
PublishPress Capabilities – User Role Editor, Access Permissions, User Capabilities, Admin Menus Security & Risk Analysis
wordpress.org/plugins/capability-manager-enhanced
PublishPress Capabilities is the access control plugin. You can manage user capabilities, permissions, user roles, admin menus and more.
Is PublishPress Capabilities – User Role Editor, Access Permissions, User Capabilities, Admin Menus Safe to Use in 2026?
Generally Safe
Score 96/100
PublishPress Capabilities – User Role Editor, Access Permissions, User Capabilities, Admin Menus has a strong security track record. Known vulnerabilities have been patched promptly.
The capability-manager-enhanced plugin v2.40.0 exhibits a mixed security posture, with several positive indicators but also notable areas of concern. The plugin demonstrates a good understanding of secure coding practices with a high percentage of SQL queries using prepared statements and a strong adherence to output escaping. The significant number of nonce and capability checks (42 and 84 respectively) also suggests an effort to protect against common WordPress attacks. However, the presence of 4 AJAX handlers without authentication checks is a significant vulnerability that could allow unauthorized users to perform actions. Furthermore, the taint analysis reveals 3 high-severity flows with unsanitized paths, indicating potential for logic flaws or injection vulnerabilities if not carefully handled.
The plugin's vulnerability history is a major red flag. With 4 previously disclosed CVEs, including one critical and two high-severity, the plugin has a track record of security issues. The common vulnerability types also point to recurring problems like deserialization, XSS, authorization bypass, and SQL injection. While there are currently no unpatched vulnerabilities, the past indicates a persistent need for vigilance and thorough auditing.
Overall, while the plugin has implemented some good security practices, the identified unprotected AJAX endpoints, critical taint flows, and historical vulnerability patterns necessitate a cautious approach and prompt updates.
Key Concerns
- Unprotected AJAX handlers
- High severity unsanitized paths (taint analysis)
- History of 4 CVEs (1 critical, 2 high)
PublishPress Capabilities – User Role Editor, Access Permissions, User Capabilities, Admin Menus Security Vulnerabilities
CVEs by Year
Severity Breakdown
4 total CVEs
PublishPress Capabilities <= 2.5.1 - Authenticated (Administrator+) PHP Object Injection
PublishPress Capabilities <= 2.3.2 - Reflected Cross-Site Scripting
PublishPress Capabilities <= 2.3 - Unauthenticated Arbitrary Options Update
PublishPress Capabilities <= 1.5.8 - Authenticated SQL Injection
PublishPress Capabilities – User Role Editor, Access Permissions, User Capabilities, Admin Menus Code Analysis
Bundled Libraries
SQL Query Safety
Output Escaping
Data Flow Analysis
PublishPress Capabilities – User Role Editor, Access Permissions, User Capabilities, Admin Menus Attack Surface
AJAX Handlers 12
WordPress Hooks 181
PublishPress Capabilities – User Role Editor, Access Permissions, User Capabilities, Admin Menus Maintenance & Trust
Maintenance Signals
Community Trust
PublishPress Capabilities – User Role Editor, Access Permissions, User Capabilities, Admin Menus Alternatives
Editorial Access Manager
editorial-access-manager
Allow for granular editorial access control for all post types in WordPress
Members – Membership & User Role Editor Plugin
members
The best WordPress membership and user role editor plugin. User Roles & Capabilities editor helps you restrict content in just a few clicks.
PublishPress Permissions: Control User Access for Posts, Pages, Categories, Tags
press-permit-core
The permissions plugin for posts, pages, categories, tags and more. You can control permissions for roles, individual users, and even custom groups.
User Roles and Capabilities
user-roles-and-capabilities
Manage user roles and Capabilities, create new roles and change default role.
Roles & Capabilities
leira-roles
Take full control of user roles and capabilities in WordPress with an intuitive, powerful interface.
PublishPress Capabilities – User Role Editor, Access Permissions, User Capabilities, Admin Menus Developer Profile
11 plugins · 272K total installs
How We Detect PublishPress Capabilities – User Role Editor, Access Permissions, User Capabilities, Admin Menus
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
- /wp-content/plugins/capability-manager-enhanced/assets/css/capability-manager-enhanced.css
- /wp-content/plugins/capability-manager-enhanced/assets/js/capability-manager-enhanced.js
- /wp-content/plugins/capability-manager-enhanced/assets/js/editor-helpers.js
- /wp-content/plugins/capability-manager-enhanced/assets/js/post-editor-helpers.js
- capability-manager-enhanced/assets/css/capability-manager-enhanced.css?ver=
- capability-manager-enhanced/assets/js/capability-manager-enhanced.js?ver=
- capability-manager-enhanced/assets/js/editor-helpers.js?ver=
- capability-manager-enhanced/assets/js/post-editor-helpers.js?ver=
HTML / DOM Fingerprints
- pp-capabilities-admin-ui
- PublishPress Capabilities [Free]
- Admin execution controller: menu registration and other filters and actions that need to be loaded for every wp-admin URL
- This module should not include full functions related to our own plugin screens.
- Instead, use these filter and action handlers to load other classes when needed.
- data-capability-manager-enhanced
- PP_Capabilities_Admin_UI
- cme_publishpress_capabilities_capabilities