Content Control – The Ultimate Content Restriction Plugin! Restrict Content, Create Conditional Blocks & More Security & Risk Analysis

wordpress.org/plugins/content-control

Restrict content based on login status, user roles, device type & more. Monetize your content with a paywall or members-only content.

40K active installs · v2.6.5 · PHP 7.4+ · WP 6.2+ · Updated May 27, 2025
Tags: access-control, content-restriction, maintenance-mode, members-only, membership
Score: 96 (A · Safe)
CVEs total: 4
Unpatched: 0
Last CVE: May 7, 2025
Safety Verdict

Is Content Control – The Ultimate Content Restriction Plugin! Restrict Content, Create Conditional Blocks & More Safe to Use in 2026?

Generally Safe

Score 96/100

Content Control – The Ultimate Content Restriction Plugin! Restrict Content, Create Conditional Blocks & More has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: May 7, 2025 · Updated 10mo ago
Risk Assessment

The "content-control" plugin v2.6.5 exhibits a mixed security posture. While it demonstrates good practices such as a high percentage of SQL queries using prepared statements and proper output escaping, and a good number of capability checks, there are significant concerns regarding its attack surface. A notable portion of its AJAX handlers lack authentication checks, presenting a potential entry point for unauthorized actions. Furthermore, the plugin has a history of documented vulnerabilities, specifically Cross-site Scripting and Information Exposure, with four medium-severity CVEs in its past. Although there are no currently unpatched vulnerabilities, this history suggests a recurring pattern of security weaknesses that require careful monitoring and prompt patching.

The static analysis reveals that 4 out of 7 total entry points are unprotected, specifically AJAX handlers, which is a critical finding. The absence of taint analysis results for unsanitized paths is positive, but the lack of detail on raw SQL queries and the specific nature of file operations and external HTTP requests leaves some room for potential hidden risks. The presence of nonce checks is positive, but their effectiveness is diminished by the unprotected AJAX endpoints.

In conclusion, while the plugin has strengths in its SQL handling and output escaping, the unprotected AJAX endpoints represent a clear and present danger. The historical vulnerability data, although every known CVE is currently patched, indicates a need for vigilance. A robust security strategy for this plugin would involve addressing the authentication gaps in its AJAX handlers and maintaining a proactive stance on patching any future discovered vulnerabilities.

Key Concerns

  • Unprotected AJAX handlers
  • History of medium severity CVEs
Vulnerabilities
4

Content Control – The Ultimate Content Restriction Plugin! Restrict Content, Create Conditional Blocks & More Security Vulnerabilities

CVEs by Year

2022: 1 CVE
2024: 1 CVE
2025: 2 CVEs

Severity Breakdown

Medium: 4

4 total CVEs

CVE-2025-47501 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Content Control <= 2.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

May 7, 2025 · Patched in 2.6.2 (7d)

CVE-2024-11153 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

Content Control – The Ultimate Content Restriction Plugin! Restrict Content, Create Conditional Blocks & More <= 2.5.0 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure

Mar 4, 2025 · Patched in 2.6.0 (14d)

CVE-2024-0615 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

Content Control <= 2.1.0 - Missing Authorization to Sensitive Information Exposure

Apr 16, 2024 · Patched in 2.2.0 (105d)

CVE-2022-4509 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Content Control <= 1.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Dec 29, 2022 · Patched in 1.1.10 (390d)

Code Analysis
Analyzed Mar 16, 2026

Content Control – The Ultimate Content Restriction Plugin! Restrict Content, Create Conditional Blocks & More Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (7 prepared)
Unescaped Output: 16 (164 escaped)
Nonce Checks: 8
Capability Checks: 35
File Operations: 4
External Requests: 7
Bundled Libraries: 0

SQL Query Safety

88% prepared · 8 total queries

Output Escaping

91% escaped · 180 total outputs

Attack Surface
4 unprotected

Content Control – The Ultimate Content Restriction Plugin! Restrict Content, Create Conditional Blocks & More Attack Surface

Entry Points: 7
Unprotected: 4

AJAX Handlers 6

auth · wp_ajax_content_control_review_action · classes\Controllers\Admin\Reviews.php:54
auth · wp_ajax_content_control_connect_verify_connection · classes\Controllers\Admin\SettingsPage.php:28
nopriv · wp_ajax_content_control_connect_verify_connection · classes\Controllers\Admin\SettingsPage.php:29
auth · wp_ajax_content_control_connect_webhook · classes\Controllers\Admin\SettingsPage.php:30
nopriv · wp_ajax_content_control_connect_webhook · classes\Controllers\Admin\SettingsPage.php:31
auth · wp_ajax_content_control_upgrades · classes\Controllers\Admin\Upgrades.php:44

Shortcodes 1

[content_control] · classes\Controllers\Shortcodes.php:28

WordPress Hooks 93

action · init · classes\Controllers\Admin\Reviews.php:53
action · admin_notices · classes\Controllers\Admin\Reviews.php:65
action · network_admin_notices · classes\Controllers\Admin\Reviews.php:66
action · user_admin_notices · classes\Controllers\Admin\Reviews.php:67
action · admin_menu · classes\Controllers\Admin\SettingsPage.php:25
action · admin_enqueue_scripts · classes\Controllers\Admin\SettingsPage.php:26
action · admin_init · classes\Controllers\Admin\Upgrades.php:43
filter · content_control/settings-page_localized_vars · classes\Controllers\Admin\Upgrades.php:45
action · content_control/update_version · classes\Controllers\Admin\Upgrades.php:46
action · admin_notices · classes\Controllers\Admin\Upgrades.php:56
action · network_admin_notices · classes\Controllers\Admin\Upgrades.php:57
action · user_admin_notices · classes\Controllers\Admin\Upgrades.php:58
filter · plugin_action_links · classes\Controllers\Admin\UserExperience.php:24
action · admin_enqueue_scripts · classes\Controllers\Admin\WidgetEditor.php:30
action · in_widget_form · classes\Controllers\Admin\WidgetEditor.php:31
filter · widget_update_callback · classes\Controllers\Admin\WidgetEditor.php:32
action · wp_enqueue_scripts · classes\Controllers\Assets.php:29
action · admin_enqueue_scripts · classes\Controllers\Assets.php:30
action · wp_print_scripts · classes\Controllers\Assets.php:31
action · admin_print_scripts · classes\Controllers\Assets.php:32
action · enqueue_block_editor_assets · classes\Controllers\BlockEditor.php:28
action · enqueue_block_assets · classes\Controllers\BlockEditor.php:29
filter · content_control/get_rest_api_intent · classes\Controllers\Compatibility\BetterDocs.php:23
filter · content_control/protection_is_disabled · classes\Controllers\Compatibility\Divi.php:24
filter · content_control/post_types_to_ignore · classes\Controllers\Compatibility\Elementor.php:24
filter · content_control/protection_is_disabled · classes\Controllers\Compatibility\Elementor.php:25
filter · qm/outputter/html · classes\Controllers\Compatibility\QueryMonitor.php:29
action · content_control/restrict_main_query · classes\Controllers\Compatibility\TheEventsCalendar.php:24
filter · wp_redirect · classes\Controllers\Compatibility\TheEventsCalendar.php:45
filter · tec_events_views_v2_redirected · classes\Controllers\Compatibility\TheEventsCalendar.php:47
action · wp_loaded · classes\Controllers\Frontend\Blocks.php:32
filter · pre_render_block · classes\Controllers\Frontend\Blocks.php:33
filter · render_block · classes\Controllers\Frontend\Blocks.php:34
filter · content_control/should_hide_block · classes\Controllers\Frontend\Blocks.php:35
action · wp_print_styles · classes\Controllers\Frontend\Blocks.php:36
action · template_redirect · classes\Controllers\Frontend\Restrictions\MainQuery.php:39
filter · the_content · classes\Controllers\Frontend\Restrictions\PostContent.php:39
filter · get_the_excerpt · classes\Controllers\Frontend\Restrictions\PostContent.php:40
action · init · classes\Controllers\Frontend\Restrictions\QueryPosts.php:34
filter · the_posts · classes\Controllers\Frontend\Restrictions\QueryPosts.php:80
action · init · classes\Controllers\Frontend\Restrictions\QueryTerms.php:35
filter · get_terms · classes\Controllers\Frontend\Restrictions\QueryTerms.php:81
filter · rest_pre_dispatch · classes\Controllers\Frontend\Restrictions\RestAPI.php:32
filter · sidebars_widgets · classes\Controllers\Frontend\Widgets.php:31
filter · content_control/restricted_post_content · classes\Controllers\Frontend.php:45
filter · content_control/restricted_post_excerpt · classes\Controllers\Frontend.php:46
action · init · classes\Controllers\PostTypes.php:24
action · init · classes\Controllers\PostTypes.php:25
action · save_post_cc_restriction · classes\Controllers\PostTypes.php:26
filter · rest_pre_dispatch · classes\Controllers\PostTypes.php:27
filter · content_control/sanitize_restriction_settings · classes\Controllers\PostTypes.php:28
filter · content_control/validate_restriction_settings · classes\Controllers\PostTypes.php:29
action · rest_api_init · classes\Controllers\RestAPI.php:26
filter · register_post_type_args · classes\Controllers\RestAPI.php:29
filter · register_taxonomy_args · classes\Controllers\RestAPI.php:30
action · admin_menu · classes\Controllers\TrustedLogin.php:29
action · init · classes\Controllers\TrustedLogin.php:30
action · admin_notices · classes\Plugin\Autoloader.php:67
action · init · classes\Plugin\Core.php:58
action · init · classes\Plugin\License.php:65
action · content_control_license_status_check · classes\Plugin\License.php:66
action · admin_init · classes\Plugin\License.php:67
action · shutdown · classes\Plugin\Logging.php:71
action · admin_notices · classes\Plugin\Prerequisites.php:118
filter · pre_site_transient_update_plugins · classes\Plugin\Upgrader.php:165
filter · content_control/user_can_view_content · classes\QueryMonitor\Collector.php:54
action · content_control/restrict_main_query · classes\QueryMonitor\Collector.php:55
action · content_control/restrict_main_query_post · classes\QueryMonitor\Collector.php:56
filter · qm/output/menus · classes\QueryMonitor\Output.php:38
filter · qm/output/title · classes\QueryMonitor\Output.php:39
filter · qm/output/menu_class · classes\QueryMonitor\Output.php:40
action · plugins_loaded · content-control.php:107
filter · content_control/rule_engine/deprecated_rules · inc\deprecated.php:38
filter · content_control/user_roles · inc\deprecated.php:54
filter · content_control/restricted_post_content · inc\deprecated.php:70
filter · content_control/should_exclude_widget · inc\deprecated.php:86
filter · content_control/excerpt_length · inc\deprecated.php:102
action · content_control/update_version · inc\functions\options.php:103
filter · allowed_redirect_hosts · inc\functions\protections.php:30
filter · user_row_actions · vendor-prefixed\trustedlogin\client\src\Admin.php:125
action · admin_bar_menu · vendor-prefixed\trustedlogin\client\src\Admin.php:134
action · admin_menu · vendor-prefixed\trustedlogin\client\src\Admin.php:145
action · admin_enqueue_scripts · vendor-prefixed\trustedlogin\client\src\Admin.php:156
action · login_form_trustedlogin · vendor-prefixed\trustedlogin\client\src\Admin.php:183
action · login_enqueue_scripts · vendor-prefixed\trustedlogin\client\src\Admin.php:193
action · admin_notices · vendor-prefixed\trustedlogin\client\src\Admin.php:342
action · init · vendor-prefixed\trustedlogin\client\src\Endpoint.php:121
action · template_redirect · vendor-prefixed\trustedlogin\client\src\Endpoint.php:124
action · init · vendor-prefixed\trustedlogin\client\src\Endpoint.php:125
action · admin_init · vendor-prefixed\trustedlogin\client\src\Endpoint.php:126
filter · login_headertitle · vendor-prefixed\trustedlogin\client\src\Form.php:170
filter · login_headertext · vendor-prefixed\trustedlogin\client\src\Form.php:172
filter · login_headerurl · vendor-prefixed\trustedlogin\client\src\Form.php:175

Scheduled Events 1

content_control_license_status_check
Maintenance & Trust

Content Control – The Ultimate Content Restriction Plugin! Restrict Content, Create Conditional Blocks & More Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: May 27, 2025
PHP min version: 7.4
Downloads: 871K

Community Trust

Rating: 98/100
Number of ratings: 575
Active installs: 40K

Developer Profile

Content Control – The Ultimate Content Restriction Plugin! Restrict Content, Create Conditional Blocks & More Developer Profile

Daniel Iser

7 plugins · 828K total installs

Trust score: 68
Avg Security Score: 84/100
Avg Patch Time: 588 days

Detection Fingerprints

How We Detect Content Control – The Ultimate Content Restriction Plugin! Restrict Content, Create Conditional Blocks & More

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/content-control/assets/css/admin-settings.css
/wp-content/plugins/content-control/assets/js/admin-settings.js
/wp-content/plugins/content-control/assets/css/widget-editor.css
/wp-content/plugins/content-control/assets/js/widget-editor.js
Script Paths
/wp-content/plugins/content-control/assets/js/admin-settings.js
/wp-content/plugins/content-control/assets/js/widget-editor.js
Version Parameters
content-control-widget-editor-css
content-control-widget-editor-js

HTML / DOM Fingerprints

CSS Classes
content-control-root-container
Data Attributes
data-content-control-id
data-content-control-widget
JS Globals
contentControl.settingsPage.init
REST Endpoints
/wp-json/content-control/v1/settings