Bulk Fields Editor Security & Risk Analysis

wordpress.org/plugins/bulk-user-editor

Bulk edit : users meta fields | posts/CPT categories | Gravity Forms fields

30 active installs · v1.8.0 · PHP + · WP 4.6+ · Updated Feb 15, 2020
bulk, cpt, meta, post, users
64
C · Use Caution
CVEs total: 1
Unpatched: 1
Last CVE: Apr 1, 2025
Safety Verdict

Is Bulk Fields Editor Safe to Use in 2026?

Use With Caution

Score 64/100

Bulk Fields Editor has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE · 1 unpatched · Last CVE: Apr 1, 2025 · Updated 6yr ago
Risk Assessment

The "bulk-user-editor" plugin v1.8.0 presents a significant security risk primarily due to its extensive unprotected entry points. All four identified AJAX handlers lack authorization checks, meaning any authenticated user could potentially trigger these actions, leading to unintended consequences or unauthorized operations.

While the code analysis shows no dangerous functions or external HTTP requests, the presence of unsanitized paths in the taint analysis (5 out of 5 flows) is a major concern, even if no critical or high severity vulnerabilities were found in this specific analysis. This indicates potential for path traversal or file manipulation vulnerabilities. The plugin's vulnerability history, including a currently unpatched medium severity CVE from April 2025, further reinforces the need for caution. This history, coupled with the common theme of missing authorization, suggests a recurring pattern of security oversight in the plugin's development.

In conclusion, while the absence of raw SQL queries, file operations, and external requests is a positive sign, the lack of proper authentication on AJAX handlers and the identified taint flow issues create a weak security posture. Users should exercise extreme caution, and developers should prioritize implementing robust authorization and input sanitization.

Key Concerns

  • All AJAX handlers lack authentication
  • Taint flows with unsanitized paths
  • Currently unpatched medium severity CVE
  • Missing nonce checks on AJAX
  • Low output escaping coverage
  • Missing capability checks
Vulnerabilities
1

Bulk Fields Editor Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-31752 · medium · 4.3 · Missing Authorization

Bulk Fields Editor <= 1.8.0 - Missing Authorization

Apr 1, 2025 · Unpatched
Code Analysis
Analyzed Mar 16, 2026

Bulk Fields Editor Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 · 1 prepared
Unescaped Output: 26 · 25 escaped
Nonce Checks: 0
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

50% prepared · 2 total queries

Output Escaping

49% escaped · 51 total outputs
Data Flows
5 unsanitized

Data Flow Analysis

5 flows · 5 with unsanitized paths
bue_modify_gf_fields (bulkUserEditor.php:98)
Attack Surface
4 unprotected

Bulk Fields Editor Attack Surface

Entry Points: 4
Unprotected: 4

AJAX Handlers: 4

auth · wp_ajax_bue_modify_meta · bulkUserEditor.php:58
auth · wp_ajax_bue_modify_categories · bulkUserEditor.php:63
auth · wp_ajax_bue_get_gf_form_fields · bulkUserEditor.php:68
auth · wp_ajax_bue_modify_gf_fields · bulkUserEditor.php:73

WordPress Hooks: 5

action · network_admin_menu · bulkUserEditor.php:37
action · admin_menu · bulkUserEditor.php:42
action · admin_menu · bulkUserEditor.php:48
action · admin_enqueue_scripts · bulkUserEditor.php:53
filter · gform_addon_navigation · bulkUserEditor.php:78
Maintenance & Trust

Bulk Fields Editor Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.1.22
Last updated: Feb 15, 2020
PHP min version
Downloads: 4K

Community Trust

Rating: 86/100
Number of ratings: 3
Active installs: 30
Developer Profile

Bulk Fields Editor Developer Profile

termel

14 plugins · 800 total installs

Trust score: 83
Avg Security Score: 84/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Bulk Fields Editor

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/bulk-user-editor/css/bulk-user-editor.css
/wp-content/plugins/bulk-user-editor/js/bulk-user-editor.js
Script Paths
/wp-content/plugins/bulk-user-editor/js/bulk-user-editor.js
Version Parameters
bulk-user-editor/css/bulk-user-editor.css?ver=
bulk-user-editor/js/bulk-user-editor.js?ver=

HTML / DOM Fingerprints

CSS Classes
bue-bulk-editor-container
bue-dialog
bue-editor-options
Data Attributes
data-bue-action
data-bue-type
JS Globals
bue_ajax_object
FAQ

Frequently Asked Questions about Bulk Fields Editor