Ace User Management Security & Risk Analysis

wordpress.org/plugins/ace-user-management

It helps us create registration forms with unlimited custom fields.

0 active installs · v2.6 · PHP + · WP 3.0.1+ · Updated Dec 18, 2025
Tags: custom-fields, pages-custom-css, recaptcha-for-login, register, user-login
Score: 70 · B · Generally Safe
CVEs total: 1
Unpatched: 1
Last CVE: Oct 15, 2025
Safety Verdict

Is Ace User Management Safe to Use in 2026?

Mostly Safe

Score 70/100

Ace User Management is generally safe to use. 1 past CVE was resolved. Keep it updated.

1 known CVE · 1 unpatched · Last CVE: Oct 15, 2025 · Updated 3mo ago
Risk Assessment

Version 2.6 of the 'ace-user-management' plugin presents a mixed security posture. On the positive side, output escaping is good, with 100% of outputs properly handled, and prepared statements are used for a moderate share of SQL queries (58%). Significant concerns remain regarding its attack surface and vulnerability history. Two AJAX handlers lack authentication checks, which is a direct pathway for potential unauthorized actions. The plugin registers no REST API routes, so there are no permission callbacks to assess, but any routes added in future without explicit permission callbacks would be a risk.

The plugin's history is marred by a critical, unpatched vulnerability from late 2025, an 'Authorization Bypass Through User-Controlled Key'. This indicates a recurring pattern of serious authorization flaws, which is a major red flag for the plugin's overall security maturity and maintenance.

Key Concerns

  • Unpatched critical CVE
  • Unprotected AJAX handlers
  • SQL queries with insufficient prepared statement usage
Vulnerabilities: 1

Ace User Management Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched

Severity Breakdown

Critical: 1

1 total CVE

CVE-2025-6027 · critical · 9.8 · Authorization Bypass Through User-Controlled Key

Ace User Management <= 2.0.3 - Unauthenticated Privilege Escalation via Password Reset

Oct 15, 2025 · Unpatched
Code Analysis
Analyzed Mar 17, 2026

Ace User Management Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 8 (11 prepared)
Unescaped Output: 2 (416 escaped)
Nonce Checks: 15
Capability Checks: 3
File Operations: 1
External Requests: 2
Bundled Libraries: 0

SQL Query Safety

58% prepared · 19 total queries

Output Escaping

100% escaped · 418 total outputs

Data Flows: All sanitized

Data Flow Analysis

5 flows
add_all_setting_plugin (admin\class-ace-user-management-admin.php:149)
Attack Surface: 2 unprotected

Ace User Management Attack Surface

Entry Points: 8
Unprotected: 2

AJAX Handlers 2

auth · wp_ajax_delete_user · includes\class-ace-user-management.php:168
nopriv · wp_ajax_delete_user · includes\class-ace-user-management.php:169

Shortcodes 6

[ace-profile-page] includes\class-ace-user-management.php:213
[ace-login-public-form] includes\class-ace-user-management.php:214
[ace-forget-password] includes\class-ace-user-management.php:215
[ace-random-code-page] includes\class-ace-user-management.php:216
[ace-profile-page] includes\class-ace-user-management.php:217
[ace-registration-public-form] includes\class-ace-user-management.php:218
WordPress Hooks 23

action · plugins_loaded · includes\class-ace-user-management.php:145
action · admin_enqueue_scripts · includes\class-ace-user-management.php:160
action · admin_enqueue_scripts · includes\class-ace-user-management.php:161
action · admin_menu · includes\class-ace-user-management.php:162
action · init · includes\class-ace-user-management.php:170
action · show_user_profile · includes\class-ace-user-management.php:172
action · edit_user_profile · includes\class-ace-user-management.php:173
action · personal_options_update · includes\class-ace-user-management.php:175
action · edit_user_profile_update · includes\class-ace-user-management.php:176
action · user_register · includes\class-ace-user-management.php:178
action · wp_enqueue_scripts · includes\class-ace-user-management.php:197
action · wp_enqueue_scripts · includes\class-ace-user-management.php:198
action · wp_logout · includes\class-ace-user-management.php:199
filter · login_redirect · includes\class-ace-user-management.php:200
action · init · includes\class-ace-user-management.php:201
action · template_redirect · includes\class-ace-user-management.php:202
filter · register · includes\class-ace-user-management.php:203
filter · wp_nav_menu_items · includes\class-ace-user-management.php:204
action · wp_authenticate · includes\class-ace-user-management.php:205
filter · show_admin_bar · includes\class-ace-user-management.php:206
action · init · includes\class-ace-user-management.php:208
filter · query_vars · includes\class-ace-user-management.php:209
action · template_redirect · includes\class-ace-user-management.php:210

Maintenance & Trust

Ace User Management Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 18, 2025
PHP min version
Downloads: 3K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 0

Developer Profile

Ace User Management Developer Profile

Acewebx

7 plugins · 340 total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 330 days
Detection Fingerprints

How We Detect Ace User Management

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/ace-user-management/css/ace-user-management-admin.css
/wp-content/plugins/ace-user-management/css/ace-fontawesome.css
/wp-content/plugins/ace-user-management/css/bootstrap.min.css
/wp-content/plugins/ace-user-management/js/ace-user-management-admin.js
/wp-content/plugins/ace-user-management/js/ace-bootstrap.min.js
Script Paths
/wp-content/plugins/ace-user-management/js/ace-user-management-admin.js
Version Parameters
ace-user-management-admin.css?ver=
ace-fontawesome.css?ver=
bootstrap.min.css?ver=
ace-bootstrap.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
ace-user-management-admin
ace-fontawesome
HTML Comments
<!-- wordpress menu -->
Data Attributes
data-ace-user-management-nonce
JS Globals
ajax.url
ajax.nonce