CoSchedule Security & Risk Analysis

wordpress.org/plugins/coschedule-by-todaymade

The only marketing suite that helps you organize all of your marketing in one place.

3K active installs · v3.4.1 · PHP + WP 3.5+ · Updated Oct 17, 2025

Tags: content-marketing, content-marketing-calendar, drag-and-drop-editorial-calendar-plugin, editorial-calendar-plugin, social-media-scheduling

Score: 97
Grade: A · Safe
CVEs total: 3
Unpatched: 0
Last CVE: Nov 4, 2025
Safety Verdict

Is CoSchedule Safe to Use in 2026?

Generally Safe

Score 97/100

CoSchedule has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

3 known CVEs · Last CVE: Nov 4, 2025 · Updated 7mo ago
Risk Assessment

The coschedule-by-todaymade plugin v3.4.1 exhibits a mixed security posture. On the positive side, it demonstrates good practices regarding SQL queries, utilizing prepared statements exclusively, and a high percentage of output escaping. The absence of dangerous functions, file operations, and external HTTP requests is also commendable. However, a significant concern arises from the attack surface, with 10 out of 13 AJAX handlers lacking authentication checks, creating a broad entry point for potential attackers. The taint analysis reveals one high-severity flow with unsanitized paths, which, despite not being a critical vulnerability, warrants attention as it represents a potential avenue for exploitation if not properly handled. The plugin's vulnerability history shows a pattern of medium-severity issues, including missing authorization and information exposure, suggesting a recurring need for careful review of access controls and data handling. While there are no currently unpatched CVEs, the historical presence of these vulnerability types indicates a potential for future weaknesses if not addressed proactively.

Key Concerns

  • 10 unprotected AJAX handlers
  • 1 high severity taint flow with unsanitized paths
  • 3 medium severity historical CVEs (Missing Auth, Info Exposure, CSRF)
  • 3 nonce checks for 13 entry points
Vulnerabilities
3 published

CoSchedule Security Vulnerabilities

CVEs by Year

  • 2023: 1 CVE
  • 2025: 2 CVEs

Severity Breakdown

  • Medium: 3

3 total CVEs

CVE-2025-49913 · medium · 5.3 · Missing Authorization

CoSchedule <= 3.4.0 - Missing Authorization

Nov 4, 2025 · Patched in 3.4.1 (1d)

CVE-2025-60119 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

CoSchedule <= 3.3.11 - Unauthenticated Sensitive Information Exposure

Sep 26, 2025 · Patched in 3.4.0 (13d)

CVE-2022-47165 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

CoSchedule <= 3.3.8 - Cross-Site Request Forgery

Apr 13, 2023 · Patched in 3.3.9 (285d)
Code Analysis
Analyzed Mar 16, 2026

CoSchedule Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 6 (38 escaped)
  • Nonce Checks: 3
  • Capability Checks: 5
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 0

Output Escaping

86% escaped · 44 total outputs
Data Flows · Security
1 unsanitized

Data Flow Analysis

3 flows · 1 with unsanitized paths

  • <frame> (frame.php:0)
Attack Surface
10 unprotected

CoSchedule Attack Surface

Entry Points: 13
Unprotected: 10

AJAX Handlers (13)

  • auth · wp_ajax_tm_aj_trigger_cron · tm-scheduler.php:201
  • nopriv · wp_ajax_tm_aj_trigger_cron · tm-scheduler.php:202
  • auth · wp_ajax_tm_aj_get_bloginfo · tm-scheduler.php:206
  • nopriv · wp_ajax_tm_aj_get_bloginfo · tm-scheduler.php:207
  • auth · wp_ajax_tm_aj_set_token · tm-scheduler.php:210
  • auth · wp_ajax_tm_aj_check_token · tm-scheduler.php:213
  • nopriv · wp_ajax_tm_aj_check_token · tm-scheduler.php:214
  • auth · wp_ajax_tm_aj_set_custom_post_types · tm-scheduler.php:217
  • nopriv · wp_ajax_tm_aj_set_custom_post_types · tm-scheduler.php:218
  • auth · wp_ajax_tm_aj_action · tm-scheduler.php:221
  • nopriv · wp_ajax_tm_aj_action · tm-scheduler.php:222
  • auth · wp_ajax_tm_aj_deactivation · tm-scheduler.php:225
  • nopriv · wp_ajax_tm_aj_deactivation · tm-scheduler.php:226
WordPress Hooks (29)

  • action · init · tm-scheduler.php:157
  • action · load-post.php · tm-scheduler.php:160
  • action · save_post · tm-scheduler.php:161
  • action · delete_post · tm-scheduler.php:162
  • action · create_category · tm-scheduler.php:165
  • action · edited_category · tm-scheduler.php:166
  • action · delete_category · tm-scheduler.php:167
  • action · user_register · tm-scheduler.php:170
  • action · profile_update · tm-scheduler.php:171
  • action · delete_user · tm-scheduler.php:172
  • action · update_option_timezone_string · tm-scheduler.php:175
  • action · update_option_gmt_offset · tm-scheduler.php:176
  • action · update_option_blogname · tm-scheduler.php:179
  • action · wp_insert_post_data · tm-scheduler.php:182
  • filter · wp_insert_post_data · tm-scheduler.php:185
  • filter · posts_results · tm-scheduler.php:188
  • action · load-post.php · tm-scheduler.php:196
  • action · load-post-new.php · tm-scheduler.php:197
  • action · admin_menu · tm-scheduler.php:229
  • action · admin_menu · tm-scheduler.php:230
  • action · admin_menu · tm-scheduler.php:231
  • action · admin_menu · tm-scheduler.php:232
  • action · admin_init · tm-scheduler.php:235
  • action · add_meta_boxes · tm-scheduler.php:331
  • filter · tm_coschedule_save_post_callback_filter · tm-scheduler.php:589
  • filter · comments_open · tm-scheduler.php:682
  • filter · pings_open · tm-scheduler.php:683
  • filter · https_ssl_verify · tm-scheduler.php:1736
  • filter · https_local_ssl_verify · tm-scheduler.php:1737
Maintenance & Trust

CoSchedule Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.8.5
  • Last updated: Oct 17, 2025
  • PHP min version
  • Downloads: 511K

Community Trust

  • Rating: 92/100
  • Number of ratings: 188
  • Active installs: 3K
Developer Profile

CoSchedule Developer Profile

CoSchedule

3 plugins · 6K total installs

Trust score: 82
Avg Security Score: 91/100
Avg Patch Time: 81 days
Detection Fingerprints

How We Detect CoSchedule

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/coschedule-by-todaymade/css/coschedule.min.css
  • /wp-content/plugins/coschedule-by-todaymade/css/coschedule-editor-compat.css
  • /wp-content/plugins/coschedule-by-todaymade/css/coschedule-wordpress-admin.css
  • /wp-content/plugins/coschedule-by-todaymade/js/coschedule.min.js
  • /wp-content/plugins/coschedule-by-todaymade/js/coschedule-wordpress-admin.min.js
  • /wp-content/plugins/coschedule-by-todaymade/js/coschedule-wordpress-editor-compat.min.js
  • /wp-content/plugins/coschedule-by-todaymade/js/coschedule-wordpress-editor.min.js
Generator Patterns
  • CoSchedule
Script Paths
  • /wp-content/plugins/coschedule-by-todaymade/js/coschedule.min.js
  • /wp-content/plugins/coschedule-by-todaymade/js/coschedule-wordpress-admin.min.js
  • /wp-content/plugins/coschedule-by-todaymade/js/coschedule-wordpress-editor-compat.min.js
  • /wp-content/plugins/coschedule-by-todaymade/js/coschedule-wordpress-editor.min.js
Version Parameters
  • coschedule-by-todaymade/css/coschedule.min.css?ver=
  • coschedule-by-todaymade/css/coschedule-editor-compat.css?ver=
  • coschedule-by-todaymade/css/coschedule-wordpress-admin.css?ver=
  • coschedule-by-todaymade/js/coschedule.min.js?ver=
  • coschedule-by-todaymade/js/coschedule-wordpress-admin.min.js?ver=
  • coschedule-by-todaymade/js/coschedule-wordpress-editor-compat.min.js?ver=
  • coschedule-by-todaymade/js/coschedule-wordpress-editor.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • coschedule-calendar-view
  • coschedule-post-list
  • coschedule-editor-toolbar
  • coschedule-modal
  • coschedule-sync-button
HTML Comments
  • <!-- CoSchedule -->
Data Attributes
  • data-coschedule-id
  • data-coschedule-post-id
  • data-coschedule-sync-status
JS Globals
  • CoSchedule
  • coschedule
REST Endpoints
  • /wp-json/coschedule/v1/sync
  • /wp-json/coschedule/v1/post
  • /wp-json/coschedule/v1/calendar
Shortcode Output
  • [coschedule_calendar]
  • [coschedule_tasks]
FAQ

Frequently Asked Questions about CoSchedule