Ajax Filter Search Security & Risk Analysis

wordpress.org/plugins/ajax-filter-search

Displays posts or custom post types in a friendly, filterable format using ajax so there's no page reload!

70 active installs v1.0.3 PHP + WP 3.6+ Updated Aug 6, 2016
ajax-filterajax-searchfilter-posts-by-yearsearch-postssearch-using-ajax
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Safety Verdict

Is Ajax Filter Search Safe to Use in 2026?

Generally Safe

Score 85/100

Ajax Filter Search has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 9yr ago
Risk Assessment

The plugin "ajax-filter-search" v1.0.3 exhibits a concerning security posture primarily due to a significant portion of its attack surface lacking authentication and authorization checks. With 4 out of 6 entry points being unprotected AJAX handlers, there's a high risk of unauthorized access and manipulation of plugin functionalities. While the plugin demonstrates good practices by not using dangerous functions, avoiding file operations and external HTTP requests, and utilizing prepared statements for its SQL queries, these strengths are overshadowed by the lack of fundamental security controls on its AJAX endpoints. The absence of nonce checks and capability checks on these handlers is a critical oversight, potentially exposing the plugin to Cross-Site Request Forgery (CSRF) and privilege escalation vulnerabilities.

The taint analysis reveals two flows with unsanitized paths, which is a notable concern. Although the static analysis did not classify these as critical or high severity, unsanitized paths can lead to various injection-type vulnerabilities if user-supplied data is not properly handled before being used in operations. The low percentage of properly escaped output (19%) further amplifies this risk, suggesting that data displayed to users might be vulnerable to Cross-Site Scripting (XSS) attacks.

The plugin's vulnerability history is remarkably clean, with no recorded CVEs. This could indicate a well-maintained codebase or simply a lack of public disclosure of past vulnerabilities. However, the current static analysis findings, particularly the unprotected AJAX handlers and potential for XSS, present immediate and significant risks that should be addressed regardless of historical data. The overall security posture is weakened by these identified weaknesses, despite the positive aspects of its SQL handling and controlled external interactions.

Key Concerns

  • Unprotected AJAX handlers
  • Unsanitized paths in taint flows
  • Low percentage of properly escaped output
  • Missing nonce checks on AJAX handlers
  • Missing capability checks on AJAX handlers
Vulnerabilities
None known

Ajax Filter Search Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Ajax Filter Search Release Timeline

v1.0.3Current
v1.0.2
v1.0.1
Code Analysis
Analyzed Apr 16, 2026

Ajax Filter Search Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
25
6 escaped
Nonce Checks
0
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

19% escaped31 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

2 flows2 with unsanitized paths
my_action_callback (core/includes/functions.php:156)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
4 unprotected

Ajax Filter Search Attack Surface

Entry Points6
Unprotected4

AJAX Handlers 4

authwp_ajax_my_actioncore/includes/functions.php:175
noprivwp_ajax_my_actioncore/includes/functions.php:176
authwp_ajax_get_selectedcore/includes/functions.php:210
noprivwp_ajax_get_selectedcore/includes/functions.php:211

Shortcodes 2

[ajax_filter_search] core/includes/shortcodes.php:259
[afs_feed] core/includes/shortcodes.php:392
WordPress Hooks 5
actionadmin_menuadmin/settings.php:130
actionadmin_initadmin/settings.php:131
actionadmin_enqueue_scriptsadmin/settings.php:132
actionwp_enqueue_scriptsadmin/settings.php:138
actionwp_headcore/includes/functions.php:143
Maintenance & Trust

Ajax Filter Search Maintenance & Trust

Maintenance Signals

WordPress version tested4.5.33
Last updatedAug 6, 2016
PHP min version
Downloads6K

Community Trust

Rating90/100
Number of ratings2
Active installs70
Developer Profile

Ajax Filter Search Developer Profile

Thomas J Dintrone

1 plugin · 70 total installs

84
trust score
Avg Security Score
85/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Ajax Filter Search

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/ajax-filter-search/admin/js/admin.js/wp-content/plugins/ajax-filter-search/core/js/afs-init.js/wp-content/plugins/ajax-filter-search/core/js/afs-scripts.js/wp-content/plugins/ajax-filter-search/core/css/afs-styles.css
Script Paths
admin/js/admin.jscore/js/afs-init.jscore/js/afs-scripts.js
Version Parameters
ajax-filter-search/core/css/afs-styles.css?ver=ajax-filter-search/admin/js/admin.js?ver=ajax-filter-search/core/js/afs-scripts.js?ver=ajax-filter-search/core/js/afs-init.js?ver=

HTML / DOM Fingerprints

CSS Classes
afs-filter-containerafs-grid-viewafs-list-viewafs-paginationafs-search-form
HTML Comments
<!-- Admin Settings, Styles & Scripts --><!-- Adds Settings Link to Plugins Page --><!-- Core Styles & Scripts --><!-- Set Up Admin Area -->+11 more
Data Attributes
data-afs-post-typedata-afs-taxonomydata-afs-posts-per-pagedata-afs-show-filtersdata-afs-views
JS Globals
afs_vars
Shortcode Output
[ajax_filter_search]
FAQ

Frequently Asked Questions about Ajax Filter Search