Activities Security & Risk Analysis

wordpress.org/plugins/activities

A plugin for managing activities, activity reports and communication with participants. Comes with WooCommerce integration.

10 active installs · v1.1.8 · PHP 7.0.32+ · WP 5.4+ · Updated Feb 21, 2021
Tags: activities, classes, courses, events, report
Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Activities Safe to Use in 2026?

Generally Safe

Score 85/100

Activities has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 5yr ago
Risk Assessment

The "activities" plugin v1.1.8 exhibits a mixed security posture. While it demonstrates good practices like a high percentage of prepared SQL statements and a significant number of capability checks, several significant concerns are present. The substantial number of AJAX handlers, particularly the nine that lack authentication checks, represents a large and unprotected attack surface, posing a high risk of unauthorized actions being performed. Furthermore, the presence of four high-severity taint flows with unsanitized paths indicates a potential for cross-site scripting (XSS) or other injection vulnerabilities if user input is not properly validated and sanitized before use. The use of the `unserialize` function is also a notable risk factor, as it can lead to remote code execution if untrusted data is unserialized.

The lack of documented CVEs does not guarantee the plugin's absolute security. An empty vulnerability history could simply mean that vulnerabilities have not yet been discovered or publicly disclosed. The current static analysis findings, especially the unprotected AJAX endpoints and critical taint flows, are strong indicators of potential weaknesses that an attacker could exploit. Therefore, while the plugin shows some positive security habits, the identified attack surface and taint analysis results necessitate caution and prompt remediation.

Key Concerns

  • 9 unprotected AJAX handlers
  • 4 high severity unsanitized flows
  • Dangerous function: unserialize
  • Large attack surface (11 total, 9 unprotected)
  • 33% SQL queries not using prepared statements
  • 33% outputs not properly escaped
Vulnerabilities
None known

Activities Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Activities Release Timeline

v1.1.7
Code Analysis
Analyzed Mar 17, 2026

Activities Code Analysis

  • Dangerous Functions: 6
  • Raw SQL Queries: 20 (51 prepared)
  • Unescaped Output: 139 (282 escaped)
  • Nonce Checks: 13
  • Capability Checks: 29
  • File Operations: 1
  • External Requests: 0
  • Bundled Libraries: 0

Dangerous Functions Found

  • unserialize · `$nice_settings = unserialize( $nice_settings );` · admin\activity-report\activities-admin-activity-report.php:43
  • unserialize · `$nice_settings = unserialize( $nice_settings );` · admin\class-activities-admin-utility.php:26
  • unserialize · `$val = @unserialize( $val );` · includes\class-activities-activity.php:425
  • unserialize · `$val = @unserialize( $val );` · includes\class-activities-activity.php:456
  • unserialize · `$default_settings = unserialize( $default_settings );` · includes\class-activities-activity.php:548
  • unserialize · `$default_settings = unserialize( $default_settings );` · includes\class-activities-activity.php:587

SQL Query Safety

72% prepared · 71 total queries

Output Escaping

67% escaped · 421 total outputs
Data Flows · Security
6 unsanitized

Data Flow Analysis

9 flows · 6 with unsanitized paths
activities_import_page_selected (admin\import-export\activities-admin-import.php:61)
Flow diagram legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized
Attack Surface
9 unprotected

Activities Attack Surface

Entry Points: 11
Unprotected: 9

AJAX Handlers 9

  • auth · wp_ajax_acts_get_member_info · includes\class-activities.php:188
  • auth · wp_ajax_acts_get_user_info · includes\class-activities.php:189
  • auth · wp_ajax_acts_quick_save · includes\class-activities.php:190
  • auth · wp_ajax_acts_create_plan · includes\class-activities.php:191
  • auth · wp_ajax_acts_update_plan_session · includes\class-activities.php:192
  • auth · wp_ajax_acts_insert_cat · includes\class-activities.php:193
  • auth · wp_ajax_acts_update_cat · includes\class-activities.php:194
  • auth · wp_ajax_acts_delete_cat · includes\class-activities.php:195
  • auth · wp_ajax_acts_join · includes\class-activities.php:229

Shortcodes 2

[acts] includes\class-activities.php:213
[acts] includes\class-activities.php:231
WordPress Hooks 39

  • action · wpmu_new_blog · activities.php:77
  • action · activities_delete_location · includes\class-activities-activity.php:121
  • action · activities_delete_plan · includes\class-activities-activity.php:122
  • action · deleted_user · includes\class-activities-activity.php:123
  • action · remove_user_from_blog · includes\class-activities-activity.php:124
  • action · init · includes\class-activities-category.php:22
  • action · activities_archive_activity · includes\class-activities-responsible.php:20
  • action · activities_activate_activity · includes\class-activities-responsible.php:21
  • action · plugins_loaded · includes\class-activities-updater.php:29
  • action · deleted_user · includes\class-activities-user-activity.php:20
  • action · remove_user_from_blog · includes\class-activities-user-activity.php:21
  • filter · woocommerce_product_data_tabs · includes\class-activities-woocommerce.php:33
  • action · woocommerce_product_data_panels · includes\class-activities-woocommerce.php:34
  • action · woocommerce_product_after_variable_attributes · includes\class-activities-woocommerce.php:35
  • action · save_post · includes\class-activities-woocommerce.php:36
  • action · woocommerce_save_product_variation · includes\class-activities-woocommerce.php:37
  • action · woocommerce_order_status_completed · includes\class-activities-woocommerce.php:38
  • action · woocommerce_update_new_customer_past_order · includes\class-activities-woocommerce.php:39
  • action · activities_archive_activity · includes\class-activities-woocommerce.php:40
  • filter · woocommerce_prevent_admin_access · includes\class-activities-woocommerce.php:41
  • filter · manage_product_posts_columns · includes\class-activities-woocommerce.php:42
  • action · manage_product_posts_custom_column · includes\class-activities-woocommerce.php:43
  • action · plugins_loaded · includes\class-activities.php:170
  • action · admin_init · includes\class-activities.php:184
  • action · admin_init · includes\class-activities.php:185
  • action · admin_init · includes\class-activities.php:186
  • action · admin_menu · includes\class-activities.php:197
  • action · show_user_profile · includes\class-activities.php:199
  • action · edit_user_profile · includes\class-activities.php:200
  • action · personal_options_update · includes\class-activities.php:201
  • action · edit_user_profile_update · includes\class-activities.php:202
  • filter · screen_settings · includes\class-activities.php:204
  • filter · set-screen-option · includes\class-activities.php:205
  • filter · admit-init · includes\class-activities.php:207
  • action · pre_user_query · includes\class-activities.php:209
  • action · wp_login · includes\class-activities.php:210
  • filter · admin_title · includes\class-activities.php:211
  • action · wp_enqueue_scripts · includes\class-activities.php:226
  • action · wp_enqueue_scripts · includes\class-activities.php:227
Maintenance & Trust

Activities Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 5.6.17
  • Last updated: Feb 21, 2021
  • PHP min version: 7.0.32
  • Downloads: 2K

Community Trust

  • Rating: 100/100
  • Number of ratings: 1
  • Active installs: 10
Developer Profile

Activities Developer Profile

Mikal Naustdal

1 plugin · 10 total installs

  • Trust score: 84
  • Avg Security Score: 85/100
  • Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Activities

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/activities/admin/css/activities-admin.css
  • /wp-content/plugins/activities/admin/css/report/activities-admin-report.css
  • /wp-content/plugins/activities/admin/css/selectize/selectize.css
  • /wp-content/plugins/activities/admin/js/activities-admin.js
  • /wp-content/plugins/activities/admin/js/report/activities-admin-report.js
  • /wp-content/plugins/activities/admin/js/report/activities-admin-report-plan.js
  • /wp-content/plugins/activities/admin/js/selectize/selectize.min.js

Script Paths

  • /wp-content/plugins/activities/admin/js/activities-admin.js
  • /wp-content/plugins/activities/admin/js/report/activities-admin-report.js
  • /wp-content/plugins/activities/admin/js/report/activities-admin-report-plan.js
  • /wp-content/plugins/activities/admin/js/selectize/selectize.min.js

Version Parameters

  • activities-admin-css?ver=
  • activities-admin-report-css?ver=
  • activities-admin-selectize-css?ver=
  • activities-admin-js?ver=
  • activities-admin-report-js?ver=
  • activities-admin-report-plan-js?ver=
  • activities-admin-selectize-js?ver=

HTML / DOM Fingerprints

CSS Classes

  • activities-admin-wrap
  • activities-admin-page

Data Attributes

  • data-activities-nonce

JS Globals

  • acts_i18n_admin
  • acts_i18n_nice

FAQ

Frequently Asked Questions about Activities