WOLF – WordPress Posts Bulk Editor and Manager Professional Security & Risk Analysis

wordpress.org/plugins/bulk-editor

WOLF (formerly WPBE) - a WordPress plugin for managing posts, pages, and custom types easily. Perfect for real estate, cars, etc.

4K active installs · v1.0.9 · PHP 7.4+ · WP 4.9+ · Updated Mar 2, 2026
Tags: bulk, bulk-delete, bulk-edit, bulk-editor, posts-editor
94
A · Safe
CVEs total: 13
Unpatched: 0
Last CVE: Mar 12, 2026
Safety Verdict

Is WOLF – WordPress Posts Bulk Editor and Manager Professional Safe to Use in 2026?

Generally Safe

Score 94/100

WOLF – WordPress Posts Bulk Editor and Manager Professional has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

13 known CVEs · Last CVE: Mar 12, 2026 · Updated 2mo ago
Risk Assessment

The 'bulk-editor' v1.0.9 plugin presents a mixed security posture. While it shows strengths like a lack of dangerous functions, no external HTTP requests, and a reasonable percentage of SQL queries using prepared statements, significant concerns arise from its attack surface and historical vulnerability patterns. The presence of 14 AJAX handlers without authentication checks is a critical vulnerability, exposing core plugin functionality to unauthorized access. This, coupled with a history of 12 known CVEs, including medium and low severity issues like Path Traversal, CSRF, Missing Authorization, and XSS, indicates a recurring struggle with secure coding practices.

The taint analysis, while showing no critical or high severity unsanitized paths, did identify one flow with an unsanitized path, which warrants attention. The high number of AJAX entry points without proper authorization is the most immediate and severe risk. The plugin's history of diverse vulnerability types suggests a pattern of insecure input handling and authorization flaws that have not been fully remediated over time. While the plugin has no currently unpatched CVEs and a decent rate of output escaping, the fundamental issues with access control on its AJAX endpoints and the historical context of vulnerabilities necessitate a cautious approach.

Key Concerns

  • Unprotected AJAX handlers
  • Known CVEs (12 total)
  • Taint flow with unsanitized path
  • Low percentage of prepared SQL statements
  • Limited capability checks
Vulnerabilities
13 published

WOLF – WordPress Posts Bulk Editor and Manager Professional Security Vulnerabilities

CVEs by Year

2023: 5 CVEs
2024: 7 CVEs
2026: 1 CVE

Severity Breakdown

Medium: 11
Low: 2

13 total CVEs

CVE-2026-32458 · medium · 4.9 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WOLF – WordPress Posts Bulk Editor and Manager Professional <= 1.0.8.7 - Authenticated (Editor+) SQL Injection

Mar 12, 2026 · Patched in 1.0.9 (8d)

CVE-2025-24605 · low · 2.7 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

WOLF – WordPress Posts Bulk Editor and Manager Professional <= 1.0.8.5 - Authenticated (Editor+) Path Traversal

Dec 27, 2024 · Patched in 1.0.8.6 (61d)

CVE-2024-52396 · low · 2.7 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

WOLF <= 1.0.8.3 - Authenticated (Editor+) CSV Path Traversal

Nov 11, 2024 · Patched in 1.0.8.4 (11d)

CVE-2024-34558 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WOLF – WordPress Posts Bulk Editor and Manager Professional <= 1.0.8.2 - Authenticated (Admin+) Stored Cross-Site Scripting

May 7, 2024 · Patched in 1.0.8.3 (9d)

CVE-2024-31430 · medium · 5.3 · Cross-Site Request Forgery (CSRF)

BEAR <= 1.1.4.1 & WOLF <= 1.0.8.1 - Cross-Site Request Forgery to Notice Dismissal

Apr 10, 2024 · Patched in 1.0.8.2 (8d)

CVE-2024-0791 · medium · 4.3 · Missing Authorization

WOLF – WordPress Posts Bulk Editor and Manager Professional <= 1.0.8.1 - Missing Authorization

Jan 30, 2024 · Patched in 1.0.8.2 (7d)

CVE-2024-0790 · medium · 5.4 · Cross-Site Request Forgery (CSRF)

WOLF – WordPress Posts Bulk Editor and Manager Professional <= 1.0.8.1 - Cross-Site Request Forgery

Jan 30, 2024 · Patched in 1.0.8.2 (182d)

CVE-2024-22159 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WOLF <= 1.0.8 - Unauthenticated Stored Cross-Site Scripting via profile_title

Jan 16, 2024 · Patched in 1.0.8.1 (7d)

CVE-2023-46152 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

WOLF <= 1.0.7.1 - Cross-Site Request Forgery

Oct 17, 2023 · Patched in 1.0.7.2 (98d)

CVE-2023-44990 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WOLF <= 1.0.7.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Oct 2, 2023 · Patched in 1.0.7.2 (113d)

CVE-2023-34028 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

WOLF <= 1.0.7 - Cross-Site Request Forgery via create_profile

May 29, 2023 · Patched in 1.0.7.1 (239d)

CVE-2023-31218 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WOLF <= 1.0.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting via wpbe_update_page_field

May 3, 2023 · Patched in 1.0.7 (265d)

WF-a39ca182-981b-4636-acd5-4c8a269858dd-bulk-editor · medium · 4.3 · Cross-Site Request Forgery (CSRF)

WOLF <= 1.0.6 - Cross-Site Request Forgery via wpbe_update_page_field

May 3, 2023 · Patched in 1.0.7 (265d)

Version History

WOLF – WordPress Posts Bulk Editor and Manager Professional Release Timeline

No version history available.
Code Analysis
Analyzed Mar 16, 2026

WOLF – WordPress Posts Bulk Editor and Manager Professional Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 13 (6 prepared)
Unescaped Output: 180 (504 escaped)
Nonce Checks: 28
Capability Checks: 1
File Operations: 4
External Requests: 0
Bundled Libraries: 2

Bundled Libraries

jQuery · DataTables

SQL Query Safety

32% prepared · 19 total queries

Output Escaping

74% escaped · 684 total outputs

Data Flows · Security
1 unsanitized

Data Flow Analysis

9 flows · 1 with unsanitized paths
get_post_field (index.php:691)
Attack Surface
14 unprotected

WOLF – WordPress Posts Bulk Editor and Manager Professional Attack Surface

Entry Points: 35
Unprotected: 14

AJAX Handlers 35

auth · wp_ajax_wpbe_bulk_posts_count · ext\bulk\bulk.php:21
auth · wp_ajax_wpbe_bulk_posts · ext\bulk\bulk.php:22
auth · wp_ajax_wpbe_bulk_finish · ext\bulk\bulk.php:23
auth · wp_ajax_wpbe_bulk_get_att_terms · ext\bulk\bulk.php:26
auth · wp_ajax_wpbe_bulk_delete_posts_count · ext\bulk\bulk.php:28
auth · wp_ajax_wpbe_bulk_delete_posts · ext\bulk\bulk.php:29
auth · wp_ajax_wpbe_export_posts_count · ext\export\export.php:16
auth · wp_ajax_wpbe_export_posts · ext\export\export.php:17
auth · wp_ajax_wpbe_filter_posts · ext\filters\filters.php:16
auth · wp_ajax_wpbe_reset_filter · ext\filters\filters.php:17
auth · wp_ajax_wpbe_get_filter_profile_data · ext\fprofiles\models\profiles.php:18
auth · wp_ajax_wpbe_history_revert_post · ext\history\history.php:20
auth · wp_ajax_wpbe_history_get_bulk_count · ext\history\history.php:21
auth · wp_ajax_wpbe_history_revert_bulk_portion · ext\history\history.php:22
auth · wp_ajax_wpbe_get_history_list · ext\history\history.php:23
auth · wp_ajax_wpbe_history_clear · ext\history\history.php:24
auth · wp_ajax_wpbe_history_delete_solo · ext\history\history.php:25
auth · wp_ajax_wpbe_history_delete_bulk · ext\history\history.php:26
auth · wp_ajax_wpbe_save_meta · ext\meta\meta.php:19
auth · wp_ajax_wpbe_meta_get_keys · ext\meta\meta.php:20
auth · wp_ajax_wpbe_get_posts · index.php:222
auth · wp_ajax_wpbe_update_page_field · index.php:223
auth · wp_ajax_wpbe_redraw_table_row · index.php:224
auth · wp_ajax_wpbe_get_post_field · index.php:225
auth · wp_ajax_wpbe_get_gallery · index.php:226
auth · wp_ajax_wpbe_get_upsells · index.php:227
auth · wp_ajax_wpbe_create_new_post · index.php:229
auth · wp_ajax_wpbe_duplicate_posts · index.php:230
auth · wp_ajax_wpbe_delete_posts · index.php:231
auth · wp_ajax_wpbe_create_new_term · index.php:233
auth · wp_ajax_wpbe_update_tax_term · index.php:234
auth · wp_ajax_wpbe_delete_tax_term · index.php:235
auth · wp_ajax_wpbe_set_active_post_type · index.php:237
auth · wp_ajax_wpbe_title_autocomplete · index.php:245
auth · wp_ajax_wpbe_save_options · index.php:246

WordPress Hooks 45
filter · wpbe_print_plugin_options · classes\models\profiles.php:31
action · wpbe_page_end · classes\models\profiles.php:32
filter · wpbe_apply_query_filter_data · ext\author_area\author_area.php:13
filter · wpbe_user_can_edit · ext\author_area\author_area.php:15
action · wpbe_ext_scripts · ext\bulk\bulk.php:17
action · wpbe_tools_panel_buttons_end · ext\bulk\bulk.php:18
action · wpbe_bulk_going · ext\bulk\bulk.php:31
action · wpbe_ext_scripts · ext\calculator\calculator.php:13
action · wpbe_page_end · ext\calculator\calculator.php:14
action · wpbe_ext_scripts · ext\export\export.php:13
action · wpbe_ext_scripts · ext\filters\filters.php:13
filter · wpbe_print_plugin_options · ext\filters\filters.php:20
filter · wpbe_apply_query_filter_data · ext\filters\filters.php:21
action · wpbe_tools_panel_buttons_end · ext\filters\filters.php:27
filter · posts_where · ext\filters\filters.php:467
filter · posts_where · ext\filters\filters.php:475
filter · posts_where · ext\filters\filters.php:539
action · wpbe_ext_scripts · ext\fprofiles\fprofiles.php:16
action · wpbe_tools_panel_buttons · ext\fprofiles\fprofiles.php:17
action · wpbe_page_end · ext\fprofiles\fprofiles.php:18
action · wpbe_ext_scripts · ext\history\history.php:17
action · wpbe_bulk_started · ext\history\history.php:33
action · wpbe_bulk_going · ext\history\history.php:34
action · wpbe_bulk_finished · ext\history\history.php:35
action · wpbe_before_update_page_field · ext\history\history.php:36
action · wpbe_ext_scripts · ext\meta\meta.php:16
filter · wpbe_extend_fields · ext\meta\meta.php:34
filter · wpbe_filter_text · ext\meta\meta.php:35
filter · wpbe_filter_numbers · ext\meta\meta.php:36
filter · wpbe_filter_other · ext\meta\meta.php:37
filter · wpbe_bulk_text · ext\meta\meta.php:39
filter · wpbe_bulk_number · ext\meta\meta.php:40
filter · wpbe_bulk_other · ext\meta\meta.php:41
action · admin_notices · index.php:24
action · admin_enqueue_scripts · index.php:80
filter · wpbe_post_statuses · index.php:81
action · admin_footer · index.php:90
filter · wpbe_current_language · index.php:104
action · admin_notices · index.php:115
action · admin_init · index.php:136
action · admin_menu · index.php:146
action · admin_bar_menu · index.php:153
filter · posts_where · index.php:815
action · admin_notices · index.php:1371
action · init · index.php:1461

Maintenance & Trust

WOLF – WordPress Posts Bulk Editor and Manager Professional Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 2, 2026
PHP min version: 7.4
Downloads: 69K

Community Trust

Rating: 98/100
Number of ratings: 25
Active installs: 4K

Developer Profile

WOLF – WordPress Posts Bulk Editor and Manager Professional Developer Profile

RealMag777

12 plugins · 188K total installs

Trust score: 71
Avg Security Score: 88/100
Avg Patch Time: 196 days
Detection Fingerprints

How We Detect WOLF – WordPress Posts Bulk Editor and Manager Professional

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/bulk-editor/assets/css/style.css
/wp-content/plugins/bulk-editor/assets/js/bulk-editor.js
/wp-content/plugins/bulk-editor/assets/js/fields.js
/wp-content/plugins/bulk-editor/assets/js/settings.js
/wp-content/plugins/bulk-editor/assets/js/posts.js
/wp-content/plugins/bulk-editor/assets/js/accounts.js
/wp-content/plugins/bulk-editor/assets/js/users.js
/wp-content/plugins/bulk-editor/assets/js/terms.js
+21 more
Script Paths
wp-content/plugins/bulk-editor/assets/js/bulk-editor.js
wp-content/plugins/bulk-editor/assets/js/fields.js
wp-content/plugins/bulk-editor/assets/js/settings.js
wp-content/plugins/bulk-editor/assets/js/posts.js
wp-content/plugins/bulk-editor/assets/js/accounts.js
wp-content/plugins/bulk-editor/assets/js/users.js
+10 more
Version Parameters
bulk-editor/assets/css/style.css?ver=
bulk-editor/assets/js/bulk-editor.js?ver=
bulk-editor/assets/js/fields.js?ver=
bulk-editor/assets/js/settings.js?ver=
bulk-editor/assets/js/posts.js?ver=
bulk-editor/assets/js/accounts.js?ver=
bulk-editor/assets/js/users.js?ver=
bulk-editor/assets/js/terms.js?ver=
bulk-editor/assets/js/comments.js?ver=
bulk-editor/assets/js/users_roles.js?ver=
bulk-editor/assets/js/stats.js?ver=
bulk-editor/assets/js/languages.js?ver=
bulk-editor/assets/js/plugins.js?ver=
bulk-editor/assets/js/themes.js?ver=
bulk-editor/assets/js/options.js?ver=
bulk-editor/assets/js/editor.js?ver=
bulk-editor/assets/js/helpers.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpbe-notice-dismissed
HTML Comments
<!--wpbe_ext - include extensions from wp-content folder-->
Data Attributes
data-wpbe-id
JS Globals
WPBE