Advanced Settings 3 Security & Risk Analysis

wordpress.org/plugins/advanced-settings

Adds settings that you might expect to find in the WordPress core.

200 active installs · v3.3.0 · PHP 7.4+ · WP 5.0.0+ · Updated Feb 7, 2026
Tags: admin · dashboard · editing · frontend · settings

Score 96 · A · Safe
CVEs total: 3
Unpatched: 0
Last CVE: Sep 24, 2025
Safety Verdict

Is Advanced Settings 3 Safe to Use in 2026?

Generally Safe

Score 96/100

Advanced Settings 3 has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEs · Last CVE: Sep 24, 2025 · Updated 1mo ago
Risk Assessment

The "advanced-settings" v3.3.0 plugin exhibits a mixed security posture. While it demonstrates good practices by using prepared statements for all SQL queries and including a substantial number of capability checks, significant concerns remain. The static analysis reveals a notable attack surface, with one AJAX handler lacking authentication checks, which is a direct entry point for potential unauthorized actions.

Furthermore, the plugin's vulnerability history is a serious red flag: three known CVEs, one of high severity and two of medium severity. The recurring vulnerability types, Unrestricted Upload of File with Dangerous Type and Cross-Site Request Forgery (CSRF), point to repeated security weaknesses. That the most recent vulnerability dates from September 2025 suggests a pattern of security issues that may not be fully addressed, or that may recur.

Overall, while the plugin shows some positive security implementations, the presence of an unprotected AJAX endpoint together with a history of significant vulnerabilities necessitates caution. The potential for exploitation through the unprotected entry point, combined with past occurrences of serious vulnerabilities, makes this plugin a moderate to high-risk component until these issues are thoroughly remediated and validated.

Key Concerns

  • Unprotected AJAX handler
  • History of 1 High Severity CVE
  • History of 2 Medium Severity CVEs
  • 57% of outputs properly escaped
Vulnerabilities (3)

Advanced Settings 3 Security Vulnerabilities

CVEs by Year

2025: 3 CVEs (all patched)

Severity Breakdown

High: 1
Medium: 2

3 total CVEs

CVE-2025-58996 · High · 8.8 · Unrestricted Upload of File with Dangerous Type

Advanced Settings <= 3.1.1 - Authenticated (Author+) Arbitrary File Upload

Sep 24, 2025 · Patched in 3.2.0 (7d)

CVE-2025-58975 · Medium · 4.3 · Cross-Site Request Forgery (CSRF)

Advanced Settings <= 3.1.1 - Cross-Site Request Forgery

Sep 9, 2025 · Patched in 3.2.0 (7d)

CVE-2025-49865 · Medium · 4.3 · Cross-Site Request Forgery (CSRF)

Advanced Settings <= 3.0.1 - Cross-Site Request Forgery

Jun 12, 2025 · Patched in 3.0.2 (6d)
Code Analysis (analyzed Mar 16, 2026)

Advanced Settings 3 Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (2 prepared)
Unescaped Output: 52 (69 escaped)
Nonce Checks: 4
Capability Checks: 15
File Operations: 19
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared · 2 total queries

Output Escaping

57% escaped · 121 total outputs
Attack Surface (1 unprotected)

Advanced Settings 3 Attack Surface

Entry Points: 6
Unprotected: 1

AJAX Handlers (3)

auth · wp_ajax_advset_mark_guide_shown · admin-ui\admin-ui.php:243
auth · wp_ajax_advset_filters · feature-setup\features\developer.php:183
auth · wp_ajax_advset_track_choice · includes\class.tracksettings.php:18

REST API Routes (3)

POST · /wp-json/advset_posttypes/v1/check-type · feature-setup\features\includes\developer.settings_pages.post_types--init.php:180
GET · /wp-json/advanced-settings/v1/features · includes\api-endpoints.php:14
POST · /wp-json/advanced-settings/v1/settings · includes\api-endpoints.php:23
WordPress Hooks (85)

action · admin_bar_menu · admin-ui\admin-ui.php:46
action · add_admin_bar_menus · admin-ui\admin-ui.php:49
filter · plugin_action_links · admin-ui\admin-ui.php:61
action · admin_enqueue_scripts · admin-ui\admin-ui.php:136
action · wp_enqueue_scripts · admin-ui\admin-ui.php:137
action · wp_enqueue_scripts · admin-ui\admin-ui.php:156
action · admin_enqueue_scripts · admin-ui\admin-ui.php:157
action · admin_footer · admin-ui\admin-ui.php:219
action · wp_footer · admin-ui\admin-ui.php:220
action · plugins_loaded · advanced-settings.php:64
action · init · advanced-settings.php:92
action · rest_api_init · advanced-settings.php:106
action · plugins_loaded · advanced-settings.php:116
action · advset_register_categories · feature-setup\categories.php:12
filter · show_admin_bar · feature-setup\features\adminarea.php:31
action · admin_menu · feature-setup\features\adminarea.php:57
action · admin_menu · feature-setup\features\adminarea.php:83
action · wp_dashboard_setup · feature-setup\features\adminarea.php:110
filter · admin_footer_text · feature-setup\features\adminarea.php:192
action · login_head · feature-setup\features\adminarea.php:197
filter · login_headertext · feature-setup\features\adminarea.php:211
action · wp_before_admin_bar_render · feature-setup\features\adminarea.php:217
filter · login_headerurl · feature-setup\features\adminarea.php:230
action · init · feature-setup\features\advset.php:95
action · wp_footer · feature-setup\features\developer.php:31
action · admin_menu · feature-setup\features\developer.php:73
action · admin_menu · feature-setup\features\developer.php:117
action · admin_menu · feature-setup\features\developer.php:171
filter · wp_revisions_to_keep · feature-setup\features\editing.php:84
filter · upload_mimes · feature-setup\features\editing.php:124
filter · wp_handle_upload_prefilter · feature-setup\features\editing.php:130
action · wp_handle_upload · feature-setup\features\editing.php:240
filter · jpeg_quality · feature-setup\features\editing.php:294
action · after_setup_theme · feature-setup\features\editing.php:326
action · transition_post_status · feature-setup\features\editing.php:357
action · send_headers · feature-setup\features\frontend.php:65
action · wp_head · feature-setup\features\frontend.php:99
action · wp_head · feature-setup\features\frontend.php:136
action · wp_head · feature-setup\features\frontend.php:270
action · template_redirect · feature-setup\features\frontend.php:303
filter · wp_sitemaps_add_provider · feature-setup\features\frontend.php:311
filter · wp_title · feature-setup\features\frontend.php:342
filter · run_wptexturize · feature-setup\features\frontend.php:388
filter · embed_oembed_discover · feature-setup\features\frontend.php:424
filter · excerpt_length · feature-setup\features\frontend.php:461
filter · excerpt_more · feature-setup\features\frontend.php:500
filter · get_comments_number · feature-setup\features\frontend.php:528
filter · the_content · feature-setup\features\frontend.php:563
action · parse_request · feature-setup\features\frontend.php:651
action · wp_footer · feature-setup\features\frontend.php:760
action · feed_link · feature-setup\features\frontend.php:803
filter · emoji_svg_url · feature-setup\features\frontend.php:906
action · admin_init · feature-setup\features\includes\developer.settings_pages.php:48
action · init · feature-setup\features\includes\developer.settings_pages.post_types--init.php:13
action · rest_api_init · feature-setup\features\includes\developer.settings_pages.post_types--init.php:14
action · admin_menu · feature-setup\features\includes\developer.settings_pages.post_types--init.php:15
action · admin_enqueue_scripts · feature-setup\features\includes\developer.settings_pages.post_types--init.php:16
action · admin_notices · feature-setup\features\includes\developer.settings_pages.post_types--init.php:63
filter · script_loader_src · feature-setup\features\includes\developer.settings_pages.scripts--actions-scripts.php:17
filter · print_scripts_array · feature-setup\features\includes\developer.settings_pages.scripts--actions-scripts.php:33
filter · print_scripts_array · feature-setup\features\includes\developer.settings_pages.scripts--actions-scripts.php:55
filter · script_loader_tag · feature-setup\features\includes\developer.settings_pages.scripts--actions-scripts.php:78
action · wp_enqueue_scripts · feature-setup\features\includes\developer.settings_pages.scripts--actions-scripts.php:85
action · init · feature-setup\features\includes\developer.settings_pages.scripts--actions-scripts.php:153
filter · pre_update_option_advset_scripts · feature-setup\features\includes\developer.settings_pages.scripts--actions-scripts.php:154
filter · print_styles_array · feature-setup\features\includes\developer.settings_pages.styles--actions-styles.php:11
filter · print_styles_array · feature-setup\features\includes\developer.settings_pages.styles--actions-styles.php:30
action · wp_loaded · feature-setup\features\includes\developer.settings_pages.styles--actions-styles.php:51
action · init · feature-setup\features\includes\developer.settings_pages.styles--actions-styles.php:130
filter · pre_update_option_advset_styles · feature-setup\features\includes\developer.settings_pages.styles--actions-styles.php:131
action · init · feature-setup\features\system.php:33
filter · comments_open · feature-setup\features\system.php:66
filter · comments_array · feature-setup\features\system.php:67
action · admin_menu · feature-setup\features\system.php:70
action · wp_before_admin_bar_render · feature-setup\features\system.php:73
filter · xmlrpc_enabled · feature-setup\features\system.php:102
filter · rest_authentication_errors · feature-setup\features\system.php:128
filter · auto_core_update_send_email · feature-setup\features\system.php:218
filter · auto_plugin_update_send_email · feature-setup\features\system.php:244
filter · auto_theme_update_send_email · feature-setup\features\system.php:270
action · advset_register_features · feature-setup\features.php:12
action · init · includes\class.feature-manager.php:35
action · admin_enqueue_scripts · includes\class.tracksettings.php:20
action · admin_footer · includes\class.tracksettings.php:48
action · plugins_loaded · index.php:9
Maintenance & Trust

Advanced Settings 3 Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 7, 2026
PHP min version: 7.4
Downloads: 33K

Community Trust

Rating: 78/100
Number of ratings: 7
Active installs: 200
Developer Profile

Advanced Settings 3 Developer Profile

Helmut Wandl

5 plugins · 300 total installs

Trust score: 99
Avg Security Score: 99/100
Avg Patch Time: 7 days
Detection Fingerprints

How We Detect Advanced Settings 3

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths: /wp-content/plugins/advanced-settings/admin-ui/images/admin-bar-icon.svg

HTML / DOM Fingerprints

CSS Classes: advset-admin-icon
HTML Comments: Admin UI functionality for Advanced Settings * * This file handles the admin bar icon and modal dialog for administrators
Data Attributes: onclick
JS Globals: advset_open_modal
REST Endpoints: /wp-json/advanced-settings/
FAQ

Frequently Asked Questions about Advanced Settings 3