XMPP Authentication Security & Risk Analysis

wordpress.org/plugins/xmpp-auth

Allows users to authenticate without password via XMPP and for visitors to be filtered by XMPP verification.

10 active installs · v0.6 · PHP + · WP 3.2.0+ · Updated Jan 15, 2016
Tags: authentication, comments, jabber, xep-0070, xmpp
Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is XMPP Authentication Safe to Use in 2026?

Generally Safe

Score 85/100

XMPP Authentication has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 10yr ago
Risk Assessment

The xmpp-auth v0.6 plugin exhibits a generally positive security posture with no known CVEs or recorded vulnerability history, suggesting a history of good security practices. The static analysis reveals a limited attack surface, with zero unprotected entry points, which is a strong indicator of secure design.

However, the code analysis does highlight several areas of concern. The presence of dangerous functions like `create_function` and `shell_exec` warrants attention, as these can be misused in certain contexts. Furthermore, the plugin uses raw SQL queries without prepared statements, which is a common vector for SQL injection vulnerabilities. The moderate rate of properly escaped output (43%) suggests that some user-supplied data may not be adequately sanitized before being displayed, potentially leading to cross-site scripting (XSS) vulnerabilities. The absence of nonce checks on any entry points is also a notable weakness, as nonces are crucial for preventing cross-site request forgery (CSRF) attacks.

Despite these specific coding concerns, the plugin's lack of a complex attack surface and its clean vulnerability history are significant strengths. The primary risks lie within the potential for SQL injection, XSS, and CSRF, stemming from the identified code-level weaknesses.

Key Concerns

  • Dangerous functions present (create_function, shell_exec)
  • SQL queries used without prepared statements
  • Low percentage of properly escaped output
  • Zero nonce checks on entry points
  • Limited capability checks
Vulnerabilities
None known

XMPP Authentication Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

XMPP Authentication Code Analysis

Dangerous Functions: 5
Raw SQL Queries: 1 (0 prepared)
Unescaped Output: 17 (13 escaped)
Nonce Checks: 0
Capability Checks: 2
File Operations: 10
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

create_function · Auth\SASL2\SCRAM.php:83
    $this->hash = create_function('$data', 'return hash("' . $hashes[$hash] . '", $data, TRUE);');
create_function · Auth\SASL2\SCRAM.php:84
    $this->hmac = create_function('$key,$str,$raw', 'return hash_hmac("' . $hashes[$hash] . '", $str, $k
create_function · Auth\SASL2\SCRAM.php:88
    $this->hash = create_function('$data', 'return md5($data, true);');
create_function · Auth\SASL2\SCRAM.php:93
    $this->hash = create_function('$data', 'return sha1($data, true);');
shell_exec · xmpp-auth.php:44
    $hash = shell_exec('openssl x509 -hash -noout -in "' . $cert . '"');

SQL Query Safety

0% prepared · 1 total queries

Output Escaping

43% escaped · 30 total outputs
Attack Surface

XMPP Authentication Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 17
  • action · admin_init · admin.php:43
  • action · admin_menu · admin.php:292
  • action · admin_notices · admin.php:314
  • filter · user_jabber_label · admin.php:323
  • filter · user_contactmethods · admin.php:332
  • action · profile_personal_options · admin.php:371
  • action · show_user_profile · admin.php:381
  • action · personal_options_update · admin.php:403
  • filter · plugin_action_links · admin.php:434
  • filter · comment_form_default_fields · comment.php:49
  • filter · pre_comment_approved · comment.php:135
  • action · comment_post · comment.php:149
  • action · login_init · login.php:42
  • action · login_form · login.php:68
  • filter · authenticate · login.php:92
  • filter · authenticate · login.php:187
  • filter · shake_error_codes · login.php:199
Maintenance & Trust

XMPP Authentication Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.4.34
Last updated: Jan 15, 2016
PHP min version:
Downloads: 3K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 10
Developer Profile

XMPP Authentication Developer Profile

Jehan

1 plugin · 10 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect XMPP Authentication

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/xmpp-auth/xmpp-auth.css
Script Paths
  • /wp-content/plugins/xmpp-auth/admin.js
Version Parameters
  • xmpp-auth.css?ver=
  • admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • imauth-options
  • imauth-advanced-options
Data Attributes
  • id='xmppauth-bot-conf'
  • id='node'
  • id='domain'
  • id='password'
  • id='xmppauth_component'
  • id='component'
  • +7 more
JS Globals
  • objectL10n