ActiveDEMAND Security & Risk Analysis

wordpress.org/plugins/activedemand

ActiveDEMAND, the easy way to add Web Forms, Dynamic Content, and Popups to your WordPress site.

1K active installs · v0.2.47 · PHP + · WP 2.8+ · Updated Oct 15, 2025
Tags: dynamic-content, geo-ip, opt-in-forms, popup-builder, tracking-script
Score 88 · A · Safe
CVEs total: 4
Unpatched: 0
Last CVE: Apr 16, 2025
Safety Verdict

Is ActiveDEMAND Safe to Use in 2026?

Generally Safe

Score 88/100

ActiveDEMAND has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Apr 16, 2025 · Updated 5mo ago
Risk Assessment

The "activedemand" plugin v0.2.47 exhibits a concerning security posture, largely due to a significant number of unprotected AJAX handlers. While the plugin demonstrates good practices in using prepared statements for SQL queries (81%) and proper output escaping (88%), the presence of 5 unprotected AJAX entry points creates a substantial attack surface that could be exploited for unauthorized actions. Furthermore, the taint analysis revealed one high-severity flow with unsanitized paths, indicating a potential for attackers to manipulate data or execute unintended operations. The plugin's vulnerability history is also a major red flag, with 4 known CVEs, including 2 critical ones, and a recent vulnerability in April 2025. This historical pattern of critical vulnerabilities, particularly around Cross-Site Request Forgery, Unrestricted File Uploads, and Missing Authorization, suggests recurring security flaws that have not been fully addressed. While the current version has no unpatched CVEs and the static analysis shows some positive indicators like minimal file operations and external HTTP requests, the combination of unprotected entry points, a critical taint flow, and a history of severe vulnerabilities points to a plugin that requires immediate attention and rigorous security scrutiny before widespread deployment.

Key Concerns

  • 5 unprotected AJAX handlers
  • High severity taint flow with unsanitized paths
  • 2 critical CVEs historically
  • 2 medium CVEs historically
  • Recent vulnerability (2025-04-16)
  • Common vulnerability type: Missing Authorization
  • Common vulnerability type: Unrestricted Upload of File with Dangerous Type
  • Common vulnerability type: Cross-Site Request Forgery (CSRF)
Vulnerabilities
4

ActiveDEMAND Security Vulnerabilities

CVEs by Year

  • 2022: 1 CVE
  • 2024: 2 CVEs
  • 2025: 1 CVE

Severity Breakdown

  • Critical: 2
  • Medium: 2

4 total CVEs

CVE-2025-39513 · medium · 5.3 · Missing Authorization
ActiveDEMAND <= 0.2.46 - Missing Authorization
Apr 16, 2025 · Patched in 0.2.47 (185d)

CVE-2024-35638 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
ActiveDEMAND <= 0.2.43 - Cross-Site Request Forgery
May 30, 2024 · Patched in 0.2.44 (33d)

CVE-2024-32809 · critical · 10 · Unrestricted Upload of File with Dangerous Type
ActiveDEMAND <= 0.2.41 - Unauthenticated Arbitrary File Upload
Apr 22, 2024 · Patched in 0.2.42 (8d)

CVE-2022-36296 · critical · 9.8 · Missing Authorization
ActiveDEMAND <= 0.2.27 - Missing Authorization Checks
Aug 2, 2022 · Patched in 0.2.28 (539d)

Code Analysis
Analyzed Mar 16, 2026

ActiveDEMAND Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 5 (22 prepared)
  • Unescaped Output: 12 (87 escaped)
  • Nonce Checks: 8
  • Capability Checks: 12
  • File Operations: 0
  • External Requests: 4
  • Bundled Libraries: 1

Bundled Libraries

TinyMCE

SQL Query Safety

81% prepared · 27 total queries

Output Escaping

88% escaped · 99 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

8 flows · 2 with unsanitized paths
<ActiveDEMAND> (ActiveDEMAND.php:0)
Attack Surface
5 unprotected

ActiveDEMAND Attack Surface

Entry Points: 5
Unprotected: 5

AJAX Handlers 5

auth · wp_ajax_activedemand_access_rules_save · ActiveDEMAND.php:993
auth · wp_ajax_activedemand_delete_custom_url_content · ActiveDEMAND.php:1083
auth · wp_ajax_reset_ad_form_linkage · linked-forms.php:658
auth · wp_ajax_update_ad_form_linkage · linked-forms.php:659
auth · wp_ajax_show_form_mapper · linked-forms.php:660

WordPress Hooks 36
action · init · ActiveDEMAND.php:45
filter · block_categories_all · ActiveDEMAND.php:205
action · init · ActiveDEMAND.php:209
action · init · ActiveDEMAND.php:364
action · admin_init · ActiveDEMAND.php:449
filter · mce_external_plugins · ActiveDEMAND.php:538
filter · mce_buttons · ActiveDEMAND.php:539
action · woocommerce_cart_updated · ActiveDEMAND.php:591
action · woocommerce_cart_emptied · ActiveDEMAND.php:603
filter · clean_url · ActiveDEMAND.php:761
action · wp_enqueue_scripts · ActiveDEMAND.php:762
action · admin_enqueue_scripts · ActiveDEMAND.php:764
action · admin_menu · ActiveDEMAND.php:766
filter · plugin_action_links · ActiveDEMAND.php:767
filter · the_excerpt_rss · ActiveDEMAND.php:769
filter · the_content_feed · ActiveDEMAND.php:771
action · init · ActiveDEMAND.php:777
action · in_admin_footer · ActiveDEMAND.php:778
action · woocommerce_after_checkout_form · ActiveDEMAND.php:781
action · rss2_item · ActiveDEMAND.php:805
action · init · ActiveDEMAND.php:850
action · init · ActiveDEMAND.php:909
action · woocommerce_add_to_cart · ActiveDEMAND.php:982
action · woocommerce_thankyou · ActiveDEMAND.php:990
action · init · ActiveDEMAND.php:1103
action · wp_enqueue_scripts · class-SCCollector.php:174
filter · the_content · class-SCCollector.php:216
filter · widget_text · class-SCCollector.php:219
action · wp_footer · class-SCCollector.php:235
action · admin_enqueue_scripts · landing-pages.php:12
action · wp · landing-pages.php:49
action · add_meta_boxes · landing-pages.php:142
action · save_post · landing-pages.php:182
action · init · linked-forms.php:655
action · plugins_loaded · linked-forms.php:656
action · admin_enqueue_scripts · linked-forms.php:735

Maintenance & Trust

ActiveDEMAND Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Oct 15, 2025
PHP min version
Downloads: 41K

Community Trust

Rating: 100/100
Number of ratings: 6
Active installs: 1K

Developer Profile

ActiveDEMAND Developer Profile

Trust score: 70
Avg Security Score: 87/100
Avg Patch Time: 191 days
Detection Fingerprints

How We Detect ActiveDEMAND

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/activedemand/gutenberg-blocks/dynamic-content-blocks/block.build.js
/wp-content/plugins/activedemand/gutenberg-blocks/forms/block.build.js
/wp-content/plugins/activedemand/gutenberg-blocks/storyboard/block.build.js

HTML / DOM Fingerprints

JS Globals
activedemand_blocks
activedemand_vendor
activedemand_forms
activedemand_storyboard
REST Endpoints
/wp-json/activedemand/v1/get_data
Shortcode Output
[activedemand_block id=
FAQ

Frequently Asked Questions about ActiveDEMAND