Atarim – Visual Feedback, Review & AI Collaboration Security & Risk Analysis

wordpress.org/plugins/atarim-visual-collaboration

Make collecting feedback on WordPress sites MUCH faster and easier, with the visual collaboration tool used on over 120,000 websites worldwide.

1K active installs · v4.3.4 · PHP 7.4+ · WP 5.0+ · Updated Mar 5, 2026

Tags: ai-feedback, client-feedback, design-review, project-management, visual-feedback

Security score: 76 · B · Generally Safe

  • CVEs total: 18
  • Unpatched: 0
  • Last CVE: Feb 9, 2026
Safety Verdict

Is Atarim – Visual Feedback, Review & AI Collaboration Safe to Use in 2026?

Mostly Safe

Score 76/100

Atarim – Visual Feedback, Review & AI Collaboration is generally safe to use. 18 past CVEs were resolved. Keep it updated.

18 known CVEs · Last CVE: Feb 9, 2026 · Updated 29d ago
Risk Assessment

The 'atarim-visual-collaboration' plugin v4.3.4 presents a mixed security posture. While it demonstrates good practices in SQL query handling and a majority of output escaping, significant concerns are raised by its attack surface and vulnerability history. The presence of two AJAX handlers without authentication checks is a critical vulnerability, directly exposing potential attack vectors. This, combined with four taint flows involving unsanitized paths, even if not rated critical or high, suggests a concerning lack of input validation and sanitization in key areas.

The plugin's historical vulnerability data is alarming, with 18 known CVEs, including 3 critical and 3 high. The common vulnerability types, such as 'Exposure of Sensitive Information', 'Unrestricted Upload', 'Incorrect Privilege Assignment', and 'Missing Authorization', indicate a recurring pattern of fundamental security flaws. That all previous vulnerabilities are currently patched is a positive sign, but the sheer volume and severity of past issues, coupled with the current code analysis findings, point to a history of insecure development practices. The most recent vulnerability dating from 2026 also suggests that further discoveries are likely (unless that date is a typo in the data provided).

In conclusion, while the plugin shows some positive security attributes like prepared SQL statements and partial output escaping, the identified unprotected AJAX handlers and the extensive, severe vulnerability history far outweigh these strengths. The plugin should be considered high risk until further improvements are made to its authorization mechanisms and input sanitization processes.

Key Concerns

  • Unprotected AJAX handlers
  • Taint flows with unsanitized paths
  • Total known CVEs (18)
  • Critical severity CVEs (3)
  • High severity CVEs (3)
  • Missing authorization vulnerability type history
  • Exposure of sensitive information vuln type history
  • Improper neutralization of input (XSS) vuln type history
Vulnerabilities (18)

Atarim – Visual Feedback, Review & AI Collaboration Security Vulnerabilities

CVEs by Year

  • 2023: 3 CVEs
  • 2024: 6 CVEs
  • 2025: 7 CVEs
  • 2026: 2 CVEs

Severity Breakdown

  • Critical: 3
  • High: 3
  • Medium: 12

18 total CVEs (all patched)

CVE-2025-67993 · medium · 5.3 · Missing Authorization
Atarim <= 4.2.1 - Missing Authorization
Feb 9, 2026 · Patched in 4.2.2 (9d)

CVE-2026-25019 · medium · 5.3 · Missing Authorization
Atarim <= 4.3.1 - Missing Authorization
Jan 30, 2026 · Patched in 4.3.2 (12d)

CVE-2025-62895 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor
Atarim <= 4.2.1 - Unauthenticated Information Exposure
Sep 15, 2025 · Patched in 4.2.2 (89d)

CVE-2025-60187 · critical · 9.8 · Unrestricted Upload of File with Dangerous Type
Atarim <= 4.2.1 - Unauthenticated Arbitrary File Upload
Jul 29, 2025 · Patched in 4.2.2 (137d)

CVE-2025-60188 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor
Atarim <= 4.2.1 - Unauthenticated Information Exposure
Jul 29, 2025 · Patched in 4.2.2 (137d)

CVE-2025-60195 · critical · 9.8 · Incorrect Privilege Assignment
Atarim <= 4.2.1 - Unauthenticated Privilege Escalation
Jul 27, 2025 · Patched in 4.2.2 (139d)

CVE-2025-26993 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Atarim <= 4.1.0 - Reflected Cross-Site Scripting
Feb 23, 2025 · Patched in 4.1.1 (9d)

CVE-2025-24570 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Atarim <= 4.0.8 - Unauthenticated Stored Cross-Site Scripting
Jan 24, 2025 · Patched in 4.0.9 (5d)

CVE-2024-12104 · medium · 5.3 · Missing Authorization
Visual Website Collaboration, Feedback & Project Management – Atarim <= 4.0.9 - Missing Authorization to Authenticated (Subscriber+) Project Page/File Deletion
Jan 20, 2025 · Patched in 4.1.0 (38d)

CVE-2024-43290 · medium · 5.3 · Missing Authorization
Atarim <= 4.0.1 - Missing Authorization via remove_feedbacktool_notice()
Aug 16, 2024 · Patched in 4.0.2 (4d)

CVE-2024-7621 · medium · 5.4 · Missing Authorization
Visual Website Collaboration, Feedback & Project Management – Atarim <= 4.0.2 - Missing Authorization to Authenticated (Subscriber+) Settings Update
Aug 9, 2024 · Patched in 4.0.3 (1d)

CVE-2024-38771 · medium · 5.3 · Missing Authorization
Atarim <= 4.0 - Missing Authorization
Jul 19, 2024 · Patched in 4.0.1 (7d)

CVE-2024-37434 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Atarim <= 3.31 - Authenticated (Administrator+) Stored Cross-Site Scripting
Jun 28, 2024 · Patched in 3.32 (5d)

CVE-2024-2793 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Visual Website Collaboration, Feedback & Project Management – Atarim <= 3.30 - Unauthenticated Stored Cross-Site Scripting
May 30, 2024 · Patched in 3.31 (1d)

CVE-2024-2038 · high · 7.5 · Use of Hard-coded Password
Visual Website Collaboration, Feedback & Project Management – Atarim <= 3.22.6 - Hardcoded Credentials
May 22, 2024 · Patched in 3.30 (1d)

CVE-2023-47544 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Atarim <= 3.12 - Unauthenticated Cross-Site Scripting
Nov 7, 2023 · Patched in 3.13 (77d)

CVE-2023-37393 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Atarim <= 3.9.3 - Reflected Cross-Site Scripting
Aug 10, 2023 · Patched in 3.9.4 (166d)

Atarim - Client Interface <= 3.9.1 - Missing Authorization via AJAX actions
Jul 7, 2023 · Patched in 3.9.2 (200d)
Code Analysis
Analyzed Mar 16, 2026

Atarim – Visual Feedback, Review & AI Collaboration Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 5 (16 escaped)
  • Nonce Checks: 3
  • Capability Checks: 4
  • File Operations: 1
  • External Requests: 3
  • Bundled Libraries: 0

Output Escaping: 76% escaped (21 total outputs)

Data Flows: 4 unsanitized

Data Flow Analysis

4 flows, 4 with unsanitized paths

  • avcf_accept_invitation (includes\inject-script.php:193)
Attack Surface
2 unprotected

Atarim – Visual Feedback, Review & AI Collaboration Attack Surface

Entry Points: 4
Unprotected: 2

AJAX Handlers (4)

  • auth · wp_ajax_avcf_deactivate_collab · includes\class-ajax-functions.php:19
  • auth · wp_ajax_avcf_user_consent · includes\class-ajax-functions.php:50
  • auth · wp_ajax_avcf_set_user_consent_status · includes\class-ajax-functions.php:64
  • auth · wp_ajax_avcf_save_settings · includes\class-ajax-functions.php:100

WordPress Hooks (17)

  • action · admin_init · admin\class-avcf-settings.php:19
  • action · admin_menu · admin\class-avcf-settings.php:21
  • action · admin_enqueue_scripts · admin\class-avcf-settings.php:22
  • action · init · admin\class-avcf-settings.php:25
  • action · init · admin\class-avcf-settings.php:28
  • action · show_user_profile · admin\class-user-meta.php:9
  • action · edit_user_profile · admin\class-user-meta.php:10
  • action · personal_options_update · admin\class-user-meta.php:13
  • action · edit_user_profile_update · admin\class-user-meta.php:14
  • action · plugins_loaded · atarim-visual-collaboration.php:37
  • action · wp_head · includes\inject-script.php:24
  • action · admin_head · includes\inject-script.php:25
  • action · wp_enqueue_scripts · includes\inject-script.php:29
  • action · admin_enqueue_scripts · includes\inject-script.php:30
  • action · wp_footer · includes\inject-script.php:33
  • action · admin_footer · includes\inject-script.php:34
  • action · init · includes\inject-script.php:37
Maintenance & Trust

Atarim – Visual Feedback, Review & AI Collaboration Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Mar 5, 2026
  • PHP min version: 7.4
  • Downloads: 117K

Community Trust

  • Rating: 98/100
  • Number of ratings: 127
  • Active installs: 1K
Developer Profile

Atarim – Visual Feedback, Review & AI Collaboration Developer Profile

Vito Peleg

1 plugin · 1K total installs

  • Trust score: 71
  • Avg Security Score: 76/100
  • Avg Patch Time: 58 days
Detection Fingerprints

How We Detect Atarim – Visual Feedback, Review & AI Collaboration

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/atarim-visual-collaboration/assets/css/settings.css
  • /wp-content/plugins/atarim-visual-collaboration/assets/build/index.js
  • /wp-content/plugins/atarim-visual-collaboration/assets/js/admin.js

Script Paths

  • assets/build/index.js
  • assets/js/admin.js

Version Parameters

  • atarim-visual-collaboration/assets/css/settings.css?ver=
  • atarim-visual-collaboration/assets/build/index.js?ver=
  • atarim-visual-collaboration/assets/js/admin.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • avc-settings-root

Data Attributes

  • id="avc-settings-root"

JS Globals

  • AVCF_PLUGIN_URL
  • AVCF_VERSION
  • AVCF_HOME_URL
  • AVCF_SITE_URL
FAQ

Frequently Asked Questions about Atarim – Visual Feedback, Review & AI Collaboration