Does WP Social AutoConnect have any unpatched vulnerabilities?

Yes — WP Social AutoConnect currently has 1 unpatched vulnerability. We recommend switching to an alternative or applying any available workarounds.

Is WP Social AutoConnect compatible with WordPress 6.3.8?

According to WordPress.org data, WP Social AutoConnect 4.6.4 has been tested up to WordPress 6.3.8. Check the plugin's changelog for the latest compatibility information.

How often is WP Social AutoConnect updated?

WP Social AutoConnect was last updated on Aug 13, 2025. Frequent updates are generally a positive security signal.

What is WP Social AutoConnect's security score?

WP Social AutoConnect has a WP-Safety security score of 74/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

WP Social AutoConnect Security & Risk Analysis

wordpress.org/plugins/wp-fb-autoconnect

A lightweight but powerful Facebook login plugin, easy to setup and transparent to new and returning users alike. Supports Buddypress.

500 active installs v4.6.4 PHP + WP 2.5+ Updated Aug 13, 2025

buddypressfacebook-connectfacebook-loginlogin-with-facebooksocial-login

B · Generally Safe

CVEs total5

Unpatched1

Last CVEJun 19, 2025

Plugin page Download

Safety Verdict

Is WP Social AutoConnect Safe to Use in 2026?

Mostly Safe

Score 74/100

WP Social AutoConnect is generally safe to use. 5 past CVEs were resolved. Keep it updated.

5 known CVEs 1 unpatched Last CVE: Jun 19, 2025Updated 7mo ago

Risk Assessment

The 'wp-fb-autoconnect' v4.6.4 plugin exhibits a mixed security posture. On one hand, the static analysis reveals a commendable lack of direct attack surface through AJAX, REST API, shortcodes, and cron events. The use of prepared statements for all SQL queries is also a strong positive. However, concerns arise from the low percentage of properly escaped output, indicating a significant risk of Cross-Site Scripting (XSS) vulnerabilities. The presence of several unsanitized paths in the taint analysis, while not classified as critical or high, still points to potential areas where user input might not be handled securely.

The plugin's vulnerability history is a significant red flag. With five known CVEs, including one that is currently unpatched, and a recent vulnerability discovered in June 2025, this plugin has a history of introducing security flaws. The common types of vulnerabilities (XSS and CSRF) align with the concerns raised by the static analysis regarding output escaping and unsanitized paths. The existence of an unpatched vulnerability of medium severity means a known exploit is available and not yet mitigated by the developer, posing an immediate risk to users of this plugin.

In conclusion, while the plugin demonstrates some good security practices like secure SQL handling and a limited direct attack surface, the high number of past vulnerabilities, particularly the unpatched one, and the significant output escaping issues present a considerable security risk. Users should exercise extreme caution and consider alternative plugins until all known vulnerabilities are addressed.

Key Concerns

Unpatched CVE exists (Medium severity)
Low percentage of properly escaped output
Flows with unsanitized paths identified
History of 5 known CVEs

Vulnerabilities

WP Social AutoConnect Security Vulnerabilities

CVEs by Year

1 CVE in 2014

2014

2 CVEs in 2023

2023

2 CVEs in 2025 · unpatched

2025

Patched Has unpatched

Severity Breakdown

Medium

5 total CVEs

CVE-2025-50022medium · 4.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP-FB-AutoConnect <= 4.6.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

Jun 19, 2025Unpatched

CVE-2024-12279medium · 6.1Cross-Site Request Forgery (CSRF)

WP Social AutoConnect <= 4.6.2 - Cross-Site Request Forgery to Reflected Cross-Site Scripting

Jan 3, 2025 Patched in 4.6.3 (1d)

CVE-2023-37974medium · 5.4Cross-Site Request Forgery (CSRF)

WP-FB-AutoConnect <= 4.6.1 - Cross-Site Request Forgery via jfb_admin_page

Jul 12, 2023 Patched in 4.6.2 (195d)

WF-50f69182-66c0-4d3a-aabe-015b72937f3e-wp-fb-autoconnectmedium · 4.3Cross-Site Request Forgery (CSRF)

WP Social AutoConnect <= 4.6.1 - Cross-Site Request Forgery via jfb_admin_page

Jul 1, 2023 Patched in 4.6.2 (206d)

WF-d118beb2-bcb1-4d35-b25e-172fa4b6d916-wp-fb-autoconnectmedium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP-FB-AutoConnect <= 4.0.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Dec 14, 2014 Patched in 4.0.6 (3327d)

Code Analysis

Analyzed Mar 16, 2026

WP Social AutoConnect Code Analysis

Dangerous Functions

Raw SQL Queries

1 prepared

Unescaped Output

107

12 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

100% prepared1 total queries

Output Escaping

10% escaped119 total outputs

Data Flows

7 unsanitized

Data Flow Analysis

9 flows7 with unsanitized paths

jfb_admin_notices (AdminPage.php:53)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

WP Social AutoConnect Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 19

actionadmin_menuAdminPage.php:6

filterplugin_action_linksAdminPage.php:17

actionadmin_headAdminPage.php:28

actionadmin_noticesAdminPage.php:52

actionwp_enqueue_scriptsMain.php:73

actionwpfb_add_to_asyncinitMain.php:147

actionwp_footerMain.php:174

actionwp_footerMain.php:213

actionwp_footerMain.php:284

filterget_avatarMain.php:308

filterbp_core_fetch_avatarMain.php:350

filterwpfb_insert_userMain.php:389

actionpersonal_optionsMain.php:441

actionbp_initMain.php:470

actionbp_after_sidebar_login_formMain.php:482

actionbp_after_login_widget_loggedoutMain.php:483

actionwpfb_loginMain.php:497

actionwidgets_initWidget.php:97

actioninit_process_login.php:7

Maintenance & Trust

WP Social AutoConnect Maintenance & Trust

Maintenance Signals

WordPress version tested6.3.8

Last updatedAug 13, 2025

PHP min version

Downloads385K

Community Trust

Rating88/100

Number of ratings13

Active installs500

Alternatives

WP Social AutoConnect Alternatives

Social Login

oa-social-login

With Social Login your users can login, register and comment with 40+ Social Networks. Maintenance Free. Uptime Guarantee. Fulltime devs

5K 1 CVE

UsersWP – Social Login

userswp-social-login

100

Social Login addon for UsersWP.

2K No CVEs

JSON API User

json-api-user

Extends the JSON API Plugin to allow RESTful user registration, authentication & many other User Meta, BP functions. A Pro version is also available.

1K 1 CVE

Happy Social Login

happy-social-login

Enables user authentication through various social media accounts. Login through Google, Facebook, LinkedIn, GitHub and more.

100 No CVEs

DE Social Login

de-social-login

A Simple wordpress plugin which enable the user to login in wordress site with Google/Facebook/Twitter/LinkedIn/Yahoo/OpenId accounts with one click.

10 No CVEs

Developer Profile

WP Social AutoConnect Developer Profile

3 plugins · 2K total installs

trust score

Avg Security Score

78/100

Avg Patch Time

1466 days

View full developer profile

Detection Fingerprints

How We Detect WP Social AutoConnect

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/wp-fb-autoconnect/style.css

Version Parameters

wp-fb-autoconnect/style.css?ver=

HTML / DOM Fingerprints

CSS Classes

fbLoginButton

HTML Comments

JS Globals

FB.login

FAQ