Secufor_OAuth Security & Risk Analysis

wordpress.org/plugins/wpoauth

Looking for a budget-friendly alternative to expensive SSO solutions? Our OAuth extension provides the same robust security and provider support as Mi …

0 active installs v0.0 PHP + WP 5.0+ Updated Mar 24, 2026
authenticationoauthsecuritysingle-sign-onsso
78
B · Generally Safe
CVEs total1
Unpatched1
Last CVEJun 23, 2026
Download
Safety Verdict

Is Secufor_OAuth Safe to Use in 2026?

Mostly Safe

Score 78/100

Secufor_OAuth is generally safe to use. 1 past CVE were resolved.

1 known CVE 1 unpatched Last CVE: Jun 23, 2026Updated 3mo ago
Risk Assessment

The wpoauth v1.0.7 plugin exhibits a generally strong security posture with several good practices in place. Notably, it demonstrates 100% usage of prepared statements for SQL queries and 100% proper output escaping, which are critical for preventing common web vulnerabilities. The absence of known CVEs and a clean vulnerability history further suggest a well-maintained and secure codebase. However, there are significant concerns regarding its attack surface. With 3 total entry points, 2 of which lack authentication checks (AJAX handlers), this presents a notable risk. The plugin also performs 7 external HTTP requests, which, while not inherently problematic, can become a vector if not handled securely and are not explicitly detailed in the static analysis. The presence of file operations, though only one, warrants attention in a more in-depth review to ensure it's not exploitable. The lack of capability checks on any entry points is a weakness that, combined with the unprotected AJAX handlers, could allow unauthorized actions. While the taint analysis shows no critical or high severity flows, the absence of capability checks on AJAX endpoints is a significant omission that could lead to unintended consequences.

Key Concerns

  • Unprotected AJAX handlers
  • No capability checks on entry points
  • File operations present
Vulnerabilities
1 published

Secufor_OAuth Security Vulnerabilities

CVEs by Year

1 CVE in 2026 · unpatched
2026
Patched Has unpatched

Severity Breakdown

Medium
1

1 total CVE

CVE-2026-7617medium · 5.3Missing Authorization

Secufor_OAuth <= 1.0.7 - Missing Authorization to Unauthenticated Account Logout via 'secuforoauth_unregister_action' AJAX Action

Jun 23, 2026Unpatched
Version History

Secufor_OAuth Release Timeline

v1.0.81 CVE
v1.0.71 CVE
v1.0.61 CVE
v1.0.51 CVE
v1.0.41 CVE
v1.0.31 CVE
v1.0.21 CVE
v1.0.11 CVE
Code Analysis
Analyzed Mar 17, 2026

Secufor_OAuth Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
0
109 escaped
Nonce Checks
7
Capability Checks
0
File Operations
1
External Requests
7
Bundled Libraries
0

Output Escaping

100% escaped109 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

2 flows
secuforoauth_handle_login (secuforoauth_login.php:80)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
2 unprotected

Secufor_OAuth Attack Surface

Entry Points3
Unprotected2

AJAX Handlers 3

authwp_ajax_secuforoauth_unregister_actionsecuforoauth_login.php:220
noprivwp_ajax_secuforoauth_unregister_actionsecuforoauth_login.php:221
authwp_ajax_delete_oauth_providersecuforoauth_provider_page.php:328
WordPress Hooks 7
actioninitincludes\secuforoauth_providers.php:207
actioninitincludes\secuforoauth_providers.php:278
actionadmin_menusecuforoauth.php:30
actionadmin_enqueue_scriptssecuforoauth_enqueue_handler.php:17
actionadmin_enqueue_scriptssecuforoauth_enqueue_handler.php:31
actioninitsecuforoauth_login.php:102
actionadmin_initsecuforoauth_provider_page.php:244
Maintenance & Trust

Secufor_OAuth Maintenance & Trust

Maintenance Signals

WordPress version tested6.7.5
Last updatedMar 24, 2026
PHP min version
Downloads2K

Community Trust

Rating100/100
Number of ratings2
Active installs0
Developer Profile

Secufor_OAuth Developer Profile

Secufor

1 plugin · 0 total installs

79
trust score
Avg Security Score
78/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Secufor_OAuth

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wpoauth/javascript/login.js/wp-content/plugins/wpoauth/javascript/mappage.js/wp-content/plugins/wpoauth/css/loginPage.css/wp-content/plugins/wpoauth/css/homePage.css/wp-content/plugins/wpoauth/css/providerPage.css/wp-content/plugins/wpoauth/css/userHelp.css
Script Paths
/wp-content/plugins/wpoauth/javascript/login.js/wp-content/plugins/wpoauth/javascript/mappage.js

HTML / DOM Fingerprints

CSS Classes
secuforoauth-containersecuforoauth-buttonssecuforoauth-btnsecuforoauth-content
Data Attributes
data-secuforoauth-delete-provider-action
JS Globals
secuforoauth_ajaxsecuforoauth_delete_provider_action
FAQ

Frequently Asked Questions about Secufor_OAuth