wpCAS Security & Risk Analysis

wordpress.org/plugins/wpcas

wpCAS integrates WordPress into an established CAS architecture, allowing centralized management and authentication of user credentials in a heterogen …

100 active installs · v1.07 · PHP + WP 2.7+ · Updated Mar 25, 2010
Tags: authentication · cas · central-authentication-service · phpcas · wpcas
Score: 63
C · Use Caution
CVEs total: 1
Unpatched: 1
Last CVE: Jan 20, 2026
Safety Verdict

Is wpCAS Safe to Use in 2026?

Use With Caution

Score 63/100

wpCAS has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE · 1 unpatched · Last CVE: Jan 20, 2026 · Updated 16yr ago
Risk Assessment

The wpcas plugin v1.07 exhibits a mixed security posture. While the static analysis shows no direct attack surface (AJAX handlers, REST API routes, shortcodes, cron events) and all SQL queries utilize prepared statements, significant concerns arise from the output escaping and vulnerability history. The low percentage of properly escaped output (18%) indicates a strong potential for Cross-Site Scripting (XSS) vulnerabilities, even if not directly flagged by the taint analysis. The presence of a known medium severity Cross-Site Scripting (XSS) vulnerability, which remains unpatched and was discovered in 2026, is a critical indicator of ongoing risk. The fact that this is the only known CVE also suggests a potential for undiscovered vulnerabilities. The absence of nonce and capability checks across the board, coupled with a low output escaping rate, amplifies the risk associated with any potential input vectors that might exist but were not identified by the static analysis.

Key Concerns

  • Unpatched medium severity CVE
  • Low percentage of properly escaped output
  • No nonce checks
  • No capability checks
  • Flows with unsanitized paths
Vulnerabilities (1)

wpCAS Security Vulnerabilities

CVEs by Year

2026: 1 CVE · unpatched

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-68858 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

wpCAS <= 1.07 - Reflected Cross-Site Scripting

Jan 20, 2026 · Unpatched
Code Analysis
Analyzed Mar 16, 2026

wpCAS Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 9 (2 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

18% escaped · 11 total outputs

Data Flows (2 unsanitized)

Data Flow Analysis

2 flows · 2 with unsanitized paths
  • wpcas_options_page (wpcas.php:163)
Flow diagram legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized
Attack Surface

wpCAS Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 10
  • filter · wpmu_signup_blog_notification · provisioning_example.php:86
  • action · wp_head · provisioning_example.php:92
  • action · admin_menu · wpcas.php:46
  • action · wp_authenticate · wpcas.php:77
  • action · wp_logout · wpcas.php:78
  • action · lost_password · wpcas.php:79
  • action · retrieve_password · wpcas.php:80
  • action · check_passwords · wpcas.php:81
  • action · password_reset · wpcas.php:82
  • filter · show_password_fields · wpcas.php:83
Maintenance & Trust

wpCAS Maintenance & Trust

Maintenance Signals

WordPress version tested: 2.7.1
Last updated: Mar 25, 2010
PHP min version:
Downloads: 6K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 100
Developer Profile

wpCAS Developer Profile

Casey Bisson

7 plugins · 290 total installs

Trust score: 68
Avg Security Score: 84/100
Avg Patch Time: 3405 days
Detection Fingerprints

How We Detect wpCAS

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

HTML / DOM Fingerprints

FAQ

Frequently Asked Questions about wpCAS