WP-WebAuthn Security & Risk Analysis

wordpress.org/plugins/wp-webauthn

WP-WebAuthn enables passwordless login through FIDO2 and U2F devices like Passkey, FaceID or Windows Hello for your site.

2K active installs · v1.4.1 · PHP 7.4+ · WP 5.0+ · Updated Apr 15, 2026
Tags: fido, login, passkey, security, webauthn

Score: 74 (B · Generally Safe)
CVEs total: 3
Unpatched: 1
Last CVE: Mar 20, 2026
Safety Verdict

Is WP-WebAuthn Safe to Use in 2026?

Mostly Safe

Score 74/100

WP-WebAuthn is generally safe to use. 3 past CVEs were resolved.

3 known CVEs · 1 unpatched · Last CVE: Mar 20, 2026 · Updated 1mo ago
Risk Assessment

The wp-webauthn plugin, in version 1.4.1, exhibits a mixed security posture. On the positive side, it demonstrates strong adherence to fundamental WordPress security practices, with all identified entry points (AJAX handlers, REST API routes, shortcodes, and cron events) appearing to have appropriate authentication and authorization checks. SQL queries are exclusively handled via prepared statements, and output escaping is generally robust, with only a small percentage showing potential for issues. Furthermore, the absence of external HTTP requests and the use of capability checks on a significant portion of its code are commendable.

However, several critical concerns warrant attention. The static analysis reveals a notable number of 'dangerous functions' in use, including ones capable of executing arbitrary code on the server. More alarmingly, the taint analysis identified six high-severity flows with unsanitized paths. This suggests that user-supplied input could reach sensitive operations without adequate sanitization, which is especially concerning in combination with the identified dangerous functions. The vulnerability history contains no critical or high severity CVEs, but it shows a pattern of medium-severity Cross-Site Scripting (XSS) vulnerabilities. The presence of a recent, unpatched medium vulnerability (as of 2026-03-20) is a significant red flag, suggesting ongoing issues with input validation or output encoding in specific scenarios.

In conclusion, while wp-webauthn implements several key security best practices, the presence of dangerous functions, high-severity unsanitized taint flows, and a history of XSS vulnerabilities, compounded by an unpatched medium CVE, indicates a substantial risk. The plugin requires immediate attention to address the identified taint flows and the unpatched vulnerability. Further in-depth review of the usage of dangerous functions in conjunction with user input is also strongly recommended.

Key Concerns

  • Unsanitized paths in taint analysis (high severity)
  • Unpatched CVE (medium severity)
  • Presence of dangerous functions
  • Low percentage of properly escaped output
  • History of XSS vulnerabilities
Vulnerabilities
3 published

WP-WebAuthn Security Vulnerabilities

CVEs by Year

  • 2024: 2 CVEs (patched)
  • 2026: 1 CVE (unpatched)

Severity Breakdown

Medium: 3
3 total CVEs

CVE-2025-13910 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP-WebAuthn <= 1.3.4 - Unauthenticated Stored Cross-Site Scripting
Mar 20, 2026 · Unpatched

CVE-2024-47650 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP-WebAuthn <= 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Sep 30, 2024 · Patched in 1.3.2 (11d)

CVE-2024-9023 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP-WebAuthn <= 1.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via wwa_login_form Shortcode
Sep 27, 2024 · Patched in 1.3.4 (10d)
Code Analysis
Analyzed Apr 16, 2026

WP-WebAuthn Code Analysis

Dangerous Functions: 32
Raw SQL Queries: 0 (27 prepared)
Unescaped Output: 6 (282 escaped)
Nonce Checks: 9
Capability Checks: 29
File Operations: 40
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

assert: assert($bin !== false);  [wp-webauthn-vendor/brick/math/src/BigInteger.php:1087]
assert: assert($denominator !== null);  [wp-webauthn-vendor/brick/math/src/BigNumber.php:93]
assert: assert($q !== null);  [wp-webauthn-vendor/brick/math/src/Internal/Calculator/BcMathCalculator.php:81]
assert: assert($r !== null);  [wp-webauthn-vendor/brick/math/src/Internal/Calculator/BcMathCalculator.php:82]
assert: assert(is_int($q));  [wp-webauthn-vendor/brick/math/src/Internal/Calculator/NativeCalculator.php:189]
assert: assert($carry === 0);  [wp-webauthn-vendor/brick/math/src/Internal/Calculator/NativeCalculator.php:435]
unserialize: $data = unserialize($serialized, ['allowed_classes' => false]);  [wp-webauthn-vendor/ramsey/collection/src/AbstractArray.php:166]
unserialize: $data = unserialize($serialized, ['allowed_classes' => [$this->getType()]]);  [wp-webauthn-vendor/ramsey/collection/src/AbstractCollection.php:283]
unserialize: $data = unserialize($serialized, [  [wp-webauthn-vendor/ramsey/uuid/src/Builder/BuilderCollection.php:61]
assert: assert($instance instanceof UuidV6);  [wp-webauthn-vendor/ramsey/uuid/src/Lazy/LazyUuidFromString.php:547]
assert: assert($instance instanceof UuidV6);  [wp-webauthn-vendor/ramsey/uuid/src/Lazy/LazyUuidFromString.php:556]
shell_exec: return trim((string) shell_exec('id -u'));  [wp-webauthn-vendor/ramsey/uuid/src/Provider/Dce/SystemDceSecurityProvider.php:114]
shell_exec: return trim((string) shell_exec('id -g'));  [wp-webauthn-vendor/ramsey/uuid/src/Provider/Dce/SystemDceSecurityProvider.php:134]
shell_exec: $response = shell_exec('whoami /user /fo csv /nh');  [wp-webauthn-vendor/ramsey/uuid/src/Provider/Dce/SystemDceSecurityProvider.php:174]
shell_exec: $response = shell_exec('net user %username% | findstr /b /i "Local Group Memberships"');  [wp-webauthn-vendor/ramsey/uuid/src/Provider/Dce/SystemDceSecurityProvider.php:202]
shell_exec: $response = shell_exec('wmic group get name,sid | findstr /b /i ' . escapeshellarg($firstGroup));  [wp-webauthn-vendor/ramsey/uuid/src/Provider/Dce/SystemDceSecurityProvider.php:217]
unserialize: $data = unserialize($serialized, [  [wp-webauthn-vendor/ramsey/uuid/src/Provider/Node/NodeProviderCollection.php:45]
passthru: passthru('ipconfig /all 2>&1');  [wp-webauthn-vendor/ramsey/uuid/src/Provider/Node/SystemNodeProvider.php:110]
passthru: passthru('ifconfig 2>&1');  [wp-webauthn-vendor/ramsey/uuid/src/Provider/Node/SystemNodeProvider.php:114]
passthru: passthru('netstat -i -f link 2>&1');  [wp-webauthn-vendor/ramsey/uuid/src/Provider/Node/SystemNodeProvider.php:118]
passthru: passthru('netstat -ie 2>&1');  [wp-webauthn-vendor/ramsey/uuid/src/Provider/Node/SystemNodeProvider.php:123]
assert: assert($uuid !== '');  [wp-webauthn-vendor/ramsey/uuid/src/Uuid.php:480]
exec: $execResult = exec('command -v -- '.escapeshellarg($name));  [wp-webauthn-vendor/symfony/process/ExecutableFinder.php:95]
proc_open: $this->process = @proc_open($commandline, $descriptors, $this->processPipes->pipes, $this->cwd, $env  [wp-webauthn-vendor/symfony/process/Process.php:353]
proc_open: $isTtySupported = (bool) @proc_open('echo 1 >/dev/null', [['file', '/dev/tty', 'r'], ['file', '/dev/  [wp-webauthn-vendor/symfony/process/Process.php:1261]
proc_open: return $result = (bool) @proc_open('echo 1 >/dev/null', [['pty'], ['pty'], ['pty']], $pipes);  [wp-webauthn-vendor/symfony/process/Process.php:1284]
exec: exec(sprintf('taskkill /F /T /PID %d 2>&1', $pid), $output, $exitCode);  [wp-webauthn-vendor/symfony/process/Process.php:1524]
proc_open: } elseif ($ok = proc_open(sprintf('kill -%d %d', $signal, $pid), [2 => ['pipe', 'w']], $pipes)) {  [wp-webauthn-vendor/symfony/process/Process.php:1537]
unserialize: unserialize(base64_decode($temp_val["pkcco"]), ['allowed_classes' => [  [wwa-ajax.php:585]
unserialize: $temp_val["usernameless_auth"] = unserialize($temp_val["usernameless_auth"], ['allowed_classes' => f  [wwa-ajax.php:970]
unserialize: $userEntity = unserialize($temp_val["user_auth"], ['allowed_classes' => [  [wwa-ajax.php:1132]
unserialize: unserialize(base64_decode($temp_val["pkcco_auth"]), ['allowed_classes' => [  [wwa-ajax.php:1164]

SQL Query Safety

100% prepared (27 total queries)

Output Escaping

98% escaped (288 total outputs)
Data Flows · Security
6 unsanitized

Data Flow Analysis

8 flows, 6 with unsanitized paths
wwa_no_authenticator_warning (wwa-functions.php:283)
Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface

WP-WebAuthn Attack Surface

Entry Points: 14
Unprotected: 0

AJAX Handlers 10

auth: wp_ajax_wwa_create  [wwa-ajax.php:456]
auth: wp_ajax_wwa_create_response  [wwa-ajax.php:637]
auth: wp_ajax_wwa_auth_start  [wwa-ajax.php:904]
nopriv: wp_ajax_wwa_auth_start  [wwa-ajax.php:905]
auth: wp_ajax_wwa_auth  [wwa-ajax.php:1243]
nopriv: wp_ajax_wwa_auth  [wwa-ajax.php:1244]
auth: wp_ajax_wwa_authenticator_list  [wwa-ajax.php:1293]
auth: wp_ajax_wwa_modify_authenticator  [wwa-ajax.php:1381]
auth: wp_ajax_wwa_get_log  [wwa-ajax.php:1402]
auth: wp_ajax_wwa_clear_log  [wwa-ajax.php:1420]

Shortcodes 4

[wwa_login_form] wwa-shortcodes.php:105
[wwa_register_form] wwa-shortcodes.php:149
[wwa_verify_button] wwa-shortcodes.php:175
[wwa_list] wwa-shortcodes.php:212
WordPress Hooks 33

action: plugins_loaded  [wp-webauthn.php:30]
action: plugins_loaded  [wp-webauthn.php:221]
action: wp_loaded  [wp-webauthn.php:251]
action: wp_loaded  [wp-webauthn.php:275]
filter: two_factor_enabled_providers_for_user  [wwa-compatibility.php:45]
action: delete_user  [wwa-functions.php:150]
action: wpmu_delete_user  [wwa-functions.php:162]
action: remove_user_from_blog  [wwa-functions.php:174]
action: login_enqueue_scripts  [wwa-functions.php:217]
filter: wp_authenticate_user  [wwa-functions.php:235]
action: register_new_user  [wwa-functions.php:248]
action: login_init  [wwa-functions.php:277]
filter: lost_password_html_link  [wwa-functions.php:278]
filter: show_password_fields  [wwa-functions.php:279]
filter: allow_password_reset  [wwa-functions.php:280]
action: admin_notices  [wwa-functions.php:354]
action: enqueue_block_editor_assets  [wwa-functions.php:366]
action: init  [wwa-functions.php:372]
filter: plugin_action_links  [wwa-functions.php:381]
filter: network_admin_plugin_action_links  [wwa-functions.php:390]
filter: plugin_row_meta  [wwa-functions.php:400]
action: wp_initialize_site  [wwa-functions.php:506]
filter: query_vars  [wwa-functions.php:508]
action: parse_request  [wwa-functions.php:509]
action: init  [wwa-functions.php:510]
action: show_user_profile  [wwa-menus.php:18]
action: personal_options_update  [wwa-menus.php:42]
action: edit_user_profile  [wwa-menus.php:47]
action: edit_user_profile_update  [wwa-menus.php:48]
action: admin_menu  [wwa-menus.php:51]
action: plugins_loaded  [wwa-menus.php:54]
action: network_admin_menu  [wwa-menus.php:61]
action: network_admin_edit_wwa_network_options_update  [wwa-menus.php:62]
Maintenance & Trust

WP-WebAuthn Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Apr 15, 2026
PHP min version: 7.4
Downloads: 24K

Community Trust

Rating: 90/100
Number of ratings: 17
Active installs: 2K
Developer Profile

WP-WebAuthn Developer Profile

Axton

2 plugins · 2K total installs

Trust score: 80
Avg Security Score: 80/100
Avg Patch Time: 11 days
Detection Fingerprints

How We Detect WP-WebAuthn

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-webauthn/assets/css/wp-webauthn-admin.css
/wp-content/plugins/wp-webauthn/assets/css/wp-webauthn-user.css
/wp-content/plugins/wp-webauthn/assets/js/wp-webauthn-admin.js
/wp-content/plugins/wp-webauthn/assets/js/wp-webauthn-user.js
Script Paths
/wp-content/plugins/wp-webauthn/assets/js/wp-webauthn-admin.js
/wp-content/plugins/wp-webauthn/assets/js/wp-webauthn-user.js
Version Parameters
wp-webauthn/assets/css/wp-webauthn-admin.css?ver=
wp-webauthn/assets/css/wp-webauthn-user.css?ver=
wp-webauthn/assets/js/wp-webauthn-admin.js?ver=
wp-webauthn/assets/js/wp-webauthn-user.js?ver=

HTML / DOM Fingerprints

CSS Classes
wwa-webauthn-login-container
wwa-webauthn-login-button
wwa-webauthn-registration-container
wwa-webauthn-registration-button
Data Attributes
data-wwa-options
data-wwa-user-id
JS Globals
wwa_webauthn_options
wwa_user_id
FAQ

Frequently Asked Questions about WP-WebAuthn