Category Subscriptions Security & Risk Analysis

wordpress.org/plugins/category-subscriptions

Allow registered users to subscribe to categories giving them control over delivery times (e.g. daily or weekly digests) and format (html or text).

10 active installs · v1.1 · PHP + WP 3.0.3+ · Updated Jul 5, 2011
Tags: category, email, notification, notify, subscription
85
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Category Subscriptions Safe to Use in 2026?

Generally Safe

Score 85/100

Category Subscriptions has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 14yr ago
Risk Assessment

The "category-subscriptions" plugin v1.1 exhibits a mixed security posture. On the positive side, it demonstrates good practices by exclusively using prepared statements for all SQL queries and has no recorded history of vulnerabilities, suggesting a generally secure development approach or diligent maintenance. There are also no external HTTP requests or file operations, which limits potential attack vectors.

However, several concerns arise from the static analysis. The presence of 12 instances of the deprecated `create_function` is a significant red flag, as this function is known to be a security risk and can lead to code injection vulnerabilities. The fact that 39% of output is not properly escaped also presents a risk of cross-site scripting (XSS) vulnerabilities. Furthermore, the complete absence of nonce checks across all entry points, coupled with only three capability checks for a plugin that might handle user subscriptions, suggests potential authorization bypass or unauthorized action vulnerabilities. The presence of 6 cron events also introduces a potential attack surface that requires careful review for proper authorization.

While the plugin's vulnerability history is clean, this does not negate the risks identified in the code. Removing `create_function`, escaping all output, and adding robust nonce and capability checks on all relevant entry points would significantly strengthen its security. The current configuration presents potential for exploitation despite a clean past.

Key Concerns

  • Presence of dangerous function create_function
  • Significant portion of output not escaped
  • Missing nonce checks on entry points
  • Limited capability checks for entry points
Vulnerabilities
None known

Category Subscriptions Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Category Subscriptions Release Timeline

v1.1 (Current)
v1.0
Code Analysis
Analyzed Mar 17, 2026

Category Subscriptions Code Analysis

Dangerous Functions: 12
Raw SQL Queries: 0 (32 prepared)
Unescaped Output: 22 (35 escaped)
Nonce Checks: 0
Capability Checks: 3
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

  • create_function: `$category_conditions = array_map(create_function('$a','return "category_ID = %d";'),$categories);` (includes\category_subscriptions_class.php:209)
  • create_function: `add_filter('wp_mail_from_name', create_function('','return get_bloginfo("name");') );` (includes\category_subscriptions_message.php:35)
  • create_function: `add_filter('wp_mail_content_type',create_function('', 'return "text/html"; '));` (includes\category_subscriptions_message.php:41)
  • create_function: `add_filter('wp_mail_content_type',create_function('', 'return "text/plain"; '));` (includes\category_subscriptions_message.php:44)
  • create_function: `'PROFILE_URL' => create_function( '', 'return admin_url("profile.php");' ),` (includes\category_subscriptions_template.php:19)
  • create_function: `'SITE_TITLE' => create_function( '', 'return get_bloginfo("name");' ),` (includes\category_subscriptions_template.php:20)
  • create_function: `'DESCRIPTION' => create_function( '', 'return get_bloginfo("description");'),` (includes\category_subscriptions_template.php:21)
  • create_function: `'SITE_URL' => create_function( '', 'return get_bloginfo("url");' ),` (includes\category_subscriptions_template.php:22)
  • create_function: `'ADMIN_EMAIL' => create_function('', 'return get_bloginfo("admin_email");' ),` (includes\category_subscriptions_template.php:23)
  • create_function: `'DATE' => create_function('', 'return date(get_option("date_format"));'),` (includes\category_subscriptions_template.php:24)
  • create_function: `'TIME' => create_function('', 'return date(get_option("time_format"));'),` (includes\category_subscriptions_template.php:25)
  • create_function: `'STYLESHEET_DIRECTORY' => create_function( '', 'return get_bloginfo("stylesheet_directory");' )` (includes\category_subscriptions_template.php:26)

SQL Query Safety

100% prepared · 32 total queries

Output Escaping

61% escaped · 57 total outputs
Attack Surface

Category Subscriptions Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks 24

  • action: my_cat_sub_send_individual_messages (category_subscriptions.php:32)
  • action: my_cat_sub_prepare_daily_messages (category_subscriptions.php:33)
  • action: my_cat_sub_prepare_weekly_messages (category_subscriptions.php:34)
  • action: my_cat_sub_send_digested_messages (category_subscriptions.php:36)
  • filter: manage_users_columns (category_subscriptions.php:44)
  • filter: manage_users_custom_column (category_subscriptions.php:45)
  • action: admin_head (category_subscriptions.php:46)
  • action: edit_user_profile (category_subscriptions.php:53)
  • action: edit_user_profile_update (category_subscriptions.php:54)
  • action: profile_personal_options (category_subscriptions.php:58)
  • action: personal_options_update (category_subscriptions.php:59)
  • action: save_post (category_subscriptions.php:62)
  • action: trashed_post (category_subscriptions.php:65)
  • action: admin_menu (category_subscriptions.php:68)
  • action: delete_user (category_subscriptions.php:73)
  • action: wpmu_delete_user (category_subscriptions.php:74)
  • action: make_spam_user (category_subscriptions.php:77)
  • action: remove_user_from_blog (category_subscriptions.php:80)
  • filter: posts_where (includes\category_subscriptions_class.php:343)
  • filter: posts_where (includes\category_subscriptions_class.php:345)
  • filter: wp_mail_from_name (includes\category_subscriptions_message.php:33)
  • filter: wp_mail_from_name (includes\category_subscriptions_message.php:35)
  • filter: wp_mail_content_type (includes\category_subscriptions_message.php:41)
  • filter: wp_mail_content_type (includes\category_subscriptions_message.php:44)

Scheduled Events 6

my_cat_sub_prepare_daily_messages
my_cat_sub_prepare_weekly_messages
my_cat_sub_send_individual_messages
my_cat_sub_send_digested_messages
my_cat_sub_send_digested_messages
my_cat_sub_send_individual_messages
Maintenance & Trust

Category Subscriptions Maintenance & Trust

Maintenance Signals

WordPress version tested: 3.1.4
Last updated: Jul 5, 2011
PHP min version
Downloads: 5K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 10
Developer Profile

Category Subscriptions Developer Profile

Dan Collis-Puro

1 plugin · 10 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Category Subscriptions

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/category-subscriptions/stylesheets/admin.css
  • /wp-content/plugins/category-subscriptions/javascripts/jquery.cookie.js
  • /wp-content/plugins/category-subscriptions/javascripts/admin.js
Version Parameters
  • category-subscriptions/stylesheets/admin.css?ver=
  • category-subscriptions/javascripts/jquery.cookie.js?ver=
  • category-subscriptions/javascripts/admin.js?ver=

HTML / DOM Fingerprints

HTML Comments
  • <!-- Debugging. . . -->
  • <!-- Cron functions -->
  • <!-- Bulk editing -->
  • <!-- Doesn't work. You can only remove actions from the bulk edit menu. :-( -->
  • +11 more
FAQ

Frequently Asked Questions about Category Subscriptions