[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fyXY4aZedrlQbYaGJn3nZketeS2OWaCnlEeHeecLEEls":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":25,"download_link":26,"security_score":27,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30,"vulnerabilities":31,"developer":32,"crawl_stats":29,"alternatives":39,"analysis":141,"fingerprints":360},"wp-qr-code-login","Unlock Digital (No Passwords)","1.4.3","Jack Reichert","https:\u002F\u002Fprofiles.wordpress.org\u002Fjackreichert\u002F","\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FK-YuU7NAMZM?version=3&rel=0&showsearch=0&showinfo=0&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\n\u003Cp>With this plugin you can make passwords a thing of the past. All you need is your trusty smartphone with a QR Code reading app.\u003C\u002Fp>\n\u003Cp>(Coming soon, iOS companion app that will negate your need for a separate QR Code reading app!)\u003C\u002Fp>\n\u003Cp>Disclaimer: A website is only as secure as the least secure component on it. This plugin aims to be more secure than using the default login page.\u003C\u002Fp>\n","Log into your WordPress site using a smartphone... No typing and no passwords! 
(almost)",10,4400,88,7,"2015-06-28T20:09:00.000Z","4.2.39","4","",[20,21,22,23,24],"login","no-more-passwords","password","qr-code","security","http:\u002F\u002Funlock.digital\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-qr-code-login.zip",85,0,null,"2026-03-15T15:16:48.613Z",[],{"slug":33,"display_name":7,"profile_url":8,"plugin_count":34,"total_installs":35,"avg_security_score":27,"avg_patch_time_days":36,"trust_score":37,"computed_at":38},"jackreichert",6,180,30,84,"2026-04-04T13:56:40.178Z",[40,62,83,102,120],{"slug":41,"name":42,"version":43,"author":44,"author_profile":45,"description":46,"short_description":47,"active_installs":48,"downloaded":49,"rating":50,"num_ratings":51,"last_updated":52,"tested_up_to":53,"requires_at_least":54,"requires_php":18,"tags":55,"homepage":58,"download_link":59,"security_score":27,"vuln_count":60,"unpatched_count":28,"last_vuln_date":61,"fetched_at":30},"google-authenticator","Google Authenticator","0.54","Ivan","https:\u002F\u002Fprofiles.wordpress.org\u002Fivankk\u002F","\u003Cp>The Google Authenticator plugin for WordPress gives you two-factor authentication using the Google Authenticator app for Android\u002FiPhone\u002FBlackberry.\u003C\u002Fp>\n\u003Cp>If you are security aware, you may already have the Google Authenticator app installed on your smartphone, using it for two-factor authentication on Gmail\u002FDropbox\u002FLastpass\u002FAmazon etc.\u003C\u002Fp>\n\u003Cp>The two-factor authentication requirement can be enabled on a per-user basis. 
You could enable it for your administrator account, but log in as usual with less privileged accounts.\u003C\u002Fp>\n\u003Cp>If You need to maintain your blog using an Android\u002FiPhone app, or any other software using the XMLRPC interface, you can enable the App password feature in this plugin,\u003Cbr \u002F>\nbut please note that enabling the App password feature will make your blog less secure.\u003C\u002Fp>\n\u003Ch3>Credits\u003C\u002Fh3>\n\u003Cp>Thanks to:\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fprofiles.wordpress.org\u002Fevinak\u002F\" rel=\"nofollow ugc\">Oleksiy\u003C\u002Fa> for a bugfix in multisite.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fpancek\" rel=\"nofollow ugc\">Paweł Nowacki\u003C\u002Fa> for the Polish translation\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002FFabioZumbi12\" rel=\"nofollow ugc\">Fabio Zumbi\u003C\u002Fa> for the Portuguese translation\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fwww.guidoschalkx.com\u002F\" rel=\"nofollow ugc\">Guido Schalkx\u003C\u002Fa> for the Dutch translation.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fwww.paypal.com\u002Fcgi-bin\u002Fwebscr?cmd=_donations&business=henrik%40schack%2edk&lc=US&item_name=Google%20Authenticator&item_number=Google%20Authenticator&no_shipping=0&no_note=1&tax=0&bn=PP%2dDonationsBF&charset=UTF%2d8\" rel=\"nofollow ugc\">Henrik.Schack\u003C\u002Fa> for writing\u002Fmaintaining versions 0.20 through 0.48\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Ftobias.baethge.com\u002F\" rel=\"nofollow ugc\">Tobias Bäthge\u003C\u002Fa> for his code rewrite and German translation.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Fblog.pcode.nl\u002F\" rel=\"nofollow ugc\">Pascal de Bruijn\u003C\u002Fa> for his “relaxed mode” idea.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Ftechnobabbl.es\u002F\" rel=\"nofollow ugc\">Daniel Werl\u003C\u002Fa> for his usability 
tips.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Fdd32.id.au\u002F\" rel=\"nofollow ugc\">Dion Hulse\u003C\u002Fa> for his bugfixes.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fprofiles.wordpress.org\u002Fusers\u002Faldolat\u002F\" rel=\"nofollow ugc\">Aldo Latino\u003C\u002Fa> for his Italian translation.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Fwww.kaijia.me\u002F\" rel=\"nofollow ugc\">Kaijia Feng\u003C\u002Fa> for his Simplified Chinese translation.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Fwww.buayacorp.com\u002F\" rel=\"nofollow ugc\">Alex Concha\u003C\u002Fa> for his security tips.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Fjetienne.com\u002F\" rel=\"nofollow ugc\">Jerome Etienne\u003C\u002Fa> for his jquery-qrcode plugin.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Forizhial.com\u002F\" rel=\"nofollow ugc\">Sébastien Prunier\u003C\u002Fa> for his Spanish and French translation.\u003C\u002Fp>\n","Google Authenticator for your WordPress blog.",20000,687508,86,134,"2022-07-04T04:55:00.000Z","6.0.11","4.5",[56,20,57,22,24],"authentication","otp","https:\u002F\u002Fgithub.com\u002Fivankruchkoff\u002Fgoogle-authenticator","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgoogle-authenticator.0.54.zip",1,"2016-04-28 00:00:00",{"slug":63,"name":64,"version":65,"author":66,"author_profile":67,"description":68,"short_description":69,"active_installs":70,"downloaded":71,"rating":37,"num_ratings":72,"last_updated":73,"tested_up_to":74,"requires_at_least":75,"requires_php":76,"tags":77,"homepage":18,"download_link":81,"security_score":82,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30},"expire-user-passwords","Expire User Passwords","1.4.2","Matt Miller","https:\u002F\u002Fprofiles.wordpress.org\u002Fmillermedianow\u002F","\u003Cp>Note: This is a forked version of the now unsupported \u003Ca 
href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fexpire-passwords\u002F\" rel=\"ugc\">Expire Passwords\u003C\u002Fa> plugin. The notes below are copied over from the original plugin and will be updated as relevant updates become available. Please help by contributing to the GitHub repository \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FMiller-Media\u002Fexpire-passwords\" rel=\"nofollow ugc\">Expire Passwords\u003C\u002Fa> on GitHub\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Did you find this plugin helpful? Please consider \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fsupport\u002Fview\u002Fplugin-reviews\u002Fexpire-user-passwords\" rel=\"ugc\">leaving a 5-star review\u003C\u002Fa>.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Harden the security of your site by preventing unauthorized access to stale user accounts.\u003C\u002Fp>\n\u003Cp>This plugin is also ideal for sites needing to meet certain industry security compliances – such as government, banking or healthcare.\u003C\u002Fp>\n\u003Cp>In the plugin settings you can set the maximum number of days users are allowed to use the same password (90 days by default), as well as which user roles will be required to reset their passwords regularly (non-Administrators by default).\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Languages supported:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Albanian (Shqip)\u003C\u002Fli>\n\u003Cli>Arabic (العربية)\u003C\u002Fli>\n\u003Cli>Armenian (Հայերեն)\u003C\u002Fli>\n\u003Cli>Basque (Euskara)\u003C\u002Fli>\n\u003Cli>Bengali (বাংলা)\u003C\u002Fli>\n\u003Cli>Bulgarian (Български)\u003C\u002Fli>\n\u003Cli>Catalan (Català)\u003C\u002Fli>\n\u003Cli>Chinese Simplified (简体中文)\u003C\u002Fli>\n\u003Cli>Croatian (Hrvatski)\u003C\u002Fli>\n\u003Cli>Czech (Čeština)\u003C\u002Fli>\n\u003Cli>Danish (Dansk)\u003C\u002Fli>\n\u003Cli>Dutch (Nederlands)\u003C\u002Fli>\n\u003Cli>Estonian (Eesti)\u003C\u002Fli>\n\u003Cli>Finnish (Suomi)\u003C\u002Fli>\n\u003Cli>French 
(Français)\u003C\u002Fli>\n\u003Cli>Galician (Galego)\u003C\u002Fli>\n\u003Cli>Georgian (ქართული)\u003C\u002Fli>\n\u003Cli>German (Deutsch)\u003C\u002Fli>\n\u003Cli>Greek (Ελληνικά)\u003C\u002Fli>\n\u003Cli>Hebrew (עברית)\u003C\u002Fli>\n\u003Cli>Hindi (हिन्दी)\u003C\u002Fli>\n\u003Cli>Hungarian (Magyar)\u003C\u002Fli>\n\u003Cli>Indonesian (Bahasa Indonesia)\u003C\u002Fli>\n\u003Cli>Irish (Gaeilge)\u003C\u002Fli>\n\u003Cli>Italian (Italiano)\u003C\u002Fli>\n\u003Cli>Japanese (日本語)\u003C\u002Fli>\n\u003Cli>Korean (한국어)\u003C\u002Fli>\n\u003Cli>Latvian (Latviešu)\u003C\u002Fli>\n\u003Cli>Lithuanian (Lietuvių)\u003C\u002Fli>\n\u003Cli>Macedonian (Македонски)\u003C\u002Fli>\n\u003Cli>Norwegian (Norsk)\u003C\u002Fli>\n\u003Cli>Persian (فارسی)\u003C\u002Fli>\n\u003Cli>Persian – Afghanistan (دری)\u003C\u002Fli>\n\u003Cli>Polish (Polski)\u003C\u002Fli>\n\u003Cli>Portuguese – Brazil (Português do Brasil)\u003C\u002Fli>\n\u003Cli>Portuguese – Portugal (Português)\u003C\u002Fli>\n\u003Cli>Romanian (Română)\u003C\u002Fli>\n\u003Cli>Russian (Русский)\u003C\u002Fli>\n\u003Cli>Serbian (Српски)\u003C\u002Fli>\n\u003Cli>Slovak (Slovenčina)\u003C\u002Fli>\n\u003Cli>Slovenian (Slovenščina)\u003C\u002Fli>\n\u003Cli>Spanish (Español)\u003C\u002Fli>\n\u003Cli>Swedish (Svenska)\u003C\u002Fli>\n\u003Cli>Tamil (தமிழ்)\u003C\u002Fli>\n\u003Cli>Thai (ไทย)\u003C\u002Fli>\n\u003Cli>Turkish (Türkçe)\u003C\u002Fli>\n\u003Cli>Ukrainian (Українська)\u003C\u002Fli>\n\u003Cli>Urdu (اردو)\u003C\u002Fli>\n\u003Cli>Vietnamese (Tiếng Việt)\u003C\u002Fli>\n\u003Cli>Welsh (Cymraeg)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Development of this plugin is done \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FMiller-Media\u002Fexpire-passwords\" rel=\"nofollow ugc\">on GitHub\u003C\u002Fa>. Pull requests welcome. 
Please see \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FMiller-Media\u002Fexpire-passwords\u002Fissues\" rel=\"nofollow ugc\">issues reported\u003C\u002Fa> there before going to the plugin forum.\u003C\u002Fstrong>\u003C\u002Fp>\n","Require certain users to change their passwords on a regular basis.",3000,57937,5,"2026-02-17T09:27:00.000Z","6.9.4","4.0","8.1",[20,78,79,24,80],"membership","passwords","users","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fexpire-user-passwords.1.4.2.zip",100,{"slug":84,"name":85,"version":86,"author":87,"author_profile":88,"description":89,"short_description":90,"active_installs":91,"downloaded":92,"rating":93,"num_ratings":94,"last_updated":95,"tested_up_to":16,"requires_at_least":96,"requires_php":18,"tags":97,"homepage":100,"download_link":101,"security_score":27,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30},"smart-passworded-pages","Smart Passworded Pages","2.0.0","Brian Layman","https:\u002F\u002Fprofiles.wordpress.org\u002Fbrianlayman\u002F","\u003Cp>The Smart Passworded Pages plugin enhances WordPress by allowing the creation of central login pages that grant access to any number of passworded child pages. In this fashion you can give each client\u002Fmember\u002Forganization a central place to enter a password and they will be taken to the page that has only their information.\u003C\u002Fp>\n\u003Cp>The password field is displayed as a field followed by a button with customizable text. The form can be uniquely stylized with CSS. 
The child pages can in turn link to other pages protected with the same password and the password will not need to be re-entered.\u003C\u002Fp>\n\u003Cp>To add the password field to a parent page, simply enter the short code\u003Cbr \u002F>\n[smartpwpages]\u003C\u002Fp>\n\u003Cp>If you wish to assign a unique label to the submit button or give the form a unique ID for CSS identification, the attributes in the following example can be used:\u003Cbr \u002F>\n[smartpwpages label=\\”Login\\” ID=\\”sppForm1\\”]\u003C\u002Fp>\n\u003Cp>This plugin doesn’t add the ability to add passwords to pages.  WordPress has that built in.  On the right hand side of the page editing screen in WordPress, you can change the visibility to Password protected and enter in a password. If you are unfamiliar with using passwords in WordPress, you might want to read this page first:  https:\u002F\u002Fcodex.wordpress.org\u002FUsing_Password_Protection\u003C\u002Fp>\n\u003Cp>This plugin does make the password handling smarter and enhances it so that you can enter one password on a parent page and gain access to all the children pages using that password.  
If you don’t know what children pages or sub-pages are, you might want to read about it here:  https:\u002F\u002Fcodex.wordpress.org\u002FPages#Creating_Pages\u003C\u002Fp>\n\u003Cp>You can find out more about the Smart Passworded Pages plugin here: http:\u002F\u002Fthecodecave.com\u002Fsmart-passworded-pages-plugin\u002F\u003C\u002Fp>\n","Create central \"Enter your password\" page and the password entered determine which page the user sees next.",2000,65167,96,21,"2017-11-28T17:15:00.000Z","2.5",[20,98,99,22,24],"member","page","http:\u002F\u002Fthecodecave.com\u002Fplugins\u002Fsmart-passworded-pages-plugin\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsmart-passworded-pages.zip",{"slug":103,"name":104,"version":105,"author":106,"author_profile":107,"description":108,"short_description":109,"active_installs":110,"downloaded":111,"rating":112,"num_ratings":113,"last_updated":114,"tested_up_to":18,"requires_at_least":115,"requires_php":18,"tags":116,"homepage":118,"download_link":119,"security_score":27,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30},"woo-yubikey","yubikey-plugin","2.3","apb360","https:\u002F\u002Fprofiles.wordpress.org\u002Fapb360\u002F","\u003Cp>This is a plugin for WordPress that provides multifactor authentication with one-time passwords using the \u003Ca href=\"http:\u002F\u002Fwww.yubico.com\u002F\" rel=\"nofollow ugc\">Yubikey USB token\u003C\u002Fa>.\u003Cbr \u002F>\nThe plugin uses the Yubico Web service API in the authentication process.\u003Cbr \u002F>\nThe one-time password requirement can be enabled on a per user basis.\u003C\u002Fp>\n","Enhanced Login Security for Your Wordpress 
blog.",400,6252,76,9,"2019-02-04T18:57:00.000Z","3.8",[56,20,22,24,117],"yubikey","https:\u002F\u002Fapb360.com\u002Fyubikey-plugin\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoo-yubikey.zip",{"slug":121,"name":122,"version":123,"author":124,"author_profile":125,"description":126,"short_description":127,"active_installs":82,"downloaded":128,"rating":129,"num_ratings":130,"last_updated":131,"tested_up_to":132,"requires_at_least":133,"requires_php":18,"tags":134,"homepage":139,"download_link":140,"security_score":27,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30},"loginrequirepress","Login Require Press","1.4.0","Marat Nepomnyashy","https:\u002F\u002Fprofiles.wordpress.org\u002Fmaratbn\u002F","\u003Cp>Overview:\u003C\u002Fp>\n\u003Cp>At the time of this writing, the latest version of WordPress, version 5.3, has 3 post visibility options, which are ‘public’, ‘password protected’, and ‘private’.\u003C\u002Fp>\n\u003Cp>The ‘password protected’ option allows the site administrator to individually lock certain posts, even from the logged in users, with an additional password \u002F passcode.  However, there is currently no built-in way to just deny access only to the unauthenticated users.\u003C\u002Fp>\n\u003Cp>Login Require Press is a WordPress plugin that allows site administrators to specifically designate arbitrary posts with any public post type as viewable only after user login.  
Post authors can also enable or disable login protection for their own posts.\u003C\u002Fp>\n\u003Cp>It is an easy way to require login to view specific pages \u002F posts.\u003C\u002Fp>\n\u003Cp>Unauthenticated site visitors attempting to view any page that includes any such specifically designated post will then be automatically redirected to the site’s default login page, and then back to the original page after they login, thereby limiting access only to logged-in users with subscriber roles and above.\u003C\u002Fp>\n\u003Cp>Plugin will still allow unauthenticated downloading of site’s feeds, but will filter out all login-requiring posts from the feed listings.\u003C\u002Fp>\n\u003Cp>Plugin will protect the titles, contents, and excerpts of login-requiring posts in search result page listings when the user is not logged in.  The titles \u002F contents \u002F excerpts will be replaced by text “[Post title \u002F content \u002F excerpts protected by Login Require Press.  Login to see the title \u002F content \u002F excerpt.]”\u003C\u002Fp>\n\u003Cp>Technical summary:\u003C\u002Fp>\n\u003Cp>Plugin works by hooking-in special logic into the action ‘send_headers’ to redirect unauthenticated client browsers to the site’s login page from any non-feed and non-search-results page upon detecting any login-requiring post, and by hooking-in another special logic into the filter ‘posts_results’ to filter out all login-requiring posts from all feed page listings, and to protect the titles, contents, and excerpts of login-requiring posts in search result page listings.\u003C\u002Fp>\n\u003Cp>Login-requiring posts are marked with a custom field ‘login_require_press’ set to ‘yes’.\u003C\u002Fp>\n\u003Cp>Official project URLs:\u003C\u002Fp>\n\u003Cp>https:\u002F\u002Fgithub.com\u002Fmaratbn\u002FLoginRequirePress\u003Cbr \u002F>\n  https:\u002F\u002Fwordpress.org\u002Fplugins\u002Floginrequirepress\u003Cbr \u002F>\n  
http:\u002F\u002Fwww.maratbn.com\u002Fprojects\u002Flogin-require-press\u003C\u002Fp>\n","Easy way to require user login to view specific pages \u002F posts.",12306,90,4,"2019-11-27T02:55:00.000Z","5.3.21","3.8.1",[135,136,137,138,24],"control-access","limit-access","password-protect","require-login","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Floginrequirepress","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Floginrequirepress.1.4.0.zip",{"attackSurface":142,"codeSignals":179,"taintFlows":243,"riskAssessment":353,"analyzedAt":359},{"hooks":143,"ajaxHandlers":167,"restRoutes":174,"shortcodes":175,"cronEvents":176,"entryPointCount":60,"unprotectedCount":28},[144,150,154,158,162],{"type":145,"name":146,"callback":147,"file":148,"line":149},"action","login_enqueue_scripts","wp_qr_code_login_head","qrLogin.php",48,{"type":145,"name":151,"callback":152,"file":148,"line":153},"parse_request","qrLoginOTP",50,{"type":145,"name":155,"callback":156,"file":148,"line":157},"admin_menu","qrLogin_plugin_menu",51,{"type":145,"name":159,"callback":160,"file":148,"line":161},"qr_three_clean","qr_housecleaning",52,{"type":163,"name":164,"callback":165,"file":148,"line":166},"filter","cron_schedules","newSchedules",55,[168],{"action":169,"nopriv":170,"callback":171,"hasNonce":170,"hasCapCheck":172,"file":148,"line":173},"ajax-qrLogin",true,"ajax_check_logs_in",false,49,[],[],[177],{"hook":159,"callback":159,"file":148,"line":178},539,{"dangerousFunctions":180,"sqlUsage":181,"outputEscaping":189,"fileOperations":28,"externalRequests":28,"nonceChecks":241,"capabilityChecks":60,"bundledLibraries":242},[],{"prepared":34,"raw":182,"locations":183},2,[184,187],{"file":148,"line":185,"context":186},497,"$wpdb->get_results() with variable 
interpolation",{"file":148,"line":188,"context":186},550,{"escaped":28,"rawEcho":190,"locations":191},24,[192,195,197,199,201,203,205,207,209,211,213,215,217,219,221,223,225,227,229,231,233,235,237,239],{"file":148,"line":193,"context":194},167,"raw output",{"file":148,"line":196,"context":194},175,{"file":148,"line":198,"context":194},284,{"file":148,"line":200,"context":194},313,{"file":148,"line":202,"context":194},318,{"file":148,"line":204,"context":194},323,{"file":148,"line":206,"context":194},325,{"file":148,"line":208,"context":194},329,{"file":148,"line":210,"context":194},330,{"file":148,"line":212,"context":194},344,{"file":148,"line":214,"context":194},345,{"file":148,"line":216,"context":194},349,{"file":148,"line":218,"context":194},350,{"file":148,"line":220,"context":194},351,{"file":148,"line":222,"context":194},352,{"file":148,"line":224,"context":194},388,{"file":148,"line":226,"context":194},392,{"file":148,"line":228,"context":194},393,{"file":148,"line":230,"context":194},399,{"file":148,"line":232,"context":194},443,{"file":148,"line":234,"context":194},444,{"file":148,"line":236,"context":194},456,{"file":148,"line":238,"context":194},457,{"file":148,"line":240,"context":194},467,3,[],[244,276,287,322],{"entryPoint":245,"graph":246,"unsanitizedCount":28,"severity":275},"ajax_check_logs_in (qrLogin.php:151)",{"nodes":247,"edges":271},[248,253,258,262,266],{"id":249,"type":250,"label":251,"file":148,"line":252},"n0","source","$_POST (x2)",157,{"id":254,"type":255,"label":256,"file":148,"line":193,"wp_function":257},"n1","sink","echo() [XSS]","echo",{"id":259,"type":250,"label":260,"file":148,"line":261},"n2","$_POST",162,{"id":263,"type":264,"label":265,"file":148,"line":261},"n3","transform","→ get_user_by_qrHash()",{"id":267,"type":255,"label":268,"file":148,"line":269,"wp_function":270},"n4","get_results() 
[SQLi]",118,"get_results",[272,273,274],{"from":249,"to":254,"sanitized":170},{"from":259,"to":263,"sanitized":172},{"from":263,"to":267,"sanitized":170},"low",{"entryPoint":277,"graph":278,"unsanitizedCount":28,"severity":275},"qrLoginOTP (qrLogin.php:191)",{"nodes":279,"edges":284},[280,282,283],{"id":249,"type":250,"label":260,"file":148,"line":281},209,{"id":254,"type":264,"label":265,"file":148,"line":281},{"id":259,"type":255,"label":268,"file":148,"line":269,"wp_function":270},[285,286],{"from":249,"to":254,"sanitized":172},{"from":254,"to":259,"sanitized":170},{"entryPoint":288,"graph":289,"unsanitizedCount":28,"severity":275},"qrLogin_plugin_options (qrLogin.php:259)",{"nodes":290,"edges":315},[291,293,294,296,297,300,303,306,308,311,313],{"id":249,"type":250,"label":292,"file":148,"line":210},"$_SERVER[?]",{"id":254,"type":255,"label":256,"file":148,"line":210,"wp_function":257},{"id":259,"type":250,"label":251,"file":148,"line":295},347,{"id":263,"type":255,"label":256,"file":148,"line":216,"wp_function":257},{"id":267,"type":250,"label":298,"file":148,"line":299},"$_GET",381,{"id":301,"type":255,"label":268,"file":148,"line":302,"wp_function":270},"n5",384,{"id":304,"type":250,"label":305,"file":148,"line":299},"n6","$_GET (x3)",{"id":307,"type":255,"label":256,"file":148,"line":224,"wp_function":257},"n7",{"id":309,"type":250,"label":298,"file":148,"line":310},"n8",295,{"id":312,"type":264,"label":265,"file":148,"line":310},"n9",{"id":314,"type":255,"label":268,"file":148,"line":269,"wp_function":270},"n10",[316,317,318,319,320,321],{"from":249,"to":254,"sanitized":170},{"from":259,"to":263,"sanitized":170},{"from":267,"to":301,"sanitized":170},{"from":304,"to":307,"sanitized":170},{"from":309,"to":312,"sanitized":172},{"from":312,"to":314,"sanitized":170},{"entryPoint":323,"graph":324,"unsanitizedCount":28,"severity":275},"\u003CqrLogin> 
(qrLogin.php:0)",{"nodes":325,"edges":344},[326,328,329,330,331,332,333,334,335,336,337,338,340,342],{"id":249,"type":250,"label":327,"file":148,"line":252},"$_POST (x5)",{"id":254,"type":255,"label":256,"file":148,"line":193,"wp_function":257},{"id":259,"type":250,"label":292,"file":148,"line":210},{"id":263,"type":255,"label":256,"file":148,"line":210,"wp_function":257},{"id":267,"type":250,"label":298,"file":148,"line":299},{"id":301,"type":255,"label":268,"file":148,"line":302,"wp_function":270},{"id":304,"type":250,"label":305,"file":148,"line":299},{"id":307,"type":255,"label":256,"file":148,"line":224,"wp_function":257},{"id":309,"type":250,"label":251,"file":148,"line":261},{"id":312,"type":264,"label":265,"file":148,"line":261},{"id":314,"type":255,"label":268,"file":148,"line":269,"wp_function":270},{"id":339,"type":250,"label":298,"file":148,"line":310},"n11",{"id":341,"type":264,"label":265,"file":148,"line":310},"n12",{"id":343,"type":255,"label":268,"file":148,"line":269,"wp_function":270},"n13",[345,346,347,348,349,350,351,352],{"from":249,"to":254,"sanitized":170},{"from":259,"to":263,"sanitized":170},{"from":267,"to":301,"sanitized":170},{"from":304,"to":307,"sanitized":170},{"from":309,"to":312,"sanitized":172},{"from":312,"to":314,"sanitized":170},{"from":339,"to":341,"sanitized":172},{"from":341,"to":343,"sanitized":170},{"summary":354,"deductions":355},"The \"wp-qr-code-login\" plugin v1.4.3 exhibits a generally good security posture with several positive indicators. The complete absence of known CVEs and recorded vulnerabilities suggests a history of stability and responsible development. Furthermore, the plugin has a limited attack surface, with only one AJAX handler and no exposed REST API routes, shortcodes, or cron events that are not protected by authentication. 
The code also signals a commitment to security by utilizing prepared statements for a significant portion of its SQL queries and including nonce checks and capability checks.\n\nHowever, a significant concern arises from the complete lack of output escaping. With 24 total outputs and 0% properly escaped, this presents a high risk of Cross-Site Scripting (XSS) vulnerabilities. Attackers could potentially inject malicious scripts into the plugin's output, impacting users who interact with the affected pages or administrative interfaces. While taint analysis did not reveal critical or high-severity unsanitized flows, the lack of output escaping is a pervasive weakness that could be exploited in conjunction with other less severe issues.\n\nIn conclusion, while the plugin benefits from a clean vulnerability history and a well-controlled attack surface, the critical deficiency in output escaping is a major security flaw that needs immediate attention. This weakness overshadows the positive aspects and requires a significant deduction in the overall security score. Addressing this output escaping issue should be the top priority for improving the plugin's security.",[356],{"reason":357,"points":358},"0% output escaping",15,"2026-03-17T00:42:52.820Z",{"wat":361,"direct":368},{"assetPaths":362,"generatorPatterns":364,"scriptPaths":365,"versionParams":366},[363],"\u002Fwp-content\u002Fplugins\u002Fwp-qr-code-login\u002Fjs\u002FqrLogin.js",[],[363],[367],"wp-qr-code-login\u002Fjs\u002FqrLogin.js?ver=",{"cssClasses":369,"htmlComments":370,"htmlAttributes":371,"restEndpoints":372,"jsGlobals":373,"shortcodeOutput":375},[],[],[],[],[374],"qrLoginAjaxRequest",[]]