
Advanced Access Manager – Access Governance for WordPress Security & Risk Analysis
wordpress.org/plugins/advanced-access-manager
Access Governance for WordPress. Control roles, users, content, admin areas, and APIs to prevent broken access controls and excessive privileges.
Is Advanced Access Manager – Access Governance for WordPress Safe to Use in 2026?
Generally Safe
Score 95/100
Advanced Access Manager – Access Governance for WordPress has a strong security track record. Known vulnerabilities have been patched promptly.
The "advanced-access-manager" v7.1.0 plugin presents a mixed security posture. Its strengths are the use of prepared statements for SQL queries (94%) and a significant number of capability checks (66), but several concerning areas exist. The static analysis reveals a substantial attack surface, with 3 out of 6 entry points lacking proper authorization checks. Furthermore, only 45% of output operations are properly escaped, leaving a significant risk of Cross-Site Scripting (XSS) vulnerabilities. The absence of taint analysis results and the lack of dangerous function calls are positive indicators, but the unprotected entry points and the output escaping issues are critical areas of concern.
The plugin's vulnerability history is a major concern, with a total of 11 known CVEs, including a critical severity vulnerability. The historical prevalence of vulnerabilities such as Open Redirect, XSS, sensitive information exposure, authentication bypass, path traversal, and improper authorization suggests recurring security weaknesses in how user input is handled and access controls are implemented. While there are currently no unpatched vulnerabilities, the sheer number and variety of past issues, particularly the critical one, indicate a pattern of insecure coding practices that could resurface or be exploited.
In conclusion, the "advanced-access-manager" plugin v7.1.0 has some good foundational security practices like robust SQL sanitization and capability checks. However, the significant number of unprotected entry points, insufficient output escaping, and a history of numerous and severe vulnerabilities, including a critical one, collectively point to a high-risk plugin. Users should exercise extreme caution and prioritize patching and monitoring for any potential exploits.
Key Concerns
- High number of unprotected REST API routes
- High number of unprotected AJAX handlers
- Low percentage of properly escaped outputs
- History of 1 critical vulnerability
- History of 3 high severity vulnerabilities
- History of 7 medium severity vulnerabilities
- History of authentication bypass vulnerabilities
- History of path traversal vulnerabilities
- History of improper authorization vulnerabilities
- History of XSS vulnerabilities
- History of open redirect vulnerabilities
- History of sensitive information exposure
Advanced Access Manager – Access Governance for WordPress Security Vulnerabilities
CVEs by Year
Severity Breakdown
11 total CVEs
Advanced Access Manager <= 6.9.20 - Reflected Cross-Site Scripting
Advanced Access Manager <= 6.9.20 - Authenticated (Administrator+) Stored Cross-Site Scripting
Advanced Access Manager <= 6.9.18 - Authenticated (Author+) Open Redirect
Advanced Access Manager <= 6.9.18 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Advanced Access Manager <= 6.9.15 - Authenticated (Contributor+) Stored Cross-Site Scripting
Advanced Access Manager <= 6.7.9 - Admin+ Stored Cross-Site Scripting
Advanced Access Manager <= 6.6.1 - Authenticated Information Disclosure
Advanced Access Manager <= 6.6.1 - Authenticated Authorization Bypass and Privilege Escalation
Advanced Access Manager <= 5.9.8.1 - Unauthenticated Arbitrary File Read
Advanced Access Manager <= 3.2.1 - Unrestricted AJAX Actions allowing Privilege Escalation
Advanced Access Manager <= 2.8.2 - Arbitrary File Overwrite
Advanced Access Manager – Access Governance for WordPress Code Analysis
SQL Query Safety
Output Escaping
Advanced Access Manager – Access Governance for WordPress Attack Surface
AJAX Handlers 1
REST API Routes 3
Shortcodes 2
WordPress Hooks 175
Scheduled Events 1
Maintenance & Trust
Advanced Access Manager – Access Governance for WordPress Maintenance & Trust
Maintenance Signals
Community Trust
Advanced Access Manager – Access Governance for WordPress Alternatives
Login Gatekeeper
login-gatekeeper
Protect your login page by requiring a secret key and value in the login URL.
Wordfence Security – Firewall, Malware Scan, and Login Security
wordfence
Firewall, Malware Scanner, Two Factor Auth, and Comprehensive Security Features, powered by our 24-hour team. Make security a priority with Wordfence.
Hostinger Tools
hostinger
Simplified WordPress management. Manage site info, maintenance, security, & redirects.
Jetpack – WP Security, Backup, Speed, & Growth
jetpack
Improve your WP security with powerful one-click tools like backup, WAF, and malware scan. Includes free tools like stats, CDN and social sharing.
Really Simple Security – Simple and Performant Security (formerly Really Simple SSL)
really-simple-ssl
Easily improve site security with WordPress Hardening, Two-Factor Authentication (2FA), Login Protection, Vulnerability Detection and SSL certificate.
Advanced Access Manager – Access Governance for WordPress Developer Profile
5 plugins · 101K total installs
How We Detect Advanced Access Manager – Access Governance for WordPress
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
HTML / DOM Fingerprints