Better WishList API Security & Risk Analysis

wordpress.org/plugins/better-wlm-api

A better version of the WishList Member API. Created to make the connection to external services like ActiveCampaign and Autorespond a lot easier.

200 active installs · v1.1.5 · PHP + WP 4.0+ · Updated Mar 8, 2025
Tags: api, autorespond, wishlist-member
Security score: 90 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Mar 27, 2025
Safety Verdict

Is Better WishList API Safe to Use in 2026?

Generally Safe

Score 90/100

Better WishList API has a clean patch record: both known CVEs were fixed by the developer (after 39 and 7 days respectively), and none is currently unpatched. The score reflects that record; the static-analysis findings in the Risk Assessment section point the other way, so weigh both before deploying.

Known CVEs: 2 · Last CVE: Mar 27, 2025 · Plugin last updated 1 year ago (Mar 8, 2025)
Risk Assessment

The "better-wlm-api" plugin v1.1.5 presents a mixed security posture. On the positive side, the static analysis found no external HTTP requests, no bundled libraries and no calls to dangerous functions. The concerns come from its entry points and data flows. The plugin's single AJAX handler, wp_ajax_bwa_download_log_csv (which, by its name, exports the plugin's log as CSV), is registered on the logged-in wp_ajax_ hook, but the analysis found no nonce check and no capability check anywhere in the plugin. In WordPress the wp_ajax_ prefix only requires a session, not a role, so on a site that allows registration any subscriber can call the handler, and without a nonce a logged-in administrator can be made to trigger it from a third-party page (CSRF). All three analysed data flows reach their sinks through unsanitized paths, and only 34% of output statements (32 of 95) are escaped, the same weakness class as both CVEs in the plugin's history. Two of the four SQL queries are not prepared statements.

The vulnerability history shows two Cross-Site Scripting (XSS) issues in 2025: one high severity (unauthenticated stored XSS, fixed in 1.1.4 after 39 days) and one medium severity (reflected XSS, fixed in 1.1.5 after 7 days). Both are patched and no CVE is currently open, but the static-analysis findings above are present in the current release.

In conclusion, despite the clean patch record, the "better-wlm-api" plugin v1.1.5 should be treated as high risk because of the unprotected entry point, the unsanitized taint flows, the low escaping rate and the history of XSS. Since 1.1.5 (Mar 8, 2025) is the latest release, no newer version addresses the static-analysis findings; administrators who keep the plugin should limit which accounts can log in and watch for a release that adds nonce and capability checks.

Key Concerns

  • Unprotected AJAX handler
  • Flows with unsanitized paths
  • Low output escaping percentage
  • SQL queries without prepared statements
  • Missing nonce checks
  • Missing capability checks
  • High severity historical vulnerability
  • Medium severity historical vulnerability
Vulnerabilities (2)

Better WishList API Security Vulnerabilities

CVEs by Year

2025: 2 CVEs, both patched

Severity Breakdown

High: 1
Medium: 1
Total: 2 CVEs

CVE-2025-30798 · Medium (CVSS 6.1) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Better WishList API <= 1.1.4 - Reflected Cross-Site Scripting
Mar 27, 2025 · Patched in 1.1.5 (7 days)

CVE-2025-24641 · High (CVSS 7.2) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Better WishList API <= 1.1.3 - Unauthenticated Stored Cross-Site Scripting
Jan 14, 2025 · Patched in 1.1.4 (39 days)
Code Analysis (analyzed Mar 16, 2026)

Better WishList API Code Analysis

Dangerous functions: 0
Raw SQL queries: 2 · Prepared: 2
Unescaped output: 63 · Escaped: 32
Nonce checks: 0
Capability checks: 0
File operations: 3
External requests: 0
Bundled libraries: 0

SQL Query Safety

50% prepared (4 total queries)

Output Escaping

34% escaped (95 total outputs)
Data Flows (3 unsanitized)

Data Flow Analysis

3 flows, 3 with unsanitized paths

bwa_show_log (better-wlm-api.php:323)
[Flow diagram: source (user input) to sink (dangerous operation), with any sanitizer or transform nodes marked sanitized or unsanitized.]
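As an added illustration, not code from better-wlm-api (the page gives only the function name bwa_show_log, its line number and the counts above), here is a hypothetical WordPress admin log viewer showing what a flow with an unsanitized path looks like next to the same flow hardened: a sanitizer at the source, a prepared statement at the SQL sink and context-specific escaping at every HTML sink. The log table, its columns, the email request parameter and the capability are assumptions.

```php
<?php
// Added example, not code from better-wlm-api. The {prefix}bwa_log table, its
// columns, the 'email' request parameter and the capability are assumptions.

// UNSAFE: one source, two sinks, no sanitizer and no escaping on the path.
//   Source: $_GET['email']
//   Sink 1: SQL string concatenation      -> SQL injection
//   Sink 2: echo into HTML without esc_*  -> reflected XSS (the parameter) and
//           stored XSS (a message that was recorded from an untrusted caller)
// Shown for contrast only; it is never hooked into WordPress.
function bwa_example_show_log_unsafe() {
    global $wpdb;
    $email = isset( $_GET['email'] ) ? $_GET['email'] : '';
    $rows  = $wpdb->get_results(
        "SELECT created, email, message FROM {$wpdb->prefix}bwa_log WHERE email = '$email'"
    );
    echo '<h2>Log for ' . $email . '</h2>';
    foreach ( $rows as $row ) {
        echo '<tr><td>' . $row->created . '</td><td>' . $row->message . '</td></tr>';
    }
}

// HARDENED: capability check, sanitizer at the source, prepared statement at the
// SQL sink, and context-aware escaping at every HTML sink.
function bwa_example_show_log() {
    global $wpdb;

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'better-wlm-api' ), '', array( 'response' => 403 ) );
    }

    // Source: reject non-string input (email[]=... would otherwise reach trim()),
    // unslash, then sanitize for the expected type. An invalid address becomes ''.
    $email = '';
    if ( isset( $_GET['email'] ) && is_string( $_GET['email'] ) ) {
        $email = sanitize_email( wp_unslash( $_GET['email'] ) );
    }
    $page = isset( $_GET['page'] ) && is_string( $_GET['page'] ) ? sanitize_key( $_GET['page'] ) : '';

    // SQL sink: %s placeholder via $wpdb->prepare(); the table name comes from
    // $wpdb->prefix, never from the request.
    $table = $wpdb->prefix . 'bwa_log';
    $sql   = "SELECT created, email, message FROM {$table} ORDER BY created DESC LIMIT 200";
    if ( '' !== $email ) {
        $sql = $wpdb->prepare(
            "SELECT created, email, message FROM {$table} WHERE email = %s ORDER BY created DESC LIMIT 200",
            $email
        );
    }
    $rows = $wpdb->get_results( $sql );

    // HTML sinks: esc_attr() inside attributes, esc_html() inside text nodes.
    // Escaping happens at output time regardless of what the source looked like.
    echo '<h2>' . esc_html__( 'API log', 'better-wlm-api' ) . '</h2>';
    echo '<form method="get">';
    echo '<input type="hidden" name="page" value="' . esc_attr( $page ) . '">';
    echo '<input type="email" name="email" value="' . esc_attr( $email ) . '"> ';
    submit_button( __( 'Filter', 'better-wlm-api' ), 'secondary', '', false );
    echo '</form>';
    echo '<table class="widefat striped"><thead><tr><th>Created</th><th>Email</th><th>Message</th></tr></thead><tbody>';
    foreach ( $rows as $row ) {
        printf(
            '<tr><td>%s</td><td>%s</td><td>%s</td></tr>',
            esc_html( $row->created ),
            esc_html( $row->email ),
            esc_html( $row->message )
        );
    }
    echo '</tbody></table>';
}
```

The analysis counts an output as escaped only when the value passes through an esc_* function at the point of output; sanitizing on input does not protect an HTML sink, and a stored value such as a log message may have entered through an API call the sanitizer never saw. That is why the hardened version keeps sanitize_email() at the source and still escapes every cell on the way out.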
Attack Surface (1 unprotected)

Better WishList API Attack Surface

Entry points: 1 (1 unprotected)

AJAX Handlers (1)

auth  wp_ajax_bwa_download_log_csv  better-wlm-api.php:82
(auth: registered on the wp_ajax_ hook only, so a login is required and there is no wp_ajax_nopriv_ twin; the analysis found no nonce check and no capability check, so any logged-in user can invoke it)

WordPress Hooks (6)

action  admin_menu           better-wlm-api.php:66
action  admin_init           better-wlm-api.php:69
action  admin_head           better-wlm-api.php:72
action  init                 better-wlm-api.php:75
action  plugins_loaded       better-wlm-api.php:79
filter  plugin_action_links  better-wlm-api.php:85
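An added example, not the plugin's code, for the unprotected AJAX handler listed above and the missing nonce and capability checks under Key Concerns. The action name is modelled on wp_ajax_bwa_download_log_csv from the page; the handler body, the nonce action string 'bwa_download_log', the manage_options capability, the log table and the admin form are assumptions. The unsafe variant shows the shape of the finding and is never registered; the hardened one is wired up on wp_ajax_ only.

```php
<?php
// Added example, not code from better-wlm-api. The action name mirrors the page's
// wp_ajax_bwa_download_log_csv; the body, the nonce action 'bwa_download_log',
// the 'manage_options' capability and the {prefix}bwa_log table are assumptions.

// The shape of the finding: a handler on wp_ajax_ (login required, nothing else),
// with no current_user_can() and no check_ajax_referer(). Any authenticated user
// can call it, and a logged-in admin can be made to call it from a third-party
// page (CSRF). Shown for contrast only; it is never registered below.
function bwa_example_download_log_csv_unsafe() {
    header( 'Content-Type: text/csv' );
    foreach ( bwa_example_fetch_log_rows() as $row ) {
        echo implode( ',', $row ) . "\n";   // no quoting, no formula guard
    }
    wp_die();
}

// Hardened handler: authorization, then CSRF check, then a safe CSV export.
function bwa_example_download_log_csv() {
    // 1. Capability: a session is not enough; require a role that may manage the site.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // 2. Nonce: check_ajax_referer() verifies $_REQUEST['_ajax_nonce'] against the
    //    'bwa_download_log' action for the current user and dies (HTTP 403) on failure.
    check_ajax_referer( 'bwa_download_log', '_ajax_nonce' );

    // 3. Export. fputcsv() quotes fields; the cell guard blocks spreadsheet formula injection.
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="wlm-api-log.csv"' );
    header( 'X-Content-Type-Options: nosniff' );
    $out = fopen( 'php://output', 'w' );
    fputcsv( $out, array( 'created', 'email', 'message' ) );
    foreach ( bwa_example_fetch_log_rows() as $row ) {
        fputcsv( $out, array_map( 'bwa_example_csv_cell', $row ) );
    }
    fclose( $out );
    wp_die();
}
add_action( 'wp_ajax_bwa_example_download_log_csv', 'bwa_example_download_log_csv' );
// No wp_ajax_nopriv_ registration: anonymous visitors must not reach the export.

// Neutralise cells a spreadsheet would evaluate (leading =, +, -, @, tab or CR).
function bwa_example_csv_cell( $value ) {
    $value = (string) $value;
    if ( '' !== $value && false !== strpos( "=+-@\t\r", $value[0] ) ) {
        $value = "'" . $value;
    }
    return $value;
}

// Assumed log table; rows come back as numeric arrays for fputcsv().
function bwa_example_fetch_log_rows() {
    global $wpdb;
    return $wpdb->get_results(
        "SELECT created, email, message FROM {$wpdb->prefix}bwa_log ORDER BY created DESC LIMIT 1000",
        ARRAY_N
    );
}

// On the plugin's admin page: a plain form that carries the nonce the handler expects.
function bwa_example_render_export_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-ajax.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="bwa_example_download_log_csv">';
    wp_nonce_field( 'bwa_download_log', '_ajax_nonce' );
    submit_button( __( 'Download log CSV', 'better-wlm-api' ) );
    echo '</form>';
}
```

The order matters: the capability check comes first because a nonce only proves the request originated from a page WordPress served to this user, not that the user is allowed to export anything. A scanner like the one behind this page would count the hardened function as protected because both current_user_can() and check_ajax_referer() appear in the handler's body.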
Maintenance & Trust

Better WishList API Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Mar 8, 2025
PHP min version: (not stated)
Downloads: 14K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 200
Developer Profile

Better WishList API Developer Profile

rickonline_nl · 2 plugins · 210 total installs

Trust score: 88
Avg security score: 91/100
Avg patch time: 23 days
Detection Fingerprints

How We Detect Better WishList API

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/better-wlm-api/assets/css/style-admin.css

HTML / DOM Fingerprints

HTML Comments
<!-- hint: register our custom menus -->
<!-- hint: register plugin options -->
<!-- hint: register custom css -->
<!-- hint: put the API in the loop -->
(+13 more)
FAQ

Frequently Asked Questions about Better WishList API