CiviCRM Member Sync Security & Risk Analysis

wordpress.org/plugins/civicrm-wp-member-sync

Keep WordPress Users in sync with CiviCRM Memberships by granting either a Role or Capabilities to Users with that Membership.

800 active installs v0.6.4 PHP 7.4+ WP 4.9+ Updated Jan 30, 2026
civicrm, member, membership, sync
100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is CiviCRM Member Sync Safe to Use in 2026?

Generally Safe

Score 100/100

CiviCRM Member Sync has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 3mo ago
Risk Assessment

The civicrm-wp-member-sync plugin v0.6.4 demonstrates several positive security practices, including the absence of dangerous functions, all SQL queries utilizing prepared statements, and no file operations or external HTTP requests. The plugin also has a clean vulnerability history with zero known CVEs, indicating a generally well-maintained codebase. The presence of nonce and capability checks, along with a relatively small number of entry points, further contribute to a reasonable security posture.

However, there are notable areas of concern. The plugin exposes one AJAX handler without any authentication checks, creating a significant attack vector that could be exploited by unauthenticated users. While taint analysis found no issues, the limited scope of analysis (0 flows analyzed) means this finding should be taken with caution and deeper inspection might be warranted. The output escaping, while present, is not fully comprehensive, with 37% of outputs not properly escaped, which could lead to cross-site scripting (XSS) vulnerabilities if user-supplied data is not handled carefully.

In conclusion, the plugin has a good foundation with secure SQL practices and a clear history. The primary weakness lies in the unprotected AJAX endpoint, which requires immediate attention. The partially unescaped output is a secondary concern that also merits remediation. Given the lack of known vulnerabilities, proactive patching isn't an immediate issue, but addressing the identified code weaknesses will significantly strengthen the plugin's overall security.

Key Concerns

  • AJAX handler without authentication
  • Improper output escaping
Vulnerabilities
None known

CiviCRM Member Sync Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

CiviCRM Member Sync Release Timeline

v0.6.4 (Current)
v0.6.3
v0.6.2
v0.6.1
v0.6.0
v0.5.5
v0.5.4
v0.5.3
v0.5.2
v0.5.1
v0.5
v0.4.7
v0.4.6
v0.4.5
v0.4.4
v0.4.3
v0.4.2
v0.4.1
v0.4
v0.3.8
Code Analysis
Analyzed Mar 16, 2026

CiviCRM Member Sync Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (8 prepared)
Unescaped Output: 13 (22 escaped)
Nonce Checks: 6
Capability Checks: 5
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared, 8 total queries

Output Escaping

63% escaped, 35 total outputs
Attack Surface
1 unprotected

CiviCRM Member Sync Attack Surface

Entry Points: 3
Unprotected: 1

AJAX Handlers: 3

auth: wp_ajax_civi_wp_member_sync_get_bp_groups (includes\civi-wp-ms-buddypress.php:134)
auth: wp_ajax_civi_wp_member_sync_get_groups (includes\civi-wp-ms-groups.php:136)
auth: wp_ajax_sync_memberships (includes\civi-wp-ms-members.php:129)

WordPress Hooks: 94

action: civicrm_instance_loaded (civicrm-wp-member-sync.php:171)
action: plugins_loaded (civicrm-wp-member-sync.php:174)
filter: network_admin_plugin_action_links (civicrm-wp-member-sync.php:177)
filter: plugin_action_links (civicrm-wp-member-sync.php:178)
action: cwms/admin/loaded (includes\civi-wp-ms-admin-cau.php:95)
filter: cau/single_users/user_table/query_args (includes\civi-wp-ms-admin-cau.php:122)
filter: cau/single_users/user_table/query_args (includes\civi-wp-ms-admin-cau.php:123)
filter: cau/single_users/user_table/query_args (includes\civi-wp-ms-admin-cau.php:124)
action: cau/single_users/user_table/prepared_items (includes\civi-wp-ms-admin-cau.php:127)
filter: cau/single_users/user_table/get_views (includes\civi-wp-ms-admin-cau.php:130)
filter: cau/single_users/user_table/columns (includes\civi-wp-ms-admin-cau.php:133)
filter: cau/single_users/user_table/custom_column (includes\civi-wp-ms-admin-cau.php:134)
filter: cau/single_users/user_table/columns (includes\civi-wp-ms-admin-cau.php:137)
filter: cau/single_users/user_table/custom_column (includes\civi-wp-ms-admin-cau.php:138)
action: civi_wp_member_sync_initialised (includes\civi-wp-ms-admin.php:166)
action: network_admin_menu (includes\civi-wp-ms-admin.php:323)
action: admin_menu (includes\civi-wp-ms-admin.php:325)
action: civi_wp_member_sync_initialised (includes\civi-wp-ms-buddypress.php:58)
action: init (includes\civi-wp-ms-buddypress.php:70)
filter: civi_wp_member_sync_rules_css_dependencies (includes\civi-wp-ms-buddypress.php:130)
filter: civi_wp_member_sync_rules_js_dependencies (includes\civi-wp-ms-buddypress.php:131)
action: civi_wp_member_sync_rule_pre_save (includes\civi-wp-ms-buddypress.php:137)
action: civi_wp_member_sync_rule_apply_caps_current (includes\civi-wp-ms-buddypress.php:140)
action: civi_wp_member_sync_rule_apply_caps_expired (includes\civi-wp-ms-buddypress.php:141)
action: civi_wp_member_sync_rule_apply_roles_current (includes\civi-wp-ms-buddypress.php:142)
action: civi_wp_member_sync_rule_apply_roles_expired (includes\civi-wp-ms-buddypress.php:143)
action: civi_wp_member_sync_rule_undo_roles (includes\civi-wp-ms-buddypress.php:146)
action: civi_wp_member_sync_rule_undo_caps (includes\civi-wp-ms-buddypress.php:147)
action: civi_wp_member_sync_list_caps_th_after_current (includes\civi-wp-ms-buddypress.php:150)
action: civi_wp_member_sync_list_caps_td_after_current (includes\civi-wp-ms-buddypress.php:151)
action: civi_wp_member_sync_list_caps_th_after_expiry (includes\civi-wp-ms-buddypress.php:152)
action: civi_wp_member_sync_list_caps_td_after_expiry (includes\civi-wp-ms-buddypress.php:153)
action: civi_wp_member_sync_list_roles_th_after_current (includes\civi-wp-ms-buddypress.php:154)
action: civi_wp_member_sync_list_roles_td_after_current (includes\civi-wp-ms-buddypress.php:155)
action: civi_wp_member_sync_list_roles_th_after_expiry (includes\civi-wp-ms-buddypress.php:156)
action: civi_wp_member_sync_list_roles_td_after_expiry (includes\civi-wp-ms-buddypress.php:157)
action: civi_wp_member_sync_cap_add_after_current (includes\civi-wp-ms-buddypress.php:160)
action: civi_wp_member_sync_cap_add_after_expiry (includes\civi-wp-ms-buddypress.php:161)
action: civi_wp_member_sync_role_add_after_current (includes\civi-wp-ms-buddypress.php:162)
action: civi_wp_member_sync_role_add_after_expiry (includes\civi-wp-ms-buddypress.php:163)
action: civi_wp_member_sync_cap_edit_after_current (includes\civi-wp-ms-buddypress.php:166)
action: civi_wp_member_sync_cap_edit_after_expiry (includes\civi-wp-ms-buddypress.php:167)
action: civi_wp_member_sync_role_edit_after_current (includes\civi-wp-ms-buddypress.php:168)
action: civi_wp_member_sync_role_edit_after_expiry (includes\civi-wp-ms-buddypress.php:169)
action: cwms/manual_sync/feedback/th (includes\civi-wp-ms-buddypress.php:172)
action: cwms/manual_sync/feedback/td (includes\civi-wp-ms-buddypress.php:173)
action: civi_wp_member_sync_initialised (includes\civi-wp-ms-groups.php:66)
action: init (includes\civi-wp-ms-groups.php:78)
action: civi_wp_member_sync_rule_add_capabilities (includes\civi-wp-ms-groups.php:112)
action: civi_wp_member_sync_rule_edit_capabilities (includes\civi-wp-ms-groups.php:115)
action: civi_wp_member_sync_rule_delete_capabilities (includes\civi-wp-ms-groups.php:118)
action: civi_wp_member_sync_pre_sync_all (includes\civi-wp-ms-groups.php:121)
filter: civi_wp_member_sync_rules_css_dependencies (includes\civi-wp-ms-groups.php:132)
filter: civi_wp_member_sync_rules_js_dependencies (includes\civi-wp-ms-groups.php:133)
action: civi_wp_member_sync_rule_pre_save (includes\civi-wp-ms-groups.php:139)
action: civi_wp_member_sync_rule_apply_caps_current (includes\civi-wp-ms-groups.php:142)
action: civi_wp_member_sync_rule_apply_caps_expired (includes\civi-wp-ms-groups.php:143)
action: civi_wp_member_sync_rule_apply_roles_current (includes\civi-wp-ms-groups.php:144)
action: civi_wp_member_sync_rule_apply_roles_expired (includes\civi-wp-ms-groups.php:145)
action: civi_wp_member_sync_rule_undo_roles (includes\civi-wp-ms-groups.php:148)
action: civi_wp_member_sync_rule_undo_caps (includes\civi-wp-ms-groups.php:149)
action: civi_wp_member_sync_list_caps_th_after_current (includes\civi-wp-ms-groups.php:152)
action: civi_wp_member_sync_list_caps_td_after_current (includes\civi-wp-ms-groups.php:153)
action: civi_wp_member_sync_list_caps_th_after_expiry (includes\civi-wp-ms-groups.php:154)
action: civi_wp_member_sync_list_caps_td_after_expiry (includes\civi-wp-ms-groups.php:155)
action: civi_wp_member_sync_list_roles_th_after_current (includes\civi-wp-ms-groups.php:156)
action: civi_wp_member_sync_list_roles_td_after_current (includes\civi-wp-ms-groups.php:157)
action: civi_wp_member_sync_list_roles_th_after_expiry (includes\civi-wp-ms-groups.php:158)
action: civi_wp_member_sync_list_roles_td_after_expiry (includes\civi-wp-ms-groups.php:159)
action: civi_wp_member_sync_cap_add_after_current (includes\civi-wp-ms-groups.php:162)
action: civi_wp_member_sync_cap_add_after_expiry (includes\civi-wp-ms-groups.php:163)
action: civi_wp_member_sync_role_add_after_current (includes\civi-wp-ms-groups.php:164)
action: civi_wp_member_sync_role_add_after_expiry (includes\civi-wp-ms-groups.php:165)
action: civi_wp_member_sync_cap_edit_after_current (includes\civi-wp-ms-groups.php:168)
action: civi_wp_member_sync_cap_edit_after_expiry (includes\civi-wp-ms-groups.php:169)
action: civi_wp_member_sync_role_edit_after_current (includes\civi-wp-ms-groups.php:170)
action: civi_wp_member_sync_role_edit_after_expiry (includes\civi-wp-ms-groups.php:171)
action: cwms/manual_sync/feedback/th (includes\civi-wp-ms-groups.php:174)
action: cwms/manual_sync/feedback/td (includes\civi-wp-ms-groups.php:175)
action: civi_wp_member_sync_initialised (includes\civi-wp-ms-members.php:78)
action: wp_login (includes\civi-wp-ms-members.php:98)
action: clear_auth_cookie (includes\civi-wp-ms-members.php:101)
action: civicrm_postProcess (includes\civi-wp-ms-members.php:112)
action: civicrm_pre (includes\civi-wp-ms-members.php:115)
action: civicrm_post (includes\civi-wp-ms-members.php:118)
action: civicrm_post (includes\civi-wp-ms-members.php:121)
filter: civi_wp_member_sync_memberships_get (includes\civi-wp-ms-members.php:134)
action: civi_wp_member_sync_initialised (includes\civi-wp-ms-schedule.php:45)
action: civi_wp_member_sync_refresh (includes\civi-wp-ms-schedule.php:71)
action: civi_wp_member_sync_initialised (includes\civi-wp-ms-users.php:56)
action: user_register (includes\civi-wp-ms-users.php:994)
action: profile_update (includes\civi-wp-ms-users.php:995)
action: user_register (includes\civi-wp-ms-users.php:1000)
action: profile_update (includes\civi-wp-ms-users.php:1001)

Scheduled Events: 1

civi_wp_member_sync_refresh
Maintenance & Trust

CiviCRM Member Sync Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 30, 2026
PHP min version: 7.4
Downloads: 28K

Community Trust

Rating: 100/100
Number of ratings: 4
Active installs: 800
Developer Profile

CiviCRM Member Sync Developer Profile

Christian Wach

8 plugins · 2K total installs

Trust score: 90
Avg Security Score: 94/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect CiviCRM Member Sync

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/civicrm-wp-member-sync/css/civi-wp-ms-admin.css
/wp-content/plugins/civicrm-wp-member-sync/css/civi-wp-ms-members.css
/wp-content/plugins/civicrm-wp-member-sync/css/civi-wp-ms-schedule.css
/wp-content/plugins/civicrm-wp-member-sync/css/civi-wp-ms-users.css
/wp-content/plugins/civicrm-wp-member-sync/js/civi-wp-ms-admin.js
/wp-content/plugins/civicrm-wp-member-sync/js/civi-wp-ms-members.js
/wp-content/plugins/civicrm-wp-member-sync/js/civi-wp-ms-schedule.js
/wp-content/plugins/civicrm-wp-member-sync/js/civi-wp-ms-users.js
Version Parameters
civicrm-wp-member-sync/css/civi-wp-ms-admin.css?ver=
civicrm-wp-member-sync/css/civi-wp-ms-members.css?ver=
civicrm-wp-member-sync/css/civi-wp-ms-schedule.css?ver=
civicrm-wp-member-sync/css/civi-wp-ms-users.css?ver=
civicrm-wp-member-sync/js/civi-wp-ms-admin.js?ver=
civicrm-wp-member-sync/js/civi-wp-ms-members.js?ver=
civicrm-wp-member-sync/js/civi-wp-ms-schedule.js?ver=
civicrm-wp-member-sync/js/civi-wp-ms-users.js?ver=

HTML / DOM Fingerprints

CSS Classes
civi-wp-ms-admin
civi-wp-ms-members
civi-wp-ms-schedule
civi-wp-ms-users
HTML Comments
<!-- CiviCRM Member Sync -->
<!-- Civi_WP_Member_Sync -->
<!-- Civi-WP_Member_Sync_Admin -->
<!-- Civi_WP_Member_Sync_Members -->
+2 more
Data Attributes
data-civi-wp-ms-admin-nonce
data-civi-wp-ms-members-nonce
data-civi-wp-ms-schedule-nonce
data-civi-wp-ms-users-nonce
JS Globals
CiviWpMemberSyncAdmin
CiviWpMemberSyncMembers
CiviWpMemberSyncSchedule
CiviWpMemberSyncUsers
REST Endpoints
/wp-json/civicrm-wp-member-sync/