens","Token2 Hardware Tokens","0.1","token2","https:\u002F\u002Fprofiles.wordpress.org\u002Ftoken2\u002F","\u003Cp>The Token2 Hardware Tokens plugin for WordPress gives you two-factor authentication using the Token2 Hardware Tokens .\u003C\u002Fp>\n\u003Cp>The two-factor authentication requirement can be enabled on a per-user basis by administrators.\u003C\u002Fp>\n","Token2 Hardware Tokens for your WordPress 
blog.",1545,"2018-03-22T09:51:00.000Z","4.9.29",[19,20,53,21,22],"https:\u002F\u002Ftoken2.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftoken2-hardware-tokens.zip",{"slug":92,"name":93,"version":94,"author":95,"author_profile":96,"description":97,"short_description":98,"active_installs":27,"downloaded":99,"rating":27,"num_ratings":27,"last_updated":100,"tested_up_to":101,"requires_at_least":102,"requires_php":103,"tags":104,"homepage":106,"download_link":107,"security_score":67,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29},"dolutech-passwordless-login","Dolutech Passwordless Login","1.1.0","Lucas Catão Moraes","https:\u002F\u002Fprofiles.wordpress.org\u002Fdolutech\u002F","\u003Cp>This plugin replaces the default WordPress login form with a more secure passwordless authentication system.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Main features:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Passwordless login via a secure link sent by e-mail\u003Cbr \u002F>\n* Two-factor authentication (2FA) via TOTP (Google Authenticator, Authy, etc.)\u003Cbr \u002F>\n* Backup codes for access recovery\u003Cbr \u002F>\n* IP verification for additional security\u003Cbr \u002F>\n* Rate limiting to prevent brute-force attacks\u003Cbr \u002F>\n* Full settings panel in wp-admin\u003Cbr \u002F>\n* Option to make 2FA mandatory for specific profiles\u003C\u002Fp>\n\u003Cp>The login link expires immediately after the first use or after the configured time (15 minutes by default). 
Authentication is only allowed from the same IP that requested the login.\u003C\u002Fp>\n","Allows secure login without a password, using passwordless technology and two-factor authentication (2FA) via TOTP.",390,"2025-09-02T19:34:00.000Z","6.8.5","6.5","8.2",[105,19,20,74,22],"2fa","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fdolutech-passwordless-login\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdolutech-passwordless-login.1.1.0.zip",{"slug":109,"name":110,"version":111,"author":112,"author_profile":113,"description":114,"short_description":115,"active_installs":27,"downloaded":67,"rating":27,"num_ratings":27,"last_updated":116,"tested_up_to":117,"requires_at_least":118,"requires_php":16,"tags":119,"homepage":16,"download_link":121,"security_score":67,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29},"elevation-magic-link","Elevation Magic Link Login","1.2.2","Elevation Team","https:\u002F\u002Fprofiles.wordpress.org\u002Felevation1support\u002F","\u003Cp>Elevation Magic Link Login allows your users to sign in without remembering a password. 
By simply entering their username or email address, they receive a secure, time-sensitive link via email that logs them in instantly.\u003C\u002Fp>\n\u003Cp>This plugin is built with security as a priority, utilizing WordPress best practices such as nonces, input sanitization, output escaping, hashed tokens, and HMAC signatures to ensure your site and users remain protected.\u003C\u002Fp>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cp>Adds a “Send Me a Magic Link” button to the default WP login form.\u003C\u002Fp>\n\u003Cp>New: Toggle-based UI that hides the password field when requesting a link for a cleaner experience.\u003C\u002Fp>\n\u003Cp>Secure, high-entropy token generation.\u003C\u002Fp>\n\u003Cp>Tokens are hashed before storage for maximum security.\u003C\u002Fp>\n\u003Cp>Cross-device support: Uses stateless HMAC signatures to validate links even if opened on a different device than requested.\u003C\u002Fp>\n\u003Cp>One-time use links that expire after 15 minutes (filterable).\u003C\u002Fp>\n\u003Cp>No-password fallback for users who forget their credentials.\u003C\u002Fp>\n\u003Cp>Lightweight and developer-friendly.\u003C\u002Fp>\n\u003Cp>Filterable redirect URL after successful login.\u003C\u002Fp>\n","Add a secure, passwordless login option to the default WordPress login 
form.","2026-01-23T18:34:00.000Z","6.9.4","5.0",[19,20,120,74,22],"magic-link","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Felevation-magic-link.1.2.2.zip",{"attackSurface":123,"codeSignals":182,"taintFlows":236,"riskAssessment":237,"analyzedAt":247},{"hooks":124,"ajaxHandlers":178,"restRoutes":179,"shortcodes":180,"cronEvents":181,"entryPointCount":27,"unprotectedCount":27},[125,131,135,138,141,146,150,153,156,160,164,168,172,175],{"type":126,"name":127,"callback":128,"file":129,"line":130},"action","personal_options_update","yubikey_personal_options_update","yubikey.php",444,{"type":126,"name":132,"callback":133,"file":129,"line":134},"profile_personal_options","yubikey_profile_personal_options",445,{"type":126,"name":136,"callback":133,"file":129,"line":137},"edit_user_profile",449,{"type":126,"name":139,"callback":133,"file":129,"line":140},"edit_user_profile_update",450,{"type":142,"name":143,"callback":144,"file":129,"line":145},"filter","pre_kses","yubikey_plugin_description",453,{"type":126,"name":147,"callback":148,"file":129,"line":149},"admin_menu","yubikey_admin",455,{"type":126,"name":151,"callback":133,"file":129,"line":152},"woocommerce_edit_account_form_start",457,{"type":126,"name":154,"callback":128,"file":129,"line":155},"woocommerce_save_account_details",458,{"type":126,"name":157,"callback":158,"file":129,"line":159},"login_form","yubikey_loginform",466,{"type":142,"name":161,"callback":162,"file":129,"line":163},"wp_authenticate_user","yubikey_check_otp",467,{"type":126,"name":165,"callback":166,"file":129,"line":167},"user_register","yubikey_user_register",469,{"type":126,"name":169,"callback":170,"file":129,"line":171},"register_form","yubikey_registerform",470,{"type":126,"name":157,"callback":173,"file":129,"line":174},"yubikey_loginform_apiinfomissing",472,{"type":126,"name":157,"callback":176,"file":129,"line":177},"yubikey_loginform_functionsmissing",476,[],[],[],[],{"dangerousFunctions":183,"sqlUsage":184,"outputEscaping"
:186,"fileOperations":27,"externalRequests":32,"nonceChecks":27,"capabilityChecks":27,"bundledLibraries":235},[],{"prepared":27,"raw":27,"locations":185},[],{"escaped":187,"rawEcho":188,"locations":189},8,22,[190,193,195,197,199,201,203,205,207,209,211,213,215,217,219,221,223,225,227,229,231,233],{"file":129,"line":191,"context":192},67,"raw output",{"file":129,"line":194,"context":192},77,{"file":129,"line":196,"context":192},88,{"file":129,"line":198,"context":192},97,{"file":129,"line":200,"context":192},117,{"file":129,"line":202,"context":192},121,{"file":129,"line":204,"context":192},147,{"file":129,"line":206,"context":192},152,{"file":129,"line":208,"context":192},247,{"file":129,"line":210,"context":192},253,{"file":129,"line":212,"context":192},261,{"file":129,"line":214,"context":192},269,{"file":129,"line":216,"context":192},277,{"file":129,"line":218,"context":192},278,{"file":129,"line":220,"context":192},281,{"file":129,"line":222,"context":192},282,{"file":129,"line":224,"context":192},285,{"file":129,"line":226,"context":192},286,{"file":129,"line":228,"context":192},303,{"file":129,"line":230,"context":192},309,{"file":129,"line":232,"context":192},317,{"file":129,"line":234,"context":192},325,[],[],{"summary":238,"deductions":239},"The \"woo-yubikey\" v2.3 plugin exhibits a generally good security posture with no identified vulnerabilities in its history and a clean taint analysis. The static analysis reveals a minimal attack surface with no AJAX handlers, REST API routes, shortcodes, or cron events. Furthermore, all observed SQL queries utilize prepared statements, and there are no file operations or external HTTP requests that are typically high-risk if not handled carefully.  The absence of known CVEs and a clean vulnerability history are strong indicators of a well-maintained and secure plugin. \n\nHowever, there are areas for improvement. The low percentage of properly escaped output (27%) is a significant concern. 
If user-supplied data is not consistently escaped before being displayed, it could lead to cross-site scripting (XSS) vulnerabilities. The complete lack of nonce checks and capability checks is also a weakness, as these are fundamental WordPress security mechanisms for preventing unauthorized actions and ensuring only authorized users can perform specific operations. While the attack surface is small, these missing checks mean that any potential entry points, even if currently non-existent or internal, are not adequately protected.\n\nIn conclusion, the plugin's strengths lie in its minimal attack surface and secure handling of database queries. The absence of known vulnerabilities is reassuring. The primary weaknesses are the insufficient output escaping and the lack of critical security checks like nonces and capability checks. Addressing these areas would significantly bolster the plugin's overall security. Despite these weaknesses, the plugin currently has no exploitable vulnerabilities based on the provided data and history.",[240,242,245],{"reason":241,"points":187},"Insufficient output escaping",{"reason":243,"points":244},"Missing nonce checks",7,{"reason":246,"points":244},"Missing capability checks","2026-03-16T19:46:39.212Z",{"wat":249,"direct":258},{"assetPaths":250,"generatorPatterns":252,"scriptPaths":253,"versionParams":255},[251],"\u002Fwp-content\u002Fplugins\u002Fwoo-yubikey\u002Fyubikey.css",[],[254],"\u002Fwp-content\u002Fplugins\u002Fwoo-yubikey\u002Fyubikey.js",[256,257],"woo-yubikey\u002Fyubikey.css?ver=","woo-yubikey\u002Fyubikey.js?ver=",{"cssClasses":259,"htmlComments":261,"htmlAttributes":282,"restEndpoints":285,"jsGlobals":286,"shortcodeOutput":288},[260],"yubikey-otp-field",[262,263,264,265,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281],"Thanks to the following contributor(s) :","Original Plugin Code","Ideas & code contribution to the separate admin\u002Foptionspage.","Ideas.","Copyright 2009  Henrik 
Schack","Copyright 2017  Adam Lyons","Add One-time Password field to login form.","Add One-time Password field to register form.","loginform info used in the case where PHP is missing vital functions and therefore can't use the plugin.","loginform info used in the case where no API ID or Key has been setup.","Optionspage for editing Yubikey global options (Yubico API ID & Key)","Display a warning if the PHP installation is to old.","To be removed later on when PHP4 is completely dead.","Attach a Yubikey options page to the settings menu","Login form handling.","Do OTP check if user has been setup to do so.","Get user specific settings","Get the global API ID\u002FKEY","Does keyid match ?","is OTP valid ?",[283,284],"placeholder=\"Touch the key...\"","autocomplete=\"off\"",[],[287],"yubikey_ajaxurl",[]]