WP-Safety

Ace User Management Security & Risk Analysis

wordpress.org/plugins/ace-user-management

It help us to create registration form with unlimted custom fields.

0 active installs v2.6 PHP + WP 3.0.1+ Updated Dec 18, 2025
custom-fieldspages-custom-cssrecaptcha-for-loginregisteruser-login
72
B · Generally Safe
CVEs total1
Unpatched1
Last CVEOct 15, 2025
Plugin page Download
Safety Verdict

Is Ace User Management Safe to Use in 2026?

Mostly Safe

Score 72/100

Ace User Management is generally safe to use. 1 past CVE were resolved.

1 known CVE 1 unpatched Last CVE: Oct 15, 2025Updated 4mo ago
Risk Assessment

The 'ace-user-management' plugin version 2.6 presents a mixed security posture. While it demonstrates good practices in output escaping, with 100% of outputs properly handled, and a moderate adoption of prepared statements for SQL queries (58%), significant concerns remain regarding its attack surface and vulnerability history. The presence of two AJAX handlers without authentication checks is a direct pathway for potential unauthorized actions, and the lack of explicit permission callbacks for its REST API routes (though none are present) suggests a potential future risk if added. The plugin's history is marred by a critical, unpatched vulnerability from late 2025, specifically an 'Authorization Bypass Through User-Controlled Key'. This indicates a recurring pattern of serious authorization flaws, which is a major red flag for the plugin's overall security maturity and maintenance.

Key Concerns

  • Unpatched critical CVE
  • Unprotected AJAX handlers
  • SQL queries with insufficient prepared statement usage
Vulnerabilities
1 published

Ace User Management Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched
2025
Patched Has unpatched

Severity Breakdown

Critical
1

1 total CVE

CVE-2025-6027critical · 9.8Authorization Bypass Through User-Controlled Key

Ace User Management <= 2.0.3 - Unauthenticated Privilege Escalation via Password Reset

Oct 15, 2025Unpatched
Version History

Ace User Management Release Timeline

v2.6Current1 CVE
CVE-2025-6027
v2.51 CVE
CVE-2025-6027
v2.0.51 CVE
CVE-2025-6027
v2.0.41 CVE
CVE-2025-6027
v2.0.31 CVE
CVE-2025-6027
v2.0.21 CVE
CVE-2025-6027
v2.0.11 CVE
CVE-2025-6027
v2.0.01 CVE
CVE-2025-6027
v1.0.91 CVE
CVE-2025-6027
v1.0.81 CVE
CVE-2025-6027
v1.0.71 CVE
CVE-2025-6027
v1.0.61 CVE
CVE-2025-6027
v1.0.51 CVE
CVE-2025-6027
v1.0.41 CVE
CVE-2025-6027
v1.0.31 CVE
CVE-2025-6027
v1.0.21 CVE
CVE-2025-6027
v1.0.11 CVE
CVE-2025-6027
v1.0.01 CVE
CVE-2025-6027
Code Analysis
Analyzed Mar 17, 2026

Ace User Management Code Analysis

Dangerous Functions
0
Raw SQL Queries
8
11 prepared
Unescaped Output
2
416 escaped
Nonce Checks
15
Capability Checks
3
File Operations
1
External Requests
2
Bundled Libraries
0

SQL Query Safety

58% prepared19 total queries

Output Escaping

100% escaped418 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

5 flows
add_all_setting_plugin (admin\class-ace-user-management-admin.php:149)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
2 unprotected

Ace User Management Attack Surface

Entry Points8
Unprotected2

AJAX Handlers 2

authwp_ajax_delete_userincludes\class-ace-user-management.php:168
noprivwp_ajax_delete_userincludes\class-ace-user-management.php:169

Shortcodes 6

[ace-profile-page] includes\class-ace-user-management.php:213
[ace-login-public-form] includes\class-ace-user-management.php:214
[ace-forget-password] includes\class-ace-user-management.php:215
[ace-random-code-page] includes\class-ace-user-management.php:216
[ace-profile-page] includes\class-ace-user-management.php:217
[ace-registration-public-form] includes\class-ace-user-management.php:218
WordPress Hooks 23
actionplugins_loadedincludes\class-ace-user-management.php:145
actionadmin_enqueue_scriptsincludes\class-ace-user-management.php:160
actionadmin_enqueue_scriptsincludes\class-ace-user-management.php:161
actionadmin_menuincludes\class-ace-user-management.php:162
actioninitincludes\class-ace-user-management.php:170
actionshow_user_profileincludes\class-ace-user-management.php:172
actionedit_user_profileincludes\class-ace-user-management.php:173
actionpersonal_options_updateincludes\class-ace-user-management.php:175
actionedit_user_profile_updateincludes\class-ace-user-management.php:176
actionuser_registerincludes\class-ace-user-management.php:178
actionwp_enqueue_scriptsincludes\class-ace-user-management.php:197
actionwp_enqueue_scriptsincludes\class-ace-user-management.php:198
actionwp_logoutincludes\class-ace-user-management.php:199
filterlogin_redirectincludes\class-ace-user-management.php:200
actioninitincludes\class-ace-user-management.php:201
actiontemplate_redirectincludes\class-ace-user-management.php:202
filterregisterincludes\class-ace-user-management.php:203
filterwp_nav_menu_itemsincludes\class-ace-user-management.php:204
actionwp_authenticateincludes\class-ace-user-management.php:205
filtershow_admin_barincludes\class-ace-user-management.php:206
actioninitincludes\class-ace-user-management.php:208
filterquery_varsincludes\class-ace-user-management.php:209
actiontemplate_redirectincludes\class-ace-user-management.php:210
Maintenance & Trust

Ace User Management Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedDec 18, 2025
PHP min version
Downloads3K

Community Trust

Rating0/100
Number of ratings0
Active installs0
Alternatives

Ace User Management Alternatives

DRegister

DRegister

dregister

A
85

Enhance your Registration Page. Require First Name, Last Name. Add custom fields. Require custom fields.

10 No CVEs
Login & Register Form by BestWebSoft – WordPress Website Access Control Plugin

Login & Register Form by BestWebSoft – WordPress Website Access Control Plugin

bws-login-register

A
100

Add custom login and registration forms to your WordPress website with enhanced access control and user authentication options.

0 No CVEs
Advanced Custom Fields (ACF®)

Advanced Custom Fields (ACF®)

advanced-custom-fields

A
92

ACF helps customize WordPress with powerful, professional and intuitive fields. Proudly powering over 2 million sites, WordPress developers love ACF.

2.0M 10 CVEs
Meta Box

Meta Box

meta-box

A
89

Meta Box plugin is a powerful, professional developer toolkit to create custom meta boxes and custom fields for your custom post types in WordPress.

500K 7 CVEs
Checkout Field Editor (Checkout Manager) for WooCommerce

Checkout Field Editor (Checkout Manager) for WooCommerce

woo-checkout-field-editor-pro

A
93

Checkout Field Editor (Checkout Manager) for WooCommerce – The best WooCommerce checkout manager plugin to manage WooCommerce checkout fields.

500K 3 CVEs
Developer Profile

Ace User Management Developer Profile

Acewebx

9 plugins · 330 total installs

77
trust score
Avg Security Score
97/100
Avg Patch Time
330 days
View full developer profile
Detection Fingerprints

How We Detect Ace User Management

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/ace-user-management/css/ace-user-management-admin.css/wp-content/plugins/ace-user-management/css/ace-fontawesome.css/wp-content/plugins/ace-user-management/css/bootstrap.min.css/wp-content/plugins/ace-user-management/js/ace-user-management-admin.js/wp-content/plugins/ace-user-management/js/ace-bootstrap.min.js
Script Paths
/wp-content/plugins/ace-user-management/js/ace-user-management-admin.js
Version Parameters
ace-user-management-admin.css?ver=ace-fontawesome.css?ver=bootstrap.min.css?ver=ace-bootstrap.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
ace-user-management-adminace-fontawesome
HTML Comments
<!-- wordpress menu -->
Data Attributes
data-ace-user-management-nonce
JS Globals
ajax.urlajax.nonce
FAQ

Frequently Asked Questions about Ace User Management