CrowdSec Security & Risk Analysis

wordpress.org/plugins/crowdsec

This plugin blocks detected attackers or shows them a captcha to check that they are not bots.

2K active installs · v2.13.1 · PHP 7.2+ · WP 4.9+ · Updated Jan 9, 2026

Tags: captcha, crowdsec, hacker-protection, ip-blocker, security

Score: 100
Grade: A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is CrowdSec Safe to Use in 2026?

Generally Safe

Score 100/100

CrowdSec has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 2 months ago
Risk Assessment

The CrowdSec plugin v2.13.1 exhibits a generally strong security posture based on the static analysis provided. The absence of any direct entry points like AJAX handlers, REST API routes, shortcodes, or cron events, coupled with a lack of known CVEs, is highly positive. The code signals also indicate good practices, such as 100% of SQL queries using prepared statements and a significant number of nonce and capability checks. The plugin also avoids bundled libraries and external HTTP requests, further reducing its attack surface.

However, there are areas that warrant attention. The taint analysis revealed one flow with an unsanitized path. While this did not result in a critical or high severity vulnerability according to the report, it represents a potential risk that should be investigated. Furthermore, a notable concern is the low percentage of properly escaped output (31%), which could expose the site to cross-site scripting (XSS) vulnerabilities if user-supplied data is not handled correctly in these instances. The presence of file operations, while not inherently risky, always demands careful scrutiny.

In conclusion, the CrowdSec plugin demonstrates a commendable commitment to security by minimizing its attack surface and following best practices in areas like SQL query handling. The vulnerability history being clean is a significant strength. Nevertheless, the identified unsanitized path in the taint analysis and the high number of unescaped outputs are genuine weaknesses that could be exploited. Addressing these specific issues should be a priority to further bolster the plugin's security.

Key Concerns

  • Taint flow with unsanitized path identified
  • Low percentage of properly escaped output
Vulnerabilities
None known

CrowdSec Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

CrowdSec Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 57 (26 escaped)
Nonce Checks: 9
Capability Checks: 0
File Operations: 2
External Requests: 0
Bundled Libraries: 0

Output Escaping

31% escaped (26 of 83 total outputs)
Data Flows
1 unsanitized

Data Flow Analysis

1 flow, 1 with an unsanitized path
<settings> (inc\templates\settings.php:0)
Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface

CrowdSec Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 17

  • action  plugins_loaded  (crowdsec.php:33)
  • action  upgrader_process_complete  (crowdsec.php:34)
  • action  network_admin_edit_crowdsec_advanced_settings  (inc\Admin\advanced-settings.php:15)
  • action  network_admin_notices  (inc\Admin\init.php:16)
  • action  admin_notices  (inc\Admin\init.php:18)
  • action  updated_option  (inc\Admin\init.php:29)
  • action  admin_post_crowdsec_clear_cache  (inc\Admin\init.php:344)
  • action  admin_post_crowdsec_refresh_cache  (inc\Admin\init.php:353)
  • action  admin_post_crowdsec_push_usage_metrics  (inc\Admin\init.php:362)
  • action  admin_post_crowdsec_prune_cache  (inc\Admin\init.php:371)
  • action  admin_post_crowdsec_test_connection  (inc\Admin\init.php:380)
  • action  admin_post_crowdsec_test_geolocation  (inc\Admin\init.php:391)
  • action  admin_enqueue_scripts  (inc\Admin\init.php:403)
  • action  admin_init  (inc\Admin\init.php:540)
  • action  network_admin_edit_crowdsec_settings  (inc\Admin\settings.php:10)
  • action  network_admin_edit_crowdsec_theme_settings  (inc\Admin\theme.php:6)
  • filter  cron_schedules  (inc\scheduling.php:15)
Maintenance & Trust

CrowdSec Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 9, 2026
PHP min version: 7.2
Downloads: 58K

Community Trust

Rating: 100/100
Number of ratings: 5
Active installs: 2K
Developer Profile

CrowdSec Developer Profile

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect CrowdSec

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/crowdsec-wp/assets/css/admin.css
  • /wp-content/plugins/crowdsec-wp/assets/js/crowdsec-admin.js
Script Paths
  • /wp-content/plugins/crowdsec-wp/assets/js/crowdsec-admin.js
Version Parameters
  • crowdsec-wp/assets/css/admin.css?ver=
  • crowdsec-wp/assets/js/crowdsec-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • crowdsec-admin-page
  • crowdsec-admin-notice
HTML Comments
  • <!-- CrowdSec Admin Notice -->
Data Attributes
  • data-crowdsec-clear-cache-url
  • data-crowdsec-refresh-cache-url
  • data-crowdsec-push-metrics-url
  • data-crowdsec-display-metrics-url
JS Globals
  • crowdsec_admin_params
REST Endpoints
  • /wp-json/crowdsec/v1/admin/clear_cache
  • /wp-json/crowdsec/v1/admin/refresh_cache
  • /wp-json/crowdsec/v1/admin/push_metrics
  • /wp-json/crowdsec/v1/admin/display_metrics
FAQ

Frequently Asked Questions about CrowdSec