
Conditional Menus Security & Risk Analysis
wordpress.org/plugins/conditional-menus
This plugin enables you to set conditional menus per posts, pages, categories, archive pages, etc.
Is Conditional Menus Safe to Use in 2026?
Generally Safe
Score 100/100
Conditional Menus has a strong security track record. Known vulnerabilities have been patched promptly.
The 'conditional-menus' plugin version 1.2.7 presents a mixed security posture. On the positive side, the plugin demonstrates good practices by utilizing prepared statements for all SQL queries and appears to have no unpatched known vulnerabilities. The static analysis also shows no critical or high-severity taint flows, and all identified entry points (AJAX handlers) have nonce checks, indicating an effort to protect against CSRF attacks.
However, there are notable concerns. A significant portion of output (83%) is not properly escaped, creating a substantial risk of Cross-Site Scripting (XSS) vulnerabilities. While there are no critical taint flows identified, unescaped output is a direct pathway for XSS. Furthermore, the plugin lacks capability checks on its AJAX handlers, meaning any authenticated user, regardless of their role, can potentially trigger these handlers. The vulnerability history shows a past medium severity XSS vulnerability, which aligns with the current code analysis finding of widespread unescaped output. This suggests a recurring pattern of insufficient output sanitization.
In conclusion, while the plugin has strengths in its SQL handling and lack of unpatched CVEs, the prevalent issue of unescaped output represents a significant security weakness. The absence of capability checks on AJAX handlers further exacerbates this risk by lowering the barrier to exploitation for authenticated users. These issues necessitate attention to improve the overall security of the plugin.
Key Concerns
- High percentage of unescaped output
- AJAX handlers lack capability checks
Conditional Menus Security Vulnerabilities
CVEs by Year
Severity Breakdown
1 total CVE
Conditional Menus <= 1.2.0 - Reflected Cross-Site Scripting
Conditional Menus Code Analysis
Output Escaping
Data Flow Analysis
Conditional Menus Attack Surface
AJAX Handlers: 2
WordPress Hooks: 15
Conditional Menus Maintenance & Trust
Maintenance Signals
Community Trust
Conditional Menus Alternatives
Widget Manager Light
widget-manager-light
Widget Manager lets you control on which pages widgets appear via nice and easy interface. Show or hide widgets. Display relevant content on your page …
Widget Logic Visual
widget-logic-visual
Widget Logic Visual Version lets you control on which pages widgets appear using WP's conditional tags without having to know how conditional tag …
Missing Menu Items
missing-menu-items
Adds missing menu items into your Appearance menu in the WordPress admin area to make maneuvering to useful WordPress editor features easy.
Admin Menu Editor
admin-menu-editor
Lets you edit the WordPress admin menu. You can re-order, hide or rename menus, add custom menus and more.
PublishPress Capabilities – User Role Editor, Access Permissions, User Capabilities, Admin Menus
capability-manager-enhanced
PublishPress Capabilities is the access control plugin. You can manage user capabilities, permissions, user roles, admin menus and more.
Conditional Menus Developer Profile
10 plugins · 140K total installs
How We Detect Conditional Menus
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
- /wp-content/plugins/conditional-menus/assets/admin.css
- /wp-content/plugins/conditional-menus/assets/admin.js
- conditional-menus/assets/admin.css?ver=
- conditional-menus/assets/admin.js?ver=
HTML / DOM Fingerprints
- themify_conditional_menus_wrapper
- data-themify-cm-menu-id
- themify_cm_nonce
- themify_cm_admin_url