WP Cassify Security & Risk Analysis

wordpress.org/plugins/wp-cassify

The plugin is an Apereo CAS Client. It performs CAS authentication and authorization for WordPress.

900 active installs · v2.3.9 · PHP 7.0+ · WP 4.4+ · Updated Oct 2, 2025
auth · authentication · cas · central · wpcas
99
A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Mar 26, 2025
Safety Verdict

Is WP Cassify Safe to Use in 2026?

Generally Safe

Score 99/100

WP Cassify has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Mar 26, 2025 · Updated 6mo ago
Risk Assessment

The wp-cassify plugin v2.3.9 presents a mixed security posture. While the static analysis shows a limited attack surface with no identified unprotected entry points, and a respectable number of nonce and capability checks, there are several areas of concern. The presence of dangerous functions like `unserialize` and `assert` is a significant red flag. Additionally, the SQL query usage is concerning, with 67% of queries not employing prepared statements, increasing the risk of SQL injection vulnerabilities. The output escaping is also suboptimal, with 41% of outputs not properly escaped, potentially leading to Cross-Site Scripting (XSS) vulnerabilities. The vulnerability history indicates one past medium-severity CVE related to XSS, which, coupled with the code analysis, suggests a recurring pattern of input sanitization and output escaping issues. Despite the limited attack surface and absence of unpatched CVEs currently, the identified code signals and historical pattern warrant caution.

Key Concerns

  • Dangerous functions (unserialize, assert)
  • SQL queries not using prepared statements
  • Output escaping not properly handled
  • Medium severity CVE in history
Vulnerabilities
1

WP Cassify Security Vulnerabilities

CVEs by Year: 1 CVE in 2025

Severity Breakdown: Medium 1 (1 total CVE)

CVE-2025-30771 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Cassify <= 2.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

Mar 26, 2025 · Patched in 2.3.6 (8d)
Code Analysis
Analyzed Mar 16, 2026

WP Cassify Code Analysis

Dangerous Functions: 14
Raw SQL Queries: 6 (3 prepared)
Unescaped Output: 52 (76 escaped)
Nonce Checks: 4
Capability Checks: 3
File Operations: 1
External Requests: 1
Bundled Libraries: 0

Dangerous Functions Found

Function | Code | Location
unserialize | $wp_cassify_autorization_rules = unserialize( | admin\admin-menu.php:613
unserialize | $wp_cassify_user_role_rules = unserialize( | admin\admin-menu.php:700
unserialize | $wp_cassify_user_attributes_mapping_list = unserialize( | admin\admin-menu.php:789
unserialize | $wp_cassify_notification_rules = unserialize( | admin\admin-menu.php:1009
unserialize | $wp_cassify_expiration_rules = unserialize( | admin\admin-menu.php:1071
unserialize | $wp_cassify_autorization_rules = unserialize( WP_Cassify_Utils::wp_cassify_get_option( $this->wp_cas | classes\wp_cassify_plugin.php:363
unserialize | $wp_cassify_user_role_rules = unserialize( WP_Cassify_Utils::wp_cassify_get_option( $this->wp_cassif | classes\wp_cassify_plugin.php:364
unserialize | $wp_cassify_user_attributes_mapping_list = unserialize( WP_Cassify_Utils::wp_cassify_get_option( $th | classes\wp_cassify_plugin.php:366
unserialize | $wp_cassify_notification_rules = unserialize( WP_Cassify_Utils::wp_cassify_get_option( $this->wp_cas | classes\wp_cassify_plugin.php:367
unserialize | $wp_cassify_expiration_rules = unserialize( WP_Cassify_Utils::wp_cassify_get_option( $this->wp_cassi | classes\wp_cassify_plugin.php:368
unserialize | $wp_cassify_notification_rules = unserialize( WP_Cassify_Utils::wp_cassify_get_option( $this->wp_cas | classes\wp_cassify_plugin.php:672
unserialize | $left_operand_array = @unserialize( $wp_cassify_rule_solver_item->left_operand ); | classes\wp_cassify_rule_solver.php:262
unserialize | $left_operand_array = @unserialize( $wp_cassify_rule_solver_item->left_operand ); | classes\wp_cassify_rule_solver.php:285
assert | assert($result === $expected, "Test failed: '$condition' expected " . var_export($expected, true) . | test.php:49

SQL Query Safety

33% prepared · 9 total queries

Output Escaping

59% escaped · 128 total outputs
Data Flows
All sanitized

Data Flow Analysis

3 flows
wp_cassify_options (admin\admin-menu.php:1215)
Attack Surface

WP Cassify Attack Surface

Entry Points: 2
Unprotected: 0

Shortcodes 2

[wp_cassify_login_with_redirect] classes\wp_cassify_shortcodes.php:54
[wp_cassify_logout_with_redirect] classes\wp_cassify_shortcodes.php:55
WordPress Hooks 14
action | network_admin_menu | admin\admin-menu.php:75
action | admin_menu | admin\admin-menu.php:78
action | admin_init | admin\admin-menu.php:88
action | admin_init | admin\admin-menu.php:103
filter | query_vars | classes\wp_cassify_plugin.php:142
filter | login_url | classes\wp_cassify_plugin.php:143
filter | the_content | classes\wp_cassify_plugin.php:144
action | wp_loaded | classes\wp_cassify_plugin.php:147
action | wp_loaded | classes\wp_cassify_plugin.php:150
action | wp_loaded | classes\wp_cassify_plugin.php:153
action | template_redirect | classes\wp_cassify_plugin.php:157
action | wp_authenticate | classes\wp_cassify_plugin.php:160
action | wp_logout | classes\wp_cassify_plugin.php:163
action | wp_cassify_send_notification | classes\wp_cassify_plugin.php:166
Maintenance & Trust

WP Cassify Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Oct 2, 2025
PHP min version: 7.0
Downloads: 34K

Community Trust

Rating: 100/100
Number of ratings: 16
Active installs: 900
Developer Profile

WP Cassify Developer Profile

Alain-Aymerick FRANCOIS

1 plugin · 900 total installs

Trust score: 93
Avg Security Score: 99/100
Avg Patch Time: 8 days
Detection Fingerprints

How We Detect WP Cassify

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-cassify/admin/css/wp-cassify-admin-menu.css
/wp-content/plugins/wp-cassify/admin/js/wp-cassify-admin-menu.js
/wp-content/plugins/wp-cassify/js/wp-cassify-login.js
/wp-content/plugins/wp-cassify/js/wp-cassify-service-validation.js
Script Paths
/wp-content/plugins/wp-cassify/admin/css/wp-cassify-admin-menu.css
/wp-content/plugins/wp-cassify/admin/js/wp-cassify-admin-menu.js
/wp-content/plugins/wp-cassify/js/wp-cassify-login.js
/wp-content/plugins/wp-cassify/js/wp-cassify-service-validation.js
Version Parameters
wp-cassify/admin/css/wp-cassify-admin-menu.css?ver=
wp-cassify/admin/js/wp-cassify-admin-menu.js?ver=
wp-cassify/js/wp-cassify-login.js?ver=
wp-cassify/js/wp-cassify-service-validation.js?ver=

HTML / DOM Fingerprints

CSS Classes
wp-cassify-admin-page
wp-cassify-login-page
HTML Comments
<!-- Begin WP Cassify Shortcode: wp_cassify_login -->
<!-- End WP Cassify Shortcode: wp_cassify_login -->
<!-- Begin WP Cassify Shortcode: wp_cassify_logout -->
<!-- End WP Cassify Shortcode: wp_cassify_logout -->
(+4 more)
Data Attributes
data-wp-cassify-login-url
data-wp-cassify-logout-url
data-wp-cassify-service-validation-url
JS Globals
wpCassifyAdminMenu
wpCassifyLogin
wpCassifyServiceValidation
Shortcode Output
[wp_cassify_login]
[wp_cassify_logout]
[wp_cassify_login_logout]
[wp_cassify_service_validation]
FAQ

Frequently Asked Questions about WP Cassify