Does JWT Authentication for WP REST APIs have any unpatched vulnerabilities?

No. All known vulnerabilities in JWT Authentication for WP REST APIs have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is JWT Authentication for WP REST APIs compatible with WordPress 6.9.4?

According to WordPress.org data, JWT Authentication for WP REST APIs 4.3.0 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

Is JWT Authentication for WP REST APIs compatible with PHP 5.6+?

JWT Authentication for WP REST APIs requires PHP 5.6 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is JWT Authentication for WP REST APIs updated?

JWT Authentication for WP REST APIs was last updated on Feb 9, 2026. Frequent updates are generally a positive security signal.

What is JWT Authentication for WP REST APIs's security score?

JWT Authentication for WP REST APIs has a WP-Safety security score of 97/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

JWT Authentication for WP REST APIs Security & Risk Analysis

wordpress.org/plugins/wp-rest-api-authentication

Secure and protect WordPress REST API from unauthorized access using JWT token, Basic Authentication, API Key, OAuth 2, or external token.

20K active installs v4.3.0 PHP 5.6+ WP 3.0.1+ Updated Feb 9, 2026

api-keyjwt-authenticationrestrest-apisecure-api

A · Safe

CVEs total2

Unpatched0

Last CVEApr 16, 2025

Plugin page Download

Safety Verdict

Is JWT Authentication for WP REST APIs Safe to Use in 2026?

Generally Safe

Score 97/100

JWT Authentication for WP REST APIs has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEsLast CVE: Apr 16, 2025Updated 1mo ago

Risk Assessment

The wp-rest-api-authentication plugin exhibits a mixed security posture. While it demonstrates good practices in areas such as using prepared statements for all SQL queries and properly escaping all output, significant concerns arise from its attack surface and historical vulnerability data. The analysis reveals a substantial number of unprotected entry points, including a majority of AJAX handlers and REST API routes that lack proper authentication or permission checks. This directly exposes functionalities to unauthorized access and potential manipulation. The plugin's vulnerability history, with past medium and high severity issues related to Missing Authorization and CSRF, reinforces these concerns. Although there are no currently unpatched vulnerabilities, the recurring pattern of authorization-related weaknesses suggests a persistent oversight in securing these critical entry points. In conclusion, while the plugin has strengths in data handling and output sanitization, the prevalent lack of authentication on its exposed interfaces presents a significant security risk that needs immediate attention.

Key Concerns

Multiple unprotected AJAX handlers
Multiple unprotected REST API routes
High severity historical vulnerability (unpatched)
Medium severity historical vulnerability (unpatched)
Flows with unsanitized paths

Vulnerabilities

JWT Authentication for WP REST APIs Security Vulnerabilities

CVEs by Year

1 CVE in 2022

2022

1 CVE in 2025

2025

Patched Has unpatched

Severity Breakdown

High

Medium

2 total CVEs

CVE-2025-39545medium · 4.3Missing Authorization

WordPress REST API Authentication <= 3.6.3 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update

Apr 16, 2025 Patched in 3.6.4 (7d)

CVE-2022-45073high · 8.8Cross-Site Request Forgery (CSRF)

WordPress REST API Authentication <= 2.4.0 - Cross-Site Request Forgery

Nov 9, 2022 Patched in 2.4.1 (440d)

Code Analysis

Analyzed Mar 16, 2026

JWT Authentication for WP REST APIs Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

492 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

100% escaped493 total outputs

Data Flows

1 unsanitized

Data Flow Analysis

5 flows1 with unsanitized paths

mo_api_auth_initialize_api_flow (admin\class-miniorange-api-authentication-admin.php:370)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

5 unprotected

JWT Authentication for WP REST APIs Attack Surface

Entry Points6

Unprotected5

AJAX Handlers 4

authwp_ajax_save_temporary_dataincludes\class-miniorange-api-authentication.php:178

authwp_ajax_install_and_activate_caw_freeincludes\class-miniorange-api-authentication.php:180

authwp_ajax_install_and_activate_wcps_freeincludes\class-miniorange-api-authentication.php:181

authwp_ajax_mo_api_auth_close_admin_noticesminiorange-api-authentication.php:82

REST API Routes 2

GET/wp-json/api/v1token-validateadmin\class-miniorange-api-authentication-admin.php:323

POST/wp-json/api/v1tokenadmin\class-miniorange-api-authentication-admin.php:332

WordPress Hooks 18

actionadmin_menuadmin\class-miniorange-api-authentication-admin.php:59

actionadmin_enqueue_scriptsadmin\class-miniorange-api-authentication-admin.php:60

actionadmin_enqueue_scriptsadmin\class-miniorange-api-authentication-admin.php:61

actionmo_api_auth_daily_cron_hookincludes\class-miniorange-api-authentication-cron-manager.php:29

actionplugins_loadedincludes\class-miniorange-api-authentication.php:148

actionadmin_enqueue_scriptsincludes\class-miniorange-api-authentication.php:172

actionadmin_enqueue_scriptsincludes\class-miniorange-api-authentication.php:173

actionadmin_menuincludes\class-miniorange-api-authentication.php:174

actionadmin_menuincludes\class-miniorange-api-authentication.php:175

actionrest_api_initincludes\class-miniorange-api-authentication.php:176

actionrest_api_initincludes\class-miniorange-api-authentication.php:177

actionadmin_noticesincludes\class-miniorange-api-authentication.php:179

filteradmin_footer_textminiorange-api-authentication.php:47

actionadmin_enqueue_scriptsminiorange-api-authentication.php:75

actionadmin_initminiorange-api-authentication.php:76

actionadmin_print_footer_scripts-plugins.phpminiorange-api-authentication.php:81

actionadmin_noticesminiorange-api-authentication.php:171

actionadmin_noticesminiorange-api-authentication.php:181

Scheduled Events 1

mo_api_auth_daily_cron_hook

Maintenance & Trust

JWT Authentication for WP REST APIs Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedFeb 9, 2026

PHP min version5.6

Downloads490K

Community Trust

Rating88/100

Number of ratings73

Active installs20K

Alternatives

JWT Authentication for WP REST APIs Alternatives

WP REST API Key Authentication

rest-api-key-authentication

A simple plugin to add API key-based authentication to the WordPress REST API. Manage multiple API keys and secure your REST API endpoints.

20 No CVEs

PKL WPz REST API Authentication

pkl-wpz-rest-api-auth

100

Control WordPress REST API access by requiring user authentication with API key system.

0 No CVEs

WooCommerce Legacy REST API

woocommerce-legacy-rest-api

The WooCommerce Legacy REST API, which is now part of WooCommerce itself but will be removed in WooCommerce 9.0.

400K No CVEs

Disable REST API

disable-json-api

Disable the use of the REST API on your website to site users. Now with User Role support!

90K No CVEs

Make Connector

integromat-connector

Make Connector. Make lets you design, build, and automate by connecting with WordPress in just a few clicks.

80K 3 CVEs

Developer Profile

JWT Authentication for WP REST APIs Developer Profile

miniOrange

38 plugins · 83K total installs

trust score

Avg Security Score

96/100

Avg Patch Time

324 days

View full developer profile

Detection Fingerprints

How We Detect JWT Authentication for WP REST APIs

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/wp-rest-api-authentication/css/font-awesome.min.css/wp-content/plugins/wp-rest-api-authentication/css/style_settings.min.css

Version Parameters

wp-rest-api-authentication/css/style_settings.min.css?ver=wp-rest-api-authentication/css/font-awesome.min.css?ver=

HTML / DOM Fingerprints

JS Globals

Mo_API_Authentication_Feedback

FAQ