aam_manage_application_passwords
RC 3
This is the material for the AAM 7.0.0-rc.3 release. Some of the features mentioned here may change before the stable release.
The WordPress core team introduced the ability to create and manage application passwords directly from a user's profile page in version 5.7.0. Alongside this feature, several new capabilities were added: create_app_password, list_app_passwords, read_app_password, edit_app_password, delete_app_passwords, and delete_app_password. They govern access to the respective REST API endpoints throughout the application password lifecycle.
However, this implementation has a notable flaw: while the REST API endpoints correctly enforce these capabilities, the WordPress admin interface does not reflect them. Specifically, there is no native way to hide or remove the "Application Passwords" section from the user profile page based on access control.
To address this limitation, AAM introduces a custom capability, aam_manage_application_passwords. When assigned, this capability determines whether a user or role can view or manage application passwords. If a role or user is denied this capability, the application password interface is hidden entirely.
For enhanced security, it is strongly recommended to disable application passwords for all accounts unless they are absolutely necessary. An application password is a long-lived credential: if one is leaked, an attacker can use it to authenticate automated requests against the REST API endpoints and potentially gain unauthorized access to the site.
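As an added illustration (this is not AAM's own code and not part of the original page), the following must-use plugin shows how a site owner can tie the WordPress core application-password switch to the capability described above, so that a user who is denied aam_manage_application_passwords loses both the profile UI and the ability to authenticate with existing tokens. It relies on the core filter wp_is_application_passwords_available_for_user and the core WP_Application_Passwords class (both present since WordPress 5.6); the capability name is the one this page documents, and the revocation-on-login step is an assumed defence-in-depth measure that goes beyond what the page describes.

```php
<?php
/**
 * Added example, not AAM's code: gate WordPress application passwords on a
 * capability so that the profile UI and REST authentication honour the same
 * decision. Save as wp-content/mu-plugins/gate-app-passwords.php.
 *
 * Assumption: the capability name below is the AAM capability documented on
 * this page; any other capability name can be substituted.
 */

const APP_PASSWORD_CAP = 'aam_manage_application_passwords';

/**
 * Disable application passwords for any user who lacks the capability.
 * Core evaluates this filter both when rendering the profile section and
 * inside wp_validate_application_password(), so a denied user can neither
 * create new tokens nor authenticate with ones that already exist.
 */
add_filter(
    'wp_is_application_passwords_available_for_user',
    function ( bool $available, WP_User $user ): bool {
        if ( ! $available ) {
            return false; // already off site-wide (e.g. non-SSL, non-local site)
        }
        return user_can( $user, APP_PASSWORD_CAP );
    },
    10,
    2
);

/**
 * Defence in depth (assumed, not described on the page): when a denied user
 * logs in interactively, revoke any application passwords they still hold so
 * previously issued tokens cannot be reused if the filter above is ever
 * removed. Logs the revocation so the action is visible in the server log.
 */
add_action(
    'wp_login',
    function ( string $user_login, WP_User $user ): void {
        if ( user_can( $user, APP_PASSWORD_CAP ) ) {
            return; // allowed user, nothing to revoke
        }
        $existing = WP_Application_Passwords::get_user_application_passwords( $user->ID );
        if ( empty( $existing ) ) {
            return;
        }
        $result = WP_Application_Passwords::delete_all_application_passwords( $user->ID );
        if ( is_wp_error( $result ) ) {
            error_log( sprintf( 'Failed to revoke application passwords for user %d: %s', $user->ID, $result->get_error_message() ) );
            return;
        }
        error_log( sprintf( 'Revoked %d application password(s) for user %d (capability denied)', count( $existing ), $user->ID ) );
    },
    10,
    2
);
```

After installing the file, a user without the capability sees no "Application Passwords" section on their profile, and any request carrying one of their old application passwords is rejected by core's validation, which is the behaviour to confirm with a quick authenticated REST request before and after assigning the capability.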