Changeloger – Release Notes & Changelog Manager Security & Risk Analysis

wordpress.org/plugins/changeloger

The all-in-one changelog, release notes, public roadmap, and user feedback plugin for WordPress. Beautiful visual designs out of the box.

300 active installs · v1.7.0 · PHP 7.4+ · WP 6.0+ · Updated Mar 9, 2026
changelog · feedback · product-updates · release-notes · roadmap
100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Changeloger – Release Notes & Changelog Manager Safe to Use in 2026?

Generally Safe

Score 100/100

Changeloger – Release Notes & Changelog Manager has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 25d ago
Risk Assessment

The "changeloger" plugin v1.7.0 presents a mixed security posture. On the positive side, it demonstrates good practices by using prepared statements for all SQL queries and a high percentage of properly escaped outputs. The absence of known vulnerabilities (CVEs) and a clean vulnerability history is also a significant strength, suggesting the developers have historically prioritized security. However, the static analysis reveals several areas of concern.

A notable risk lies in the plugin's attack surface. Of its 13 REST API routes, 7 lack permission callbacks, meaning they are accessible without proper authentication or authorization checks. This creates a significant entry point for potential attackers. The presence of the "unserialize" function is a further red flag: it can be a source of critical vulnerabilities if not handled with extreme care, especially when dealing with user-supplied data. The taint analysis did not reveal critical or high severity issues, but the "flows with unsanitized paths" it reported warrant caution, as they could lead to vulnerabilities if combined with other insecure code patterns.

In conclusion, while the plugin benefits from a clean vulnerability history and good practices in SQL and output handling, the unprotected REST API routes and the use of "unserialize" represent tangible risks that require attention. The taint analysis, though not critical, highlights a need for careful review of data handling. Addressing these specific areas would significantly improve the plugin's overall security.

Key Concerns

  • Unprotected REST API routes
  • Use of unserialize function
  • Flows with unsanitized paths
Vulnerabilities
None known

Changeloger – Release Notes & Changelog Manager Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Changeloger – Release Notes & Changelog Manager Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (14 prepared)
Unescaped Output: 21 (337 escaped)
Nonce Checks: 5
Capability Checks: 8
File Operations: 1
External Requests: 3
Bundled Libraries: 1

Dangerous Functions Found

unserialize · $val = unserialize( $val ); · includes\class-changeloger-demo-importer.php:253

Bundled Libraries

Freemius 1.0

SQL Query Safety

100% prepared · 14 total queries

Output Escaping

94% escaped · 358 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

3 flows · 1 with unsanitized paths
ajax_dismiss_content (includes\class-remote-notice-client.php:358)
Attack Surface
7 unprotected

Changeloger – Release Notes & Changelog Manager Attack Surface

Entry Points: 13
Unprotected: 7

REST API Routes 13

POST /wp-json/changeloger/v1/setup/complete · admin\class-changeloger-setup-wizard.php:211
POST /wp-json/changeloger/v1/setup/save-settings · admin\class-changeloger-setup-wizard.php:219
GET /wp-json/changeloger/v1/fetch-txt · includes\rest-api.php:44
GET /wp-json/changeloger/v1/preview-url · includes\rest-api.php:51
GET /wp-json/changeloger/v1/create-release-page · includes\rest-api.php:64
GET /wp-json/changeloger/v1/releases · includes\rest-api.php:81
GET /wp-json/changeloger/v1/releases/(?P<id>\d+) · includes\rest-api.php:116
GET /wp-json/changeloger/v1/releases/stats · includes\rest-api.php:134
GET /wp-json/changeloger/v1/products · includes\rest-api.php:147
GET /wp-json/changeloger/v1/products/(?P<id>\d+) · includes\rest-api.php:160
GET /wp-json/changeloger/v1/import-sample · includes\rest-api.php:174
GET /wp-json/changeloger/v1/badges · includes\rest-api.php:186
GET /wp-json/changeloger/v1/badges/(?P<id>\d+) · includes\rest-api.php:199
WordPress Hooks 33
action · admin_menu · admin\class-changeloger-admin.php:36
action · admin_enqueue_scripts · admin\class-changeloger-admin.php:37
action · admin_init · admin\class-changeloger-admin.php:309
action · admin_enqueue_scripts · admin\class-changeloger-block-analytics.php:32
action · admin_enqueue_scripts · admin\class-changeloger-dashboard.php:22
action · admin_enqueue_scripts · admin\class-changeloger-releases.php:18
action · admin_menu · admin\class-changeloger-setup-wizard.php:53
action · admin_enqueue_scripts · admin\class-changeloger-setup-wizard.php:54
action · admin_init · admin\class-changeloger-setup-wizard.php:55
action · rest_api_init · admin\class-changeloger-setup-wizard.php:56
filter · hide_freemius_powered_by · changeloger.php:68
action · init · changeloger.php:106
filter · content_save_pre · changeloger.php:110
filter · the_post · changeloger.php:111
action · init · changeloger.php:113
action · after_setup_theme · changeloger.php:222
action · plugins_loaded · changeloger.php:228
action · admin_init · includes\class-remote-notice-client.php:115
action · admin_notices · includes\class-remote-notice-client.php:118
action · enqueue_block_editor_assets · includes\enqueue-assets.php:23
action · enqueue_block_assets · includes\enqueue-assets.php:24
filter · template_include · includes\frontend.php:30
filter · single_template · includes\frontend.php:31
filter · theme_page_templates · includes\frontend.php:32
action · wp_enqueue_scripts · includes\frontend.php:33
action · init · includes\frontend.php:34
action · enqueue_block_editor_assets · includes\frontend.php:35
action · save_post · includes\frontend.php:36
action · init · includes\meta.php:33
action · add_meta_boxes · includes\meta.php:34
action · init · includes\post-types.php:58
action · init · includes\post-types.php:59
action · rest_api_init · includes\rest-api.php:34
Maintenance & Trust

Changeloger – Release Notes & Changelog Manager Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 9, 2026
PHP min version: 7.4
Downloads: 4K

Community Trust

Rating: 100/100
Number of ratings: 5
Active installs: 300
Developer Profile

Changeloger – Release Notes & Changelog Manager Developer Profile

Spider Themes

7 plugins · 14K total installs

Trust score: 78
Avg Security Score: 98/100
Avg Patch Time: 109 days
Detection Fingerprints

How We Detect Changeloger – Release Notes & Changelog Manager

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/changeloger/assets/css/frontend.css
/wp-content/plugins/changeloger/assets/js/frontend.js
/wp-content/plugins/changeloger/assets/css/changeloger.css
/wp-content/plugins/changeloger/assets/js/changeloger.js
Script Paths
/wp-content/plugins/changeloger/assets/js/frontend.js
/wp-content/plugins/changeloger/assets/js/changeloger.js
Version Parameters
changeloger/assets/css/frontend.css?ver=
changeloger/assets/js/frontend.js?ver=
changeloger/assets/css/changeloger.css?ver=
changeloger/assets/js/changeloger.js?ver=

HTML / DOM Fingerprints

CSS Classes
wp-block-changeloger-changelog-block
HTML Comments
<!-- wp:block/changeloger
<!-- wp:cha/changeloger
JS Globals
changelogerBlocks
REST Endpoints
/wp-json/changeloger/v1/changelog
FAQ

Frequently Asked Questions about Changeloger – Release Notes & Changelog Manager