Better Rest Endpoints Security & Risk Analysis

wordpress.org/plugins/better-rest-endpoints

A WordPress plugin that serves up slimmer WP Rest API endpoints.

200 active installs · v1.5.2 · PHP + · WP 4.7.1+ · Updated Feb 13, 2019
Tags: acf, api, endpoints, json, rest
Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never

Safety Verdict

Is Better Rest Endpoints Safe to Use in 2026?

Generally Safe

Score 85/100

Better Rest Endpoints has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 7yr ago

Risk Assessment

The "better-rest-endpoints" v1.5.2 plugin has one significant security concern: its entire REST API attack surface is exposed without any authentication or permission checks. The static analysis indicates good practices in other areas, such as the absence of dangerous functions, 100% use of prepared statements for SQL queries, and proper output escaping, but the lack of authorization on all 11 REST API routes presents a critical vulnerability.

This means any unauthenticated user can potentially access and interact with all functionality exposed through these endpoints. The absence of taint analysis findings and a clean vulnerability history are positive signs, suggesting that no exploitable issues have been publicly disclosed or identified through code analysis. However, the broad exposure of the REST API without any safeguards creates a wide attack vector.

In conclusion, the plugin demonstrates strong code hygiene regarding data handling and output, but the fundamental security principle of authorization for its primary entry points (REST API routes) is completely missing. This oversight overshadows the positive aspects and presents a high-risk scenario that requires immediate attention to implement proper permission checks on all exposed REST API endpoints.

Key Concerns

  • 11 REST API routes without permission callbacks
  • 0 Nonce checks on entry points
Vulnerabilities
None known

Better Rest Endpoints Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Better Rest Endpoints Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 0 (11 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

100% escaped · 11 total outputs

Attack Surface
11 unprotected

Better Rest Endpoints Attack Surface

Entry Points: 11
Unprotected: 11

REST API Routes: 11

GET /wp-json/better-rest-endpoints/v1/options/acf (includes\get_options_acf.php:46)
GET /wp-json/better-rest-endpoints/v1/options/acf/(?P<field>\S+) (includes\get_options_acf.php:50)
GET /wp-json/better-rest-endpoints/v1/pages/ (includes\get_pages.php:169)
GET /wp-json/better-rest-endpoints/v1/page/(?P<id>\d+) (includes\get_page_by_id.php:110)
GET /wp-json/better-rest-endpoints/v1/page/(?P<slug>\S+) (includes\get_page_by_slug.php:144)
GET /wp-json/better-rest-endpoints/v1/posts/ (includes\get_posts.php:189)
GET /wp-json/better-rest-endpoints/v1/post/(?P<id>\d+) (includes\get_post_by_id.php:130)
GET /wp-json/better-rest-endpoints/v1/post/(?P<slug>\S+) (includes\get_post_by_slug.php:132)
GET /wp-json/better-rest-endpoints/v1/search/ (includes\get_search.php:181)
GET /wp-json/better-rest-endpoints/v1/taxonomies/ (includes\get_taxonomies.php:37)
GET /wp-json/better-rest-endpoints/v1/menus/location/(?P<location>\S+) (includes\wp_nav_menus_by_location.php:38)

WordPress Hooks: 17

action plugins_loaded (better-rest-endpoints.php:144)
action rest_api_init (includes\create_cpt_endpoints.php:265)
action rest_api_init (includes\get_cpt_by_id.php:136)
action rest_api_init (includes\get_cpt_by_slug.php:136)
action rest_api_init (includes\get_options_acf.php:45)
action rest_api_init (includes\get_pages.php:168)
action rest_api_init (includes\get_page_by_id.php:109)
action rest_api_init (includes\get_page_by_slug.php:143)
action rest_api_init (includes\get_posts.php:188)
action rest_api_init (includes\get_posts_tax.php:287)
action rest_api_init (includes\get_post_by_id.php:129)
action rest_api_init (includes\get_post_by_slug.php:131)
action rest_api_init (includes\get_search.php:180)
action rest_api_init (includes\get_taxonomies.php:50)
action rest_api_init (includes\wp_nav_menus.php:65)
action rest_api_init (includes\wp_nav_menus_by_location.php:37)
action rest_api_init (includes\wp_nav_menus_by_name.php:65)

Maintenance & Trust

Better Rest Endpoints Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.9.29
Last updated: Feb 13, 2019
PHP min version
Downloads: 4K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 200

Developer Profile

Better Rest Endpoints Developer Profile

matt adams

1 plugin · 200 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Better Rest Endpoints

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/better-rest-endpoints/includes/get_acf.php
/wp-content/plugins/better-rest-endpoints/includes/get_yoast.php
/wp-content/plugins/better-rest-endpoints/includes/get_post_by_id.php
/wp-content/plugins/better-rest-endpoints/includes/get_post_by_slug.php
/wp-content/plugins/better-rest-endpoints/includes/get_posts.php
/wp-content/plugins/better-rest-endpoints/includes/get_pages.php
/wp-content/plugins/better-rest-endpoints/includes/get_page_by_id.php
/wp-content/plugins/better-rest-endpoints/includes/get_page_by_slug.php
+11 more

HTML / DOM Fingerprints

HTML Comments
<!-- Create Custom Post Type Endpoints @since 0.0.1 -->
/* * * Register Rest API Endpoint * */
/* * * get the terms * */
/* * * return */

REST Endpoints
/better-rest-endpoints/v1/
/better-rest-endpoints/v1/acf/
/better-rest-endpoints/v1/yoast/
/better-rest-endpoints/v1/post/
/better-rest-endpoints/v1/posts/
/better-rest-endpoints/v1/page/
/better-rest-endpoints/v1/pages/
/better-rest-endpoints/v1/cpt/
/better-rest-endpoints/v1/cpt/(?P<id>\d+)/
/better-rest-endpoints/v1/cpt/(?P<slug>[-\w]+)/
/better-rest-endpoints/v1/menus/name/(?P<location>\w+)/
/better-rest-endpoints/v1/menus/location/(?P<location>\w+)/
/better-rest-endpoints/v1/tax/
/better-rest-endpoints/v1/tax/posts/
/better-rest-endpoints/v1/search/
/better-rest-endpoints/v1/taxonomies/
/better-rest-endpoints/v1/options/acf/

FAQ

Frequently Asked Questions about Better Rest Endpoints