
Checklist Security & Risk Analysis
wordpress.org/plugins/checklist
Turn any list in your blog to a beautiful interactive checklist. Print, Use, Share, Download to Mobile and more. 100% Free.
Is Checklist Safe to Use in 2026?
Use With Caution
Score 63/100
Checklist has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.
The "checklist" plugin v1.1.9 exhibits a mixed security posture. While it demonstrates good practices by utilizing prepared statements for all SQL queries and avoiding dangerous functions and file operations, significant concerns exist regarding output escaping and its vulnerability history. The static analysis reveals that 100% of outputs are not properly escaped, presenting a substantial risk of Cross-Site Scripting (XSS) vulnerabilities. This is further amplified by the taint analysis, which shows two flows with unsanitized paths, indicating potential for malicious input to reach sensitive functions.
The plugin's vulnerability history is particularly concerning, with two known CVEs, one of which remains unpatched. The common vulnerability type reported is Cross-Site Scripting, which correlates directly with the unescaped output identified in the static analysis. The presence of an unpatched medium-severity vulnerability is a critical issue that requires immediate attention. The plugin has a limited attack surface and no apparent unprotected entry points, but the combination of widespread output escaping issues and a history of XSS vulnerabilities, including an unpatched one, means that, despite some good practices, it carries a significant and ongoing risk to WordPress installations.
Key Concerns
- Unpatched CVEs
- Unescaped output detected
- Taint flows with unsanitized paths
- No nonce checks
- No capability checks
Checklist Security Vulnerabilities
CVEs by Year
Severity Breakdown
2 total CVEs
Checklist <= 1.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
Checklist <= 1.1.8 - Cross-Site Scripting
Checklist Code Analysis
Bundled Libraries
Output Escaping
Data Flow Analysis
Checklist Attack Surface
Shortcodes 2
WordPress Hooks 8
Checklist Maintenance & Trust
Maintenance Signals
Community Trust
Checklist Alternatives
To Do List Member
todo-lists-for-membership-sites
To Do List Member adds todolists and tasks using custom taxonomy and post type to your blog.
Checklist in Post
checklist-in-post
Allow creating checklists in posts based on bulleted list.
Docket WP
docket-wp
The Docket WP plugin connects your Docket WP account into any WordPress installation. You will need a Docket WP account in order to use the plugin.
Todo Block
todo-block
Adds ToDo list block that shows checkboxes on frontend and backend of your site.
Lists Shortcode and Widget
lists-shortcode-and-widget
Create Lists. Nice and easy interface. Insert anywhere in your site - page/post editor, sidebars, template files.
Checklist Developer Profile
2 plugins · 410 total installs
How We Detect Checklist
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
- /wp-content/plugins/checklist/images/ic_print_white_24px.php
- /wp-content/plugins/checklist/images/checklist-icon.php
- /wp-content/plugins/checklist/css/checklist.css
- /wp-content/plugins/checklist/js/checklist.js
HTML / DOM Fingerprints
- checklist-button
- checklist-image
- checklist-buttons
- checklist-box
- checklist-title
- checklist-powered
- onclick
- <div class="checklist-buttons" id="checklist-id-
- <div id="checklist-id-
- class="checklist-box"
- class="checklist-title">