[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f9fg5hhuJleLdvb1a1PP9nP2PbeHtEh1tyTfk41_KpVg":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":25,"download_link":26,"security_score":27,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30,"vulnerabilities":31,"developer":32,"crawl_stats":29,"alternatives":38,"analysis":141,"fingerprints":175},"wp-cas-server","Cassava CAS Server","1.2.3","Luis Rodrigues","https:\u002F\u002Fprofiles.wordpress.org\u002Fgoblindegook\u002F","\u003Cp>Cassava allows WordPress to act as a single sign-on authenticator using the Central Authentication Service (CAS) protocol.\u003C\u002Fp>\n\u003Cp>That way, users on your WordPress install may be able to access different applications that support the CAS protocol by providing a single set of credentials and without exposing the user’s password.\u003C\u002Fp>\n\u003Cp>By default, CAS method URIs are provided under the \u003Ccode>wp-cas\u003C\u002Fcode> endpoint:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ccode>\u002Fwp-cas\u002Flogin\u003C\u002Fcode>: Allows a remote service to request that a user authenticate on the CAS server. Will redirect back to the remote service along with a service ticket.\u003C\u002Fli>\n\u003Cli>\u003Ccode>\u002Fwp-cas\u002Flogout\u003C\u002Fcode>: Terminates the single sign-on session. May optionally redirect the user back to the remote service.\u003C\u002Fli>\n\u003Cli>\u003Ccode>\u002Fwp-cas\u002Fvalidate\u003C\u002Fcode> [CAS 1.0]: Allows a remote service to validate a service ticket forwarded by the user on redirect. Returns a plaintext response.\u003C\u002Fli>\n\u003Cli>\u003Ccode>\u002Fwp-cas\u002Fproxy\u003C\u002Fcode> [CAS 2.0]: Provides access to remote services with proxy tickets in exchange for proxy-granting tickets. Returns an XML response.\u003C\u002Fli>\n\u003Cli>\u003Ccode>\u002Fwp-cas\u002FproxyValidate\u003C\u002Fcode> [CAS 2.0]: Allows a remote service to validate a service or proxy ticket forwarded by the user on redirect. Returns an XML response.\u003C\u002Fli>\n\u003Cli>\u003Ccode>\u002Fwp-cas\u002FserviceValidate\u003C\u002Fcode> [CAS 2.0]: Allows a remote service to validate a service ticket forwarded by the user on redirect. Returns an XML response.\u003C\u002Fli>\n\u003Cli>\u003Ccode>\u002Fwp-cas\u002Fp3\u002FproxyValidate\u003C\u002Fcode> [CAS 3.0]: Allows a remote service to validate a service or proxy ticket forwarded by the user on redirect. Returns an XML response.\u003C\u002Fli>\n\u003Cli>\u003Ccode>\u002Fwp-cas\u002Fp3\u002FserviceValidate\u003C\u002Fcode> [CAS 3.0]: Allows a remote service to validate a service ticket forwarded by the user on redirect. Returns an XML response.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>There are a few \u003Ca href=\"http:\u002F\u002Fwww.jasig.org\u002Fcas\u002Fclient-integration\" rel=\"nofollow ugc\">client integration\u003C\u002Fa> libraries available for CAS, as well as a handy guide for \u003Ca href=\"https:\u002F\u002Fwiki.jasig.org\u002Fdisplay\u002FCASC\u002FCASifying+Applications\" rel=\"nofollow ugc\">CASifying several existing applications\u003C\u002Fa>. Independent WordPress installations may integrate with Cassava using a client plugin such as \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fcas-maestro\u002F\" rel=\"ugc\">CAS Maestro\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>Please follow and contribute to Cassava’s development on \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fgoblindegook\u002Fwp-cas-server\" rel=\"nofollow ugc\">Github\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>Hooks\u003C\u002Fh3>\n\u003Ch4>Action: cas_server_before_request\u003C\u002Fh4>\n\u003Cp>Fires before a CAS request is processed.\u003C\u002Fp>\n\u003Cp>Parameters:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cem>string\u003C\u002Fem> \u003Ccode>$path\u003C\u002Fcode>: Requested URI path.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Action: cas_server_after_request\u003C\u002Fh4>\n\u003Cp>Fires after a CAS request is processed.\u003C\u002Fp>\n\u003Cp>Parameters:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cem>string\u003C\u002Fem> \u003Ccode>$path\u003C\u002Fcode>: Requested URI path.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Action: cas_server_error\u003C\u002Fh4>\n\u003Cp>Fires if the CAS server has to return an XML error.\u003C\u002Fp>\n\u003Cp>Parameters:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cem>WP_Error\u003C\u002Fem> \u003Ccode>$error\u003C\u002Fcode>: WordPress error to return as XML.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Action: cas_server_validation_success\u003C\u002Fh4>\n\u003Cp>Fires on successful ticket validation.\u003C\u002Fp>\n\u003Cp>Parameters:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cem>WP_User\u003C\u002Fem> \u003Ccode>$user\u003C\u002Fcode>: WordPress user validated by ticket.\u003C\u002Fli>\n\u003Cli>\u003Cem>string\u003C\u002Fem> \u003Ccode>$ticket\u003C\u002Fcode>: Valid ticket string.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Filter: cas_enabled\u003C\u002Fh4>\n\u003Cp>Allows developers to disable CAS.\u003C\u002Fp>\n\u003Cp>Parameters:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cem>boolean\u003C\u002Fem> \u003Ccode>$cas_enabled\u003C\u002Fcode>: Whether the server should respond to single sign-on requests.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Filter: cas_server_routes\u003C\u002Fh4>\n\u003Cp>Allows developers to override the default controller mapping, define additional endpoints and provide alternative implementations to the provided controllers.\u003C\u002Fp>\n\u003Cp>Controllers provided in this fashion should extend the \u003Ccode>\\Cassava\\CAS\\Controller\\BaseController\u003C\u002Fcode> class.\u003C\u002Fp>\n\u003Cp>Parameters:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cem>array\u003C\u002Fem> \u003Ccode>$cas_routes\u003C\u002Fcode>: CAS endpoint to controller mapping.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Filter: cas_server_response\u003C\u002Fh4>\n\u003Cp>Lets developers change the CAS server response string.\u003C\u002Fp>\n\u003Cp>Parameters:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cem>string\u003C\u002Fem> \u003Ccode>$output\u003C\u002Fcode>: Response output string.\u003C\u002Fli>\n\u003Cli>\u003Cem>string\u003C\u002Fem> \u003Ccode>$path\u003C\u002Fcode>: Requested URI path.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Filter: cas_server_dispatch_args\u003C\u002Fh4>\n\u003Cp>Filters the callback arguments to be dispatched for the request. Plugin developers may return a \u003Ccode>WP_Error\u003C\u002Fcode> object here to abort the request.\u003C\u002Fp>\n\u003Cp>Parameters:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cem>array\u003C\u002Fem> \u003Ccode>$args\u003C\u002Fcode>: Arguments to pass the callback.\u003C\u002Fli>\n\u003Cli>\u003Cem>(string|array)\u003C\u002Fem> \u003Ccode>$callback\u003C\u002Fcode>: Callback function or method.\u003C\u002Fli>\n\u003Cli>\u003Cem>string\u003C\u002Fem> \u003Ccode>$path\u003C\u002Fcode>: Requested URI path.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Filter: cas_server_login_args\u003C\u002Fh4>\n\u003Cp>Allows developers to change the request parameters passed to a \u003Ccode>\u002Flogin\u003C\u002Fcode> request.\u003C\u002Fp>\n\u003Cp>Parameters:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cem>array\u003C\u002Fem> \u003Ccode>$args\u003C\u002Fcode>: HTTP request (GET, POST) parameters.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Filter: cas_server_redirect_service\u003C\u002Fh4>\n\u003Cp>Filters the redirect URI for the service requesting user authentication.\u003C\u002Fp>\n\u003Cp>Parameters:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cem>string\u003C\u002Fem> \u003Ccode>$service\u003C\u002Fcode>: Service URI requesting user authentication.\u003C\u002Fli>\n\u003Cli>\u003Cem>WP_User\u003C\u002Fem> \u003Ccode>$user\u003C\u002Fcode>: Logged in WordPress user.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Filter: cas_server_custom_auth_uri\u003C\u002Fh4>\n\u003Cp>Allows developers to redirect the user to a custom login form.\u003C\u002Fp>\n\u003Cp>Parameters:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cem>string\u003C\u002Fem> \u003Ccode>$custom_login_url\u003C\u002Fcode>: URI for the custom login page.\u003C\u002Fli>\n\u003Cli>\u003Cem>array\u003C\u002Fem> \u003Ccode>$args\u003C\u002Fcode>: Login request parameters.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Filter: cas_server_ticket_expiration\u003C\u002Fh4>\n\u003Cp>This filter allows developers to override the default ticket expiration period.\u003C\u002Fp>\n\u003Cp>Parameters:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cem>int\u003C\u002Fem> \u003Ccode>$expiration\u003C\u002Fcode>: Ticket expiration period (in seconds).\u003C\u002Fli>\n\u003Cli>\u003Cem>string\u003C\u002Fem> \u003Ccode>$type\u003C\u002Fcode>: Type of ticket to set.\u003C\u002Fli>\n\u003Cli>\u003Cem>WP_User\u003C\u002Fem> \u003Ccode>$user\u003C\u002Fcode>: Authenticated user associated with the ticket.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Filter: cas_server_validation_user_attributes\u003C\u002Fh4>\n\u003Cp>Allows developers to change the list of (key, value) pairs before they’re included in a \u003Ccode>\u002FserviceValidate\u003C\u002Fcode> response.\u003C\u002Fp>\n\u003Cp>Parameters:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cem>array\u003C\u002Fem> \u003Ccode>$attributes\u003C\u002Fcode>: List of attributes to output.\u003C\u002Fli>\n\u003Cli>\u003Cem>WP_User\u003C\u002Fem> \u003Ccode>$user\u003C\u002Fcode>: Authenticated user.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Filter: cas_server_settings_user_attribute_options\u003C\u002Fh4>\n\u003Cp>Allows developers to change the list of user attributes that appear in the dashboard for an administrator to set to return on successful validation requests.\u003C\u002Fp>\n\u003Cp>Options are stored in an associative array, with user attribute slugs as array keys and option labels as array values.\u003C\u002Fp>\n\u003Cp>These settings are valid only for CAS 2.0 validation requests.\u003C\u002Fp>\n\u003Cp>Parameters:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cem>array\u003C\u002Fem> \u003Ccode>$attributeOptions\u003C\u002Fcode> Attribute options an administrator can set on the dashboard.\u003C\u002Fli>\n\u003C\u002Ful>\n","Cassava provides authentication services based on the Jasig CAS protocol.",30,3163,100,2,"2016-02-13T00:05:00.000Z","4.4.34","3.9","",[20,21,22,23,24],"authentication","cas","central-authentication-service","jasig-cas","single-sign-on","https:\u002F\u002Fgoblindegook.github.io\u002Fwp-cas-server","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-cas-server.1.2.3.zip",85,0,null,"2026-03-15T15:16:48.613Z",[],{"slug":33,"display_name":7,"profile_url":8,"plugin_count":34,"total_installs":35,"avg_security_score":27,"avg_patch_time_days":11,"trust_score":36,"computed_at":37},"goblindegook",3,70,84,"2026-04-04T18:37:06.812Z",[39,58,75,99,121],{"slug":40,"name":41,"version":42,"author":43,"author_profile":44,"description":45,"short_description":46,"active_installs":13,"downloaded":47,"rating":28,"num_ratings":28,"last_updated":48,"tested_up_to":49,"requires_at_least":50,"requires_php":18,"tags":51,"homepage":53,"download_link":54,"security_score":55,"vuln_count":56,"unpatched_count":56,"last_vuln_date":57,"fetched_at":30},"wpcas","wpCAS","1.07","Casey Bisson","https:\u002F\u002Fprofiles.wordpress.org\u002Fmisterbisson\u002F","\u003Cp>wpCAS integrates WordPress into an established CAS architecture, allowing centralized management and authentication of user credentials in a heterogeneous environment.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FCentral_Authentication_Service\" rel=\"nofollow ugc\">From Wikipedia\u003C\u002Fa>:\u003C\u002Fp>\n\u003Cblockquote>\u003Cp>The Central Authentication Service (CAS) is a single sign-on protocol for the web. Its purpose is to permit a user to log into multiple applications simultaneously and automatically. It also allows untrusted web applications to authenticate users without gaining access to a user’s security credentials, such as a password. The name CAS also refers to a software package that implements this protocol.\u003C\u002Fp>\u003C\u002Fblockquote>\n\u003Cp>Users who attempt to login to WordPress are redirected to the central CAS sign-on screen. After the user’s credentials are verified, s\u002Fhe is then redirected back to the WordPress site. If the CAS username matches the WordPress username, the user is recognized as valid and allowed access.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FAuthZ\" rel=\"nofollow ugc\">Authorization\u003C\u002Fa> of that user’s capabilities is based on native WordPress settings and functions. CAS only authenticates that the user is who s\u002Fhe claims to be.\u003C\u002Fp>\n\u003Cp>If the CAS user does not have an account in the WordPress site, an administrator defined function can be called to provision the account or do other actions. By default, CAS users without WordPress accounts are simply refused access.\u003C\u002Fp>\n","wpCAS integrates WordPress into an established CAS architecture, allowing centralized management and authentication of user credentials in a heterogen &hellip;",6205,"2010-03-25T15:28:00.000Z","2.7.1","2.7",[20,21,22,52,40],"phpcas","http:\u002F\u002Fmaisonbisson.com\u002Fprojects\u002Fwpcas","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpcas.zip",63,1,"2026-01-20 00:00:00",{"slug":59,"name":60,"version":61,"author":62,"author_profile":63,"description":64,"short_description":65,"active_installs":66,"downloaded":67,"rating":28,"num_ratings":28,"last_updated":68,"tested_up_to":69,"requires_at_least":70,"requires_php":18,"tags":71,"homepage":73,"download_link":74,"security_score":27,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30},"wpcas-server","wpCAS Server","1.0","Adam Backstrom","https:\u002F\u002Fprofiles.wordpress.org\u002Fadambackstrom\u002F","\u003Cp>This plugin reserves a collection of URIs that create, validate, and destroy CAS tickets.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\n\u003Cp>\u002Fcas\u002Flogin :: If user is not authenticated he\u002Fshe is redirected to the login page.  Otherwise the user is redirected to the service specified as a GET variable in the URL – or if service is not provided, the user is redirected to the WordPress instance’s home.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u002Fcas\u002Flogout :: The user’s session is destroyed, user is logged out of the WordPress instance, and redirected to $_GET[‘service’] (or the blog home if service isn’t provided)\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u002Fcas\u002FproxyValidate and \u002Fcas\u002Fvalidate :: The CAS ticket must be passed as a GET parameter in the URL when calling \u002Fcas\u002Fvalidate.  The ticket is validated and XML is output with either cas:authenticationSuccess or cas:authenticationFailure\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Hooks & Filters\u003C\u002Fh3>\n\u003Ch4>wpcas_server_login Hook\u003C\u002Fh4>\n\u003Cp>This hook allows for the insertion of code after login has successfully completed and just before the ticket creation.  One common use of this hook is to fill out the $_SESSION variable with site\u002Fuser specific information.\u003C\u002Fp>\n\u003Ch4>wpcas_server_auth_value Filter\u003C\u002Fh4>\n\u003Cp>This filter (executed in a successful ticket validation in \u002Fcas\u002Fvalidate) is used to override the user identifier returned in the cas:authenticationSuccess XML response.  By default, the value returned is the $user_ID of the authenticated user.  Using this filter, that value can be altered to whatever suits your implementation.\u003C\u002Fp>\n","Turns WordPress or WordPress MU into a CAS single sign-on authenticator.",10,2448,"2012-07-12T13:42:00.000Z","2.9.2","2.8",[72,20,22,40,59],"auth","http:\u002F\u002Fborkweb.com\u002Fprojects\u002Fwpcas-server","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpcas-server.zip",{"slug":76,"name":77,"version":78,"author":79,"author_profile":80,"description":81,"short_description":82,"active_installs":83,"downloaded":84,"rating":85,"num_ratings":86,"last_updated":87,"tested_up_to":88,"requires_at_least":89,"requires_php":90,"tags":91,"homepage":18,"download_link":95,"security_score":96,"vuln_count":97,"unpatched_count":28,"last_vuln_date":98,"fetched_at":30},"auth0","Login by Auth0","4.6.2","Auth0","https:\u002F\u002Fprofiles.wordpress.org\u002Fauth0\u002F","\u003Cp>This plugin replaces standard WordPress login forms with one powered by \u003Ca href=\"https:\u002F\u002Fauth0.com\" rel=\"nofollow ugc\">Auth0\u003C\u002Fa> that enables:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Universal authentication\u003C\u002Fstrong>\n\u003Cul>\n\u003Cli>Over 30 social login providers\u003C\u002Fli>\n\u003Cli>Enterprise connections (ADFS, Active Directory \u002F LDAP, SAML, Office 365, Google Apps and more)\u003C\u002Fli>\n\u003Cli>Connect your own database\u003C\u002Fli>\n\u003Cli>Passwordless connections (using email or SMS)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Ultra secure\u003C\u002Fstrong>\n\u003Cul>\n\u003Cli>Multifactor authentication\u003C\u002Fli>\n\u003Cli>Password policies\u003C\u002Fli>\n\u003Cli>Email validation\u003C\u002Fli>\n\u003Cli>Mitigate brute force attacks\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Technical Notes\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>IMPORTANT\u003C\u002Fstrong>: By using this plugin you are delegating the site authentication and profile handling to Auth0. That means that you won’t be using the WordPress database to authenticate users and the default WordPress login forms will be replaced.\u003C\u002Fp>\n\u003Cp>Please see our \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fcms\u002Fwordpress\u002Fhow-does-it-work\" rel=\"nofollow ugc\">How It Works page\u003C\u002Fa> for more information on how Auth0 authenticates and manages your users.\u003C\u002Fp>\n\u003Ch4>Migrating Existing Users\u003C\u002Fh4>\n\u003Cp>Auth0 allows multiple authentication providers. You can have social providers like Facebook, Twitter, Google+, and more, a database of users and passwords (just like WordPress but hosted in Auth0), or you can use an Enterprise directory like Active Directory, LDAP, Office365, Google Apps, or SAML. All those authentication providers might give you an email and a flag indicating whether the email was verified or not. We use that email (only if it is verified) to associate a previous \u003Cstrong>existing\u003C\u002Fstrong> user with the one coming from Auth0.\u003C\u002Fp>\n\u003Cp>If the email was not verified and there is an account with that email in WordPress, the user will be presented with a page saying that the email was not verified and a link to “Re-send the verification email.” For either scenario, you can choose whether it is mandatory that the user has a verified email or not in the plugin settings.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Please note:\u003C\u002Fstrong> In order for a user to log in using Auth0, they will need to sign up via the Auth0 login form (or have an account created for them in Auth0). Once signup is complete, their Auth0 user will be automatically associated with their WordPress user.\u003C\u002Fp>\n\u003Ch4>Widget\u003C\u002Fh4>\n\u003Cp>You can enable Auth0 as a WordPress widget in order to show it in a sidebar. The widget inherits the main plugin settings but can be overridden with its own settings in the widget form. Note: this form will not display for logged-in users.\u003C\u002Fp>\n\u003Ch4>Shortcode\u003C\u002Fh4>\n\u003Cp>Also, you can use the Auth0 widget as a shortcode in your editor. Just add the following to use the global settings:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[auth0]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Like widgets, shortcode login forms will use the settings of the plugin. It can be customized by adding the following attributes:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ccode>icon_url\u003C\u002Fcode> – A direct URL to an image used at the top of the login form\u003C\u002Fli>\n\u003Cli>\u003Ccode>form_title\u003C\u002Fcode> – Text to appear at the top of the login form\u003C\u002Fli>\n\u003Cli>\u003Ccode>gravatar\u003C\u002Fcode> – Display the user’s Gravatar; set to \u003Ccode>1\u003C\u002Fcode> for yes\u003C\u002Fli>\n\u003Cli>\u003Ccode>redirect_to\u003C\u002Fcode> – A direct URL to use after successful login\u003C\u002Fli>\n\u003Cli>\u003Ccode>dict\u003C\u002Fcode> – Valid JSON to override form text (\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fauth0\u002Flock\u002Fblob\u002Fmaster\u002Fsrc\u002Fi18n\u002Fen.js\" rel=\"nofollow ugc\">see options here\u003C\u002Fa>)\u003C\u002Fli>\n\u003Cli>\u003Ccode>extra_conf\u003C\u002Fcode> – Valid JSON to override Lock configuration (\u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flibraries\u002Flock\u002Fv11\u002Fconfiguration\" rel=\"nofollow ugc\">see options here\u003C\u002Fa>)\u003C\u002Fli>\n\u003Cli>\u003Ccode>show_as_modal\u003C\u002Fcode> – Display a button that triggers the login form in a modal; set to \u003Ccode>1\u003C\u002Fcode> for yes\u003C\u002Fli>\n\u003Cli>\u003Ccode>modal_trigger_name\u003C\u002Fcode> – Button text to display when using a modal\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[auth0 show_as_modal=\"1\" modal_trigger_name=\"Login button: This text is configurable!\"]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Note: this form will not display for logged-in users.\u003C\u002Fp>\n","Login by Auth0 provides improved username\u002Fpassword login, Passwordless login, Social login and Single Sign On for all your sites.",10000,253954,62,18,"2024-07-12T16:57:00.000Z","6.5.8","6.5.5","7.4",[20,92,93,24,94],"multi-factor","security","social","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fauth0.4.6.2.zip",83,7,"2024-07-09 00:00:00",{"slug":100,"name":101,"version":102,"author":103,"author_profile":104,"description":105,"short_description":106,"active_installs":107,"downloaded":108,"rating":13,"num_ratings":109,"last_updated":110,"tested_up_to":111,"requires_at_least":112,"requires_php":90,"tags":113,"homepage":117,"download_link":118,"security_score":119,"vuln_count":56,"unpatched_count":28,"last_vuln_date":120,"fetched_at":30},"authorizer","Authorizer","3.13.4","Paul Ryan","https:\u002F\u002Fprofiles.wordpress.org\u002Ffigureone\u002F","\u003Cp>\u003Cem>Authorizer\u003C\u002Fem> restricts access to a WordPress site to specific users, typically students enrolled in a university course. It maintains a list of approved users that you can edit to determine who has access. It also replaces the default WordPress login\u002Fauthorization system with one relying on an external server, such as Google, CAS, LDAP, or an OAuth2 provider. Finally, \u003Cem>Authorizer\u003C\u002Fem> lets you limit invalid login attempts to prevent bots from compromising your users’ accounts.\u003C\u002Fp>\n\u003Cp>View or contribute to the plugin source on GitHub: \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fuhm-coe\u002Fauthorizer\" rel=\"nofollow ugc\">https:\u002F\u002Fgithub.com\u002Fuhm-coe\u002Fauthorizer\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>\u003Cem>Authorizer\u003C\u002Fem> requires the following:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>CAS server\u003C\u002Fstrong> (2.x, 3.x, 4.x, 5.x, 6.x, or 7.x) or \u003Cstrong>LDAP server\u003C\u002Fstrong> (plugin needs the URL)\u003C\u002Fli>\n\u003Cli>PHP extensions: php-ldap, php-curl, php-dom\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cem>Authorizer\u003C\u002Fem> provides the following options:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Authentication\u003C\u002Fstrong>: WordPress accounts; Google accounts; CAS accounts; LDAP accounts; OAuth2 accounts\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Login Access\u003C\u002Fstrong>: All authenticated users (all local and all external can log in); Only specific users (all local and approved external users can log in)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>View Access\u003C\u002Fstrong>: Everyone (open access); Only logged in users\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Limit Login Attempts\u003C\u002Fstrong>: Progressively increase the amount of time required between invalid login attempts.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Shortcode\u003C\u002Fstrong>: Use the \u003Ccode>[authorizer_login_form]\u003C\u002Fcode> shortcode to embed a wp_login_form() outside of wp-login.php.\u003C\u002Fli>\n\u003C\u002Ful>\n","Authorizer limits login attempts, restricts access to specific users, and authenticates against external sources (OAuth2, Google, LDAP, or CAS).",5000,181710,19,"2025-12-19T20:52:00.000Z","6.9.4","5.5",[20,21,114,115,116],"ldap","login","oauth","https:\u002F\u002Fgithub.com\u002Fuhm-coe\u002Fauthorizer","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fauthorizer.3.13.4.zip",99,"2022-11-01 00:00:00",{"slug":122,"name":123,"version":124,"author":125,"author_profile":126,"description":127,"short_description":128,"active_installs":129,"downloaded":130,"rating":13,"num_ratings":131,"last_updated":132,"tested_up_to":133,"requires_at_least":134,"requires_php":135,"tags":136,"homepage":138,"download_link":139,"security_score":119,"vuln_count":56,"unpatched_count":28,"last_vuln_date":140,"fetched_at":30},"wp-cassify","WP Cassify","2.3.9","Alain-Aymerick FRANCOIS","https:\u002F\u002Fprofiles.wordpress.org\u002Faaf017\u002F","\u003Cp>If you’re happy with this plugin :\u003Cbr \u002F>\nAs a reward for my efforts, I would like to receive T-shirts (or other goodies) as gifts from the universities or companies that use it.\u003Cbr \u002F>\nMy size is L. Best regards.\u003C\u002Fp>\n\u003Cp>This Apereo CAS authentication plugin has no phpCas library dependency. This is not only an authentication plugin.\u003Cbr \u002F>\nYou can build custom authorization rules according to cas user attributes populated. If user don’t exist in WordPress\u003Cbr \u002F>\ndatabase, it can be created automatically. There are many features. You can customize everything.\u003C\u002Fp>\n\u003Ch4>Website\u003C\u002Fh4>\n\u003Cp>https:\u002F\u002Fwpcassify.wordpress.com\u002F\u003C\u002Fp>\n\u003Ch4>Development and release environment\u003C\u002Fh4>\n\u003Cp>This plugin is now developed and tested from a github repository. You can find it here :\u003Cbr \u002F>\nhttps:\u002F\u002Fgithub.com\u002FWP-Cassify\u002Fwp-cassify-develop\u003C\u002Fp>\n\u003Cp>Don’t hesitate to contribute to this project. You can fork it and make pull requests !\u003C\u002Fp>\n\u003Ch4>Requirements\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Require at least PHP version 7.0\u003C\u002Fli>\n\u003Cli>Require at least PHP CURL package\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Features included\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>SLO (Single Log Out) support (thanks to dedotombo and me)\u003C\u002Fli>\n\u003Cli>Adding NCONTAINS operator (thanks to blandman)\u003C\u002Fli>\n\u003Cli>Fix bug on Gateway mode (autologin) (thanks to dedotombo again). Now it’s now necessary to hack theme files to fire it.\u003C\u002Fli>\n\u003Cli>Adding option logout on authentication failure to not disturb users\u003C\u002Fli>\n\u003Cli>Initialize PHP session at a later stage (on wp_loaded not on init)\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Adding some customs hooks and filters.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Tested with Apereo CAS Server version 7.2.5\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>Compatible with CAS Protocol version 2 and 3\u003C\u002Fli>\n\u003Cli>Automatic user creation if not exist in WordPress database.\u003C\u002Fli>\n\u003Cli>Synchronize WordPress User metas with CAS User attributes.\u003C\u002Fli>\n\u003Cli>Add support for multivaluate cas user fields. Now multivaluate fields can be serialized to be stored in custom WP User meta.\u003C\u002Fli>\n\u003Cli>Backup \u002F Restore plugin configuration options settings\u003C\u002Fli>\n\u003Cli>You can choose CAS User attributes you want to populate. Then you can access them via PHP Session.\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Be careful, to access to CAS User Attributes from your theme file (from 1.8.4), use code below :\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u003C?php\n    if ( isset($GLOBALS['wp-cassify']) ) {\n        print_r( $GLOBALS['wp-cassify']->wp_cassify_get_cas_user_datas() );\n    }\n?>\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Set up WordPress Roles to User according to CAS User attributes.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>If plugin is network activated, you can define User Role Rule scope by blog id.\u003C\u002Fli>\n\u003Cli>Authorization rule editor.\u003C\u002Fli>\n\u003Cli>Compatible with WordPress Access Control Plugin.\u003C\u002Fli>\n\u003Cli>Manage URL White List to bypass CAS Authentication on certain pages.\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Much simpler bypass authentication with post method provided by Susan Boland (See online documentation). Create wordpress authentication form with redirect attribute like this :\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u003C?php\n\n    $args = array(\n        'echo'           => true,\n        'remember'       => true,\n        'redirect' => site_url( '\u002F?wp_cassify_bypass=bypass' ),\n        'form_id'        => 'loginform',\n        'id_username'    => 'user_login',\n        'id_password'    => 'user_pass',\n        'id_remember'    => 'rememberme',\n        'id_submit'      => 'wp-submit',\n        'label_username' => __( 'Username' ),\n        'label_password' => __( 'Password' ),\n        'label_remember' => __( 'Remember Me' ),\n        'label_log_in'   => __( 'Log In' ),\n        'value_username' => '',\n        'value_remember' => false\n    );\n\n    wp_login_form( $args ); \n?>\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Receive email notifications when trigger is fired (after user account creation, after user login\u002Flogout).\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>Define notifications rules based on user attributes values.\u003C\u002Fli>\n\u003Cli>Purge user roles before applying user role rules.\u003C\u002Fli>\n\u003Cli>Define user account expiration rules bases on CAS User attributes.\u003C\u002Fli>\n\u003Cli>Network activation allowed\u003C\u002Fli>\n\u003Cli>You can set Service Logout URL (Needs to have CAS Server with followServiceRedirects option configured).\u003C\u002Fli>\n\u003Cli>Add support for web application hosted behind a reverse proxy. (Thanks to franck86)\u003C\u002Fli>\n\u003Cli>Add custom hooks : wp_cassify_after_cas_authentication, wp_cassify_before_auth_user_wordpress, wp_cassify_before_redirect, wp_cassify_after_redirect. (See online documentation)\u003C\u002Fli>\n\u003Cli>Custom filter to perform custom cas server response parsing. Hook name : wp_cassify_custom_parsing_cas_xml_response (See online documentation)\u003C\u002Fli>\n\u003Cli>Custom shortcode to generate CAS login\u002Flogout link into your blog. (See online documentation)\u003C\u002Fli>\n\u003Cli>Debug settings, dump last xml cas server response.\u003C\u002Fli>\n\u003Cli>Detect if user has already authenticated by CAS from your public pages and perform auto-login with gateway mode\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Add ‘-IN’ and ‘-NOTIN’ operators to process array attributes values returned from CAS.\u003Cbr \u002F>\nWhen you have :\u003C\u002Fp>\n\u003Cpre>\u003Ccode>$cas_user_datas['title'] = array( 'Student', 'Professor' );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Then you can use :\u003C\u002Fp>\n\u003Cpre>\u003Ccode>    (CAS{title} -IN \"professor\")\n\u003C\u002Fcode>\u003C\u002Fpre>\n","The plugin is an Apereo CAS Client. It performs CAS authentication and autorization for Wordpress.",900,34201,16,"2025-10-02T08:22:00.000Z","6.8.5","4.4","7.0",[72,20,21,137,40],"central","https:\u002F\u002Fwpcassify.wordpress.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-cassify.2.3.9.zip","2025-03-26 00:00:00",{"attackSurface":142,"codeSignals":158,"taintFlows":168,"riskAssessment":169,"analyzedAt":174},{"hooks":143,"ajaxHandlers":154,"restRoutes":155,"shortcodes":156,"cronEvents":157,"entryPointCount":28,"unprotectedCount":28},[144,150],{"type":145,"name":146,"callback":147,"file":148,"line":149},"action","admin_notices","print_notice","wp-requirements.php",260,{"type":145,"name":151,"callback":152,"file":148,"line":153},"admin_init","deactivate_plugin",261,[],[],[],[],{"dangerousFunctions":159,"sqlUsage":160,"outputEscaping":162,"fileOperations":28,"externalRequests":28,"nonceChecks":28,"capabilityChecks":28,"bundledLibraries":167},[],{"prepared":28,"raw":28,"locations":161},[],{"escaped":28,"rawEcho":56,"locations":163},[164],{"file":148,"line":165,"context":166},237,"raw output",[],[],{"summary":170,"deductions":171},"The wp-cas-server plugin v1.2.3 exhibits a generally strong security posture from a static analysis perspective. The absence of direct attack surface points like AJAX handlers, REST API routes, shortcodes, and cron events is a significant positive. Furthermore, the code signals indicate a lack of dangerous functions and file operations, and all SQL queries utilize prepared statements, which are excellent security practices.  The plugin also shows no external HTTP requests or bundled libraries, reducing potential attack vectors. However, the complete lack of output escaping is a notable concern. While taint analysis and vulnerability history show no current issues, this absence of output sanitization could lead to cross-site scripting (XSS) vulnerabilities if any data is ever outputted without proper escaping, especially if future development introduces dynamic content handling.\n\nThe plugin's development history shows no recorded vulnerabilities, which is highly encouraging and suggests a commitment to security by the developers. However, the static analysis did highlight one critical weakness: the complete absence of output escaping. This means that any dynamic data that is rendered by the plugin is susceptible to being displayed unescaped to the user. If this data originates from a source that can be influenced by an attacker, it could lead to cross-site scripting (XSS) vulnerabilities. While no current flows indicate this risk, it's a potential flaw that could be exploited with future code changes or if the plugin's functionality evolves.\n\nIn conclusion, wp-cas-server v1.2.3 is strong in preventing direct access and data manipulation through SQL. The lack of known vulnerabilities is a testament to its current security. The primary weakness lies in the universal lack of output escaping, which, while not actively exploited in the current code, represents a significant potential risk that should be addressed to ensure long-term security and prevent future XSS vulnerabilities.",[172],{"reason":173,"points":97},"Output escaping not implemented","2026-03-16T22:27:49.531Z",{"wat":176,"direct":181},{"assetPaths":177,"generatorPatterns":178,"scriptPaths":179,"versionParams":180},[],[],[],[],{"cssClasses":182,"htmlComments":183,"htmlAttributes":184,"restEndpoints":185,"jsGlobals":186,"shortcodeOutput":187},[],[],[],[],[],[]]