WPO365 | SEAMLESS WORDPRESS + MICROSOFT INTEGRATION (WPO365 | LOGIN) Security & Risk Analysis

wordpress.org/plugins/wpo365-login

WordPress + Microsoft Entra | Ext. ID | B2C | M365 Integration for your Digital Workplace. For SSO, Mail, Roles, Access, Profiles, SharePoint, PowerBI …

10K active installs · v40.3 · PHP 7.4+ · WP 5.0+ · Updated Feb 20, 2026
Tags: email, microsoft, powerbi, sharepoint, sso
Score: 90 · A · Safe
CVEs total: 4
Unpatched: 0
Last CVE: Jan 21, 2026
Safety Verdict

Is WPO365 | SEAMLESS WORDPRESS + MICROSOFT INTEGRATION (WPO365 | LOGIN) Safe to Use in 2026?

Generally Safe

Score 90/100

WPO365 | SEAMLESS WORDPRESS + MICROSOFT INTEGRATION (WPO365 | LOGIN) has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Jan 21, 2026 · Updated 1mo ago
Risk Assessment

The wpo365-login plugin exhibits a mixed security posture. While it demonstrates good practices in areas like SQL query preparation and output escaping, with high percentages of both, it has a significant concern regarding its attack surface. A large number of AJAX handlers (35) are unprotected by authentication checks, presenting a substantial entry point for attackers. The taint analysis revealed a small number of flows with unsanitized paths, though thankfully none reached critical or high severity levels.

The plugin's vulnerability history is a notable weakness. With four known CVEs, including one previously classified as critical and three as medium, it indicates a pattern of past security flaws. The common vulnerability types (SSRF, XSS, Improper Authentication) are serious and often exploitable. The fact that there are currently no unpatched vulnerabilities is positive, but the historical prevalence of these issues warrants caution. The last recorded vulnerability date, 2026-01-21, seems to be in the future, which may indicate a data error or that this is a projection.

Overall, the plugin has strengths in secure coding practices for SQL and output handling. However, the unprotected AJAX endpoints and the history of critical and medium severity vulnerabilities, particularly those related to SSRF, XSS, and improper authentication, significantly elevate the risk. Users should exercise caution and ensure the plugin is always updated to the latest version to mitigate known risks.

Key Concerns

  • Large attack surface without auth checks (AJAX)
  • History of 1 critical CVE
  • History of 3 medium CVEs
  • Flows with unsanitized paths
  • Limited nonce checks
  • Limited capability checks
Vulnerabilities
4

WPO365 | SEAMLESS WORDPRESS + MICROSOFT INTEGRATION (WPO365 | LOGIN) Security Vulnerabilities

CVEs by Year

2020: 1 CVE
2021: 1 CVE
2024: 1 CVE
2026: 1 CVE

Severity Breakdown

Critical: 1
Medium: 3

4 total CVEs

CVE-2025-67961 · medium · 6.4 · Server-Side Request Forgery (SSRF)
WPO365 <= 40.0 - Authenticated (Subscriber+) Server-Side Request Forgery
Jan 21, 2026 · Patched in 40.1 (8d)

CVE-2024-4706 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WordPress + Microsoft Office 365 / Azure AD | LOGIN <= 27.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via pintra Shortcode
May 22, 2024 · Patched in 28.0 (1d)

CVE-2021-43409 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WordPress + Microsoft Office 365 / Azure AD | LOGIN <= 15.3 - Stored Cross-Site Scripting
Oct 15, 2021 · Patched in 15.4 (830d)

CVE-2020-26511 · critical · 9.1 · Improper Authentication
WPO365 | LOGIN <= 11.6 - Authentication Bypass
Oct 2, 2020 · Patched in 11.7 (1208d)

Code Analysis
Analyzed Mar 16, 2026

WPO365 | SEAMLESS WORDPRESS + MICROSOFT INTEGRATION (WPO365 | LOGIN) Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 6 (35 prepared)
Unescaped Output: 5 (162 escaped)
Nonce Checks: 10
Capability Checks: 3
File Operations: 4
External Requests: 25
Bundled Libraries: 0

SQL Query Safety

85% prepared · 41 total queries

Output Escaping

97% escaped · 167 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

9 flows · 2 with unsanitized paths
license_page (Pages\License_Page.php:343)
Attack Surface
35 unprotected

WPO365 | SEAMLESS WORDPRESS + MICROSOFT INTEGRATION (WPO365 | LOGIN) Attack Surface

Entry Points: 41
Unprotected: 35

AJAX Handlers 35

auth · wp_ajax_wpo365_delete_settings · Core\Wp_Hooks.php:39
auth · wp_ajax_wpo365_delete_tokens · Core\Wp_Hooks.php:40
auth · wp_ajax_wpo365_get_settings · Core\Wp_Hooks.php:41
auth · wp_ajax_wpo365_update_settings · Core\Wp_Hooks.php:42
auth · wp_ajax_wpo365_get_log · Core\Wp_Hooks.php:43
auth · wp_ajax_wpo365_get_self_test_results · Core\Wp_Hooks.php:44
auth · wp_ajax_wpo365_import_idp_meta · Core\Wp_Hooks.php:45
auth · wp_ajax_wpo365_export_sp_meta · Core\Wp_Hooks.php:46
auth · wp_ajax_wpo365_get_wpo_health_messages · Core\Wp_Hooks.php:47
auth · wp_ajax_wpo365_dismiss_wpo_health_messages · Core\Wp_Hooks.php:48
auth · wp_ajax_wpo365_get_insights_summary · Core\Wp_Hooks.php:49
auth · wp_ajax_wpo365_get_insights · Core\Wp_Hooks.php:50
auth · wp_ajax_wpo365_get_parseable_options · Core\Wp_Hooks.php:51
auth · wp_ajax_wpo365_truncate_insights_data · Core\Wp_Hooks.php:52
auth · wp_ajax_wpo365_is_wpo365_configured · Core\Wp_Hooks.php:53
auth · wp_ajax_wpo365_get_multiple_idps · Core\Wp_Hooks.php:54
auth · wp_ajax_wpo365_copy_main_site_options · Core\Wp_Hooks.php:55
auth · wp_ajax_wpo365_switch_wpmu_mode · Core\Wp_Hooks.php:56
auth · wp_ajax_wpo365_send_test_alert · Core\Wp_Hooks.php:57
auth · wp_ajax_wpo365_send_test_mail · Core\Wp_Hooks.php:62
auth · wp_ajax_wpo365_get_mail_authorization_url · Core\Wp_Hooks.php:63
auth · wp_ajax_wpo365_get_mail_auth_configuration · Core\Wp_Hooks.php:64
auth · wp_ajax_wpo365_try_migrate_mail_app_principal_info · Core\Wp_Hooks.php:65
auth · wp_ajax_wpo365_get_mail_log · Core\Wp_Hooks.php:69
auth · wp_ajax_wpo365_send_mail_again · Core\Wp_Hooks.php:70
auth · wp_ajax_wpo365_truncate_mail_log · Core\Wp_Hooks.php:71
auth · wp_ajax_wpo365_mail_auto_retry · Core\Wp_Hooks.php:74
auth · wp_ajax_wpo365_lookup_user · Core\Wp_Hooks.php:83
auth · wp_ajax_wpo365_save_newuser_config · Core\Wp_Hooks.php:84
auth · wp_ajax_wpo365_get_newuser_config · Core\Wp_Hooks.php:85
auth · wp_ajax_wpo365_block_direct_media_access · Core\Wp_Hooks.php:91
auth · wp_ajax_wpo365_test_sync_query · Core\Wp_Hooks.php:113
auth · wp_ajax_wpo365_generate_scim_secret_token · Core\Wp_Hooks.php:148
auth · wp_ajax_get_tokencache · Core\Wp_Hooks.php:245
auth · wp_ajax_cors_proxy · Core\Wp_Hooks.php:246

Shortcodes 6

[pintra] Core\Shortcode_Helpers.php:30
[wpo365-sign-in-with-microsoft-v2-sc] Core\Shortcode_Helpers.php:99
[wpo365-login-button] Core\Shortcode_Helpers.php:153
[wpo365-display-error-message-sc] Core\Shortcode_Helpers.php:242
[wpo365-redirect-script] Core\Shortcode_Helpers.php:281
[wpo365-sso-button] Core\Shortcode_Helpers.php:310

WordPress Hooks 179

action · enqueue_block_editor_assets · Blocks\Loader.php:18
action · enqueue_block_assets · Blocks\Loader.php:26
filter · doing_it_wrong_trigger_error · Core\Cron_Helpers.php:21
action · user_profile_update_errors · Core\Permissions_Helpers.php:118
action · admin_notices · Core\Plugin_Helpers.php:132
action · network_admin_notices · Core\Plugin_Helpers.php:140
filter · allowed_redirect_hosts · Core\Url_Helpers.php:409
filter · pre_set_site_transient_update_plugins · Core\Wp_Hooks.php:17
action · admin_menu · Core\Wp_Hooks.php:22
action · network_admin_menu · Core\Wp_Hooks.php:23
action · admin_notices · Core\Wp_Hooks.php:28
action · network_admin_notices · Core\Wp_Hooks.php:29
action · admin_init · Core\Wp_Hooks.php:30
action · admin_footer · Core\Wp_Hooks.php:82
action · admin_init · Core\Wp_Hooks.php:101
filter · manage_users_columns · Core\Wp_Hooks.php:105
filter · manage_users_custom_column · Core\Wp_Hooks.php:109
filter · bulk_actions-users · Core\Wp_Hooks.php:117
filter · handle_bulk_actions-users · Core\Wp_Hooks.php:118
action · admin_init · Core\Wp_Hooks.php:126
filter · manage_users_columns · Core\Wp_Hooks.php:127
filter · manage_users_custom_column · Core\Wp_Hooks.php:128
filter · bulk_actions-users · Core\Wp_Hooks.php:129
filter · handle_bulk_actions-users · Core\Wp_Hooks.php:130
filter · pre_get_users · Core\Wp_Hooks.php:131
action · restrict_manage_users · Core\Wp_Hooks.php:132
action · personal_options · Core\Wp_Hooks.php:135
action · profile_personal_options · Core\Wp_Hooks.php:136
action · admin_post_wpo365_force_check_for_plugin_updates · Core\Wp_Hooks.php:152
filter · plugin_row_meta · Core\Wp_Hooks.php:153
filter · plugins_api · Core\Wp_Hooks.php:154
action · wp_dashboard_setup · Core\Wp_Hooks.php:157
action · wpo365/insights/notify · Core\Wp_Hooks.php:161
action · wpo365_insights_check_failed_notifications · Core\Wp_Hooks.php:171
action · wpo_check_password_credentials_expiration · Core\Wp_Hooks.php:181
filter · wpo365/cookie/redirect · Core\Wp_Hooks.php:188
filter · wpo365/cookie/set · Core\Wp_Hooks.php:189
filter · wpo365_skip_authentication · Core\Wp_Hooks.php:190
filter · wpo365/cookie/remove/url · Core\Wp_Hooks.php:191
action · wpo_sync_v2_users_start · Core\Wp_Hooks.php:197
action · wpo_sync_v2_users_next · Core\Wp_Hooks.php:198
action · wpo_sync_v2_monitor · Core\Wp_Hooks.php:203
action · wpo365/sync/before · Core\Wp_Hooks.php:204
action · wpo_sync_wp_to_aad_start · Core\Wp_Hooks.php:210
action · wpo_sync_wp_to_aad_next · Core\Wp_Hooks.php:211
action · user_register · Core\Wp_Hooks.php:215
filter · wp_pre_insert_user_data · Core\Wp_Hooks.php:216
action · wpo365/aad_user/created · Core\Wp_Hooks.php:217
filter · register_url · Core\Wp_Hooks.php:220
action · init · Core\Wp_Hooks.php:224
action · destroy_wpo365_session · Core\Wp_Hooks.php:228
action · personal_options_update · Core\Wp_Hooks.php:231
action · posts_selection · Core\Wp_Hooks.php:234
action · init · Core\Wp_Hooks.php:237
action · init · Core\Wp_Hooks.php:238
action · init · Core\Wp_Hooks.php:239
action · init · Core\Wp_Hooks.php:240
action · init · Core\Wp_Hooks.php:241
action · init · Core\Wp_Hooks.php:242
filter · manage_pages_columns · Core\Wp_Hooks.php:253
filter · manage_posts_columns · Core\Wp_Hooks.php:254
action · manage_pages_custom_column · Core\Wp_Hooks.php:255
action · manage_posts_custom_column · Core\Wp_Hooks.php:256
filter · manage_users_columns · Core\Wp_Hooks.php:259
filter · manage_users_custom_column · Core\Wp_Hooks.php:260
filter · posts_where · Core\Wp_Hooks.php:261
filter · get_pages · Core\Wp_Hooks.php:262
filter · wp_count_posts · Core\Wp_Hooks.php:263
filter · get_previous_post_where · Core\Wp_Hooks.php:264
filter · get_next_post_where · Core\Wp_Hooks.php:265
filter · map_meta_cap · Core\Wp_Hooks.php:268
action · init · Core\Wp_Hooks.php:272
action · add_meta_boxes · Core\Wp_Hooks.php:275
action · save_post · Core\Wp_Hooks.php:279
filter · status_header · Core\Wp_Hooks.php:283
action · rest_api_init · Core\Wp_Hooks.php:288
action · shutdown · Core\Wp_Hooks.php:307
action · wp_enqueue_scripts · Core\Wp_Hooks.php:311
action · login_enqueue_scripts · Core\Wp_Hooks.php:314
action · admin_enqueue_scripts · Core\Wp_Hooks.php:315
filter · script_loader_tag · Core\Wp_Hooks.php:316
filter · safe_style_css · Core\Wp_Hooks.php:319
action · login_form · Core\Wp_Hooks.php:322
action · rest_api_init · Core\Wp_Hooks.php:326
action · rest_api_init · Core\Wp_Hooks.php:337
action · rest_api_init · Core\Wp_Hooks.php:348
filter · rest_authentication_errors · Core\Wp_Hooks.php:359
filter · rest_authentication_errors · Core\Wp_Hooks.php:364
action · show_user_profile · Core\Wp_Hooks.php:369
action · edit_user_profile · Core\Wp_Hooks.php:370
action · personal_options_update · Core\Wp_Hooks.php:371
action · edit_user_profile_update · Core\Wp_Hooks.php:372
action · wp_authenticate · Core\Wp_Hooks.php:377
action · wp_authenticate · Core\Wp_Hooks.php:384
action · after_setup_theme · Core\Wp_Hooks.php:387
action · wp_authenticate · Core\Wp_Hooks.php:391
action · rest_api_init · Core\Wp_Hooks.php:395
action · phpmailer_init · Core\Wp_Hooks.php:399
filter · wp_mail_from · Core\Wp_Hooks.php:400
filter · wp_mail · Core\Wp_Hooks.php:403
filter · wpo365/mail/before · Core\Wp_Hooks.php:407
action · wpo_process_unsent_messages · Core\Wp_Hooks.php:411
action · admin_init · Core\Wp_Hooks.php:412
action · admin_bar_menu · Core\Wp_Hooks.php:422
action · wp_enqueue_scripts · Core\Wp_Hooks.php:423
action · admin_enqueue_scripts · Core\Wp_Hooks.php:424
action · bp_after_profile_loop_content · Core\Wp_Hooks.php:431
filter · bp_core_fetch_avatar · Core\Wp_Hooks.php:433
filter · bp_core_fetch_avatar_url · Core\Wp_Hooks.php:436
filter · show_password_fields · Core\Wp_Hooks.php:441
filter · allow_password_reset · Core\Wp_Hooks.php:442
filter · login_message · Core\Wp_Hooks.php:445
filter · query_vars · Core\Wp_Hooks.php:448
filter · send_email_change_email · Core\Wp_Hooks.php:451
filter · pre_get_avatar · Core\Wp_Hooks.php:463
filter · pre_get_avatar_data · Core\Wp_Hooks.php:466
filter · get_avatar · Core\Wp_Hooks.php:468
filter · wp_new_user_notification_email · Core\Wp_Hooks.php:474
filter · wp_send_new_user_notification_to_user · Core\Wp_Hooks.php:479
filter · wp_send_new_user_notification_to_admin · Core\Wp_Hooks.php:490
filter · wp_send_new_user_notification_to_user · Core\Wp_Hooks.php:503
action · wp_logout · Core\Wp_Hooks.php:507
action · wp_logout · Core\Wp_Hooks.php:510
action · wp_logout · Core\Wp_Hooks.php:511
action · check_admin_referer · Core\Wp_Hooks.php:516
action · wpo365/oidc/authenticating · Core\Wp_Hooks.php:520
action · wpo365/saml2/authenticating · Core\Wp_Hooks.php:521
action · activated_plugin · Core\Wp_Hooks.php:524
action · deactivated_plugin · Core\Wp_Hooks.php:525
action · upgrader_process_complete · Core\Wp_Hooks.php:528
action · user_register · Core\Wp_Hooks.php:532
action · wpo365/user/created/fail · Core\Wp_Hooks.php:533
action · set_logged_in_cookie · Core\Wp_Hooks.php:534
action · wpo365/user/loggedin/fail · Core\Wp_Hooks.php:535
filter · authenticate · Core\Wp_Hooks.php:536
action · wp_login_failed · Core\Wp_Hooks.php:537
action · wpo365/user/updated · Core\Wp_Hooks.php:538
action · wpo365/user/updated/fail · Core\Wp_Hooks.php:539
action · wpo365/mail/sent · Core\Wp_Hooks.php:540
action · wpo365/mail/sent/fail · Core\Wp_Hooks.php:541
action · wpo365/alert/submitted · Core\Wp_Hooks.php:542
action · wpo365/alert/submitted/fail · Core\Wp_Hooks.php:543
action · http_api_curl · Core\Wp_Hooks.php:548
filter · authenticate · Core\Wp_Hooks.php:553
action · wp_initialize_site · Core\Wp_Hooks.php:558
action · wpo365/user/created · Core\Wp_Hooks.php:563
filter · wpo365/wpmu/user_site/name · Core\Wp_Hooks.php:564
action · wpo365/wpmu/access_denied · Core\Wp_Hooks.php:568
filter · wpo365/user · Core\Wp_Hooks.php:572
action · wpo365/user/created · Core\Wp_Hooks.php:576
action · wpo365/oidc/authenticated_only · Core\Wp_Hooks.php:588
action · wpo365/oidc/authenticated · Core\Wp_Hooks.php:589
action · wpo365/saml/authenticated · Core\Wp_Hooks.php:590
filter · phpmailer_init · Mail\Mailer.php:441
filter · wp_mail_from · Mail\Mailer.php:483
action · admin_menu · Pages\License_Page.php:48
action · network_admin_menu · Pages\License_Page.php:49
action · admin_init · Pages\License_Page.php:54
action · admin_init · Pages\License_Page.php:59
action · admin_notices · Pages\License_Page.php:64
action · network_admin_notices · Pages\License_Page.php:65
action · init · Services\Router_Service.php:28
action · init · Services\Router_Service.php:44
action · init · Services\Router_Service.php:51
action · init · Services\Router_Service.php:55
action · init · Services\Router_Service.php:76
action · init · Services\Router_Service.php:80
action · init · Services\Router_Service.php:92
action · init · Services\Router_Service.php:97
action · init · Services\Router_Service.php:101
action · init · Services\Router_Service.php:126
filter · rest_post_dispatch · Services\Scim_Service.php:41
filter · wp_pre_insert_user_data · Services\User_Create_Service.php:117
action · user_register · Services\User_Create_Service.php:121
filter · allow_password_reset · Services\User_Create_Service.php:158
action · plugins_loaded · wpo365-login.php:38
filter · cron_schedules · wpo365-login.php:39
action · login_init · wpo365-login.php:46
action · init · wpo365-login.php:66

Scheduled Events 1

wpo_check_password_credentials_expiration
Maintenance & Trust

WPO365 | SEAMLESS WORDPRESS + MICROSOFT INTEGRATION (WPO365 | LOGIN) Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 20, 2026
PHP min version: 7.4
Downloads: 496K

Community Trust

Rating: 98/100
Number of ratings: 145
Active installs: 10K
Developer Profile

WPO365 | SEAMLESS WORDPRESS + MICROSOFT INTEGRATION (WPO365 | LOGIN) Developer Profile

Marco van Wieren

4 plugins · 22K total installs

Trust score: 74
Avg Security Score: 93/100
Avg Patch Time: 385 days
Detection Fingerprints

How We Detect WPO365 | SEAMLESS WORDPRESS + MICROSOFT INTEGRATION (WPO365 | LOGIN)

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wpo365-login/Blocks/dist/docs/basic.js
/wp-content/plugins/wpo365-login/Blocks/dist/docs/basic.asset.php
/wp-content/plugins/wpo365-login/Blocks/dist/aud/basic.js
/wp-content/plugins/wpo365-login/Blocks/dist/aud/basic.asset.php

Script Paths
/wp-content/plugins/wpo365-login/dist/main.js
/wp-content/plugins/wpo365-login/dist/main.asset.php
/wp-content/plugins/wpo365-login/dist/admin.js
/wp-content/plugins/wpo365-login/dist/admin.asset.php

Version Parameters
wpo365-login/dist/main.js?ver=
wpo365-login/dist/admin.js?ver=
wpo365-login/Blocks/dist/docs/editor-basic.js?ver=
wpo365-login/Blocks/dist/docs/app-basic.js?ver=
wpo365-login/Blocks/dist/aud/editor-basic.js?ver=
wpo365-login/Blocks/dist/aud/app-basic.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpo365-login-setup-page
wpo365-auth-setup-page
wpo365-auth-admin-page

Data Attributes
data-wpo365-login-setup

JS Globals
wpo365
wpo365.blocks
wpo365.aud
wpo365.scenario

REST Endpoints
/wp-json/wpo365/v1/graph
FAQ

Frequently Asked Questions about WPO365 | SEAMLESS WORDPRESS + MICROSOFT INTEGRATION (WPO365 | LOGIN)