wpDirAuth Security & Risk Analysis

wordpress.org/plugins/wpdirauth

WordPress directory authentication plugin through LDAP and LDAPS (SSL).

600 active installs · v1.10.7 · PHP + · WP 2.2+ · Updated Aug 18, 2023
authentication, directory, ldap, ldaps, login
85
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is wpDirAuth Safe to Use in 2026?

Generally Safe

Score 85/100

wpDirAuth has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 2yr ago
Risk Assessment

The "wpdirauth" v1.10.7 plugin exhibits a mixed security posture. On the positive side, it has a remarkably small attack surface, with no exposed AJAX handlers, REST API routes, shortcodes, or cron events, and it has no vulnerability history, suggesting a potentially stable and well-maintained codebase. However, the code analysis reveals significant concerns: the plugin uses the dangerous functions `unserialize` and `create_function`, and none of its SQL queries use prepared statements. The taint analysis shows one flow with unsanitized paths, which, while not classified as critical or high, still represents a potential risk. No capability checks were found for any entry point; although the attack surface is currently zero, this indicates a potential weakness if new entry points are introduced in the future without proper authorization checks. Overall, the limited attack surface and clean vulnerability history are strengths, but the dangerous functions, unprepared SQL queries, and unsanitized taint flow warrant caution.

Key Concerns

  • Use of dangerous function: unserialize
  • Use of dangerous function: create_function
  • SQL queries not using prepared statements
  • Taint flow with unsanitized paths
  • No capability checks for entry points
  • Output escaping not fully implemented
Vulnerabilities
None known

wpDirAuth Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

wpDirAuth Code Analysis

Dangerous Functions: 4
Raw SQL Queries: 2 (0 prepared)
Unescaped Output: 15 (23 escaped)
Nonce Checks: 1
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

  • unserialize (wpDirAuth.php:1643): `$aryLdapKeys = apply_filters('wpdirauth_ldap_user_keys',unserialize(WPDIRAUTH_LDAP_RETURN_KEYS));`
  • create_function (wpDirAuth.php:2196): `add_action('lostpassword_form',create_function('','echo get_site_option("dirAuthChangePassMsg");'));`
  • unserialize (wpDirAuth.php:2349): `$aryReturnKeys = array_values(unserialize(WPDIRAUTH_LDAP_RETURN_KEYS));`
  • unserialize (wpDirAuth.php:2376): `foreach(unserialize(WPDIRAUTH_OPTIONS) as $strOption){`

SQL Query Safety

0% prepared · 2 total queries

Output Escaping

61% escaped · 38 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

3 flows · 1 with unsanitized paths
Flow with unsanitized paths: wpDirAuth_loginFormExtra (wpDirAuth.php:1104)
Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface

wpDirAuth Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 16

  • filter · authenticate · wpDirAuth.php:156
  • action · admin_menu · wpDirAuth.php:255
  • filter · authenticate · wpDirAuth.php:1411
  • action · network_admin_menu · wpDirAuth.php:2172
  • action · show_network_site_users_add_new_form · wpDirAuth.php:2173
  • action · network_admin_menu · wpDirAuth.php:2175
  • action · admin_menu · wpDirAuth.php:2177
  • action · admin_menu · wpDirAuth.php:2183
  • action · login_form · wpDirAuth.php:2185
  • action · profile_update · wpDirAuth.php:2186
  • action · lostpassword_form · wpDirAuth.php:2196
  • action · lostpassword_form · wpDirAuth.php:2198
  • filter · show_password_fields · wpDirAuth.php:2213
  • filter · allow_password_reset · wpDirAuth.php:2214
  • filter · auth_cookie_expiration · wpDirAuth.php:2215
  • filter · login_message · wpDirAuth.php:2252
Maintenance & Trust

wpDirAuth Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.3.8
Last updated: Aug 18, 2023
PHP min version
Downloads: 47K

Community Trust

Rating: 94/100
Number of ratings: 12
Active installs: 600
Developer Profile

wpDirAuth Developer Profile

Paul Gilzow

1 plugin · 600 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect wpDirAuth

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wpdirauth/css/wpdirauth-settings.css
  • /wp-content/plugins/wpdirauth/css/wpdirauth.css
  • /wp-content/plugins/wpdirauth/js/wpdirauth.js
Script Paths
  • /wp-content/plugins/wpdirauth/js/wpdirauth.js
Version Parameters
  • wpdirauth/css/wpdirauth-settings.css?ver=
  • wpdirauth/css/wpdirauth.css?ver=
  • wpdirauth/js/wpdirauth.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpdirauth-settings
HTML Comments
  • SAFE MODE
  • SAFE MODE: wpDirAuth plugin configuration panel.
Data Attributes
data-wpdirauth-ajax-url
JS Globals
wpdirauth_ajax_object