Dynamic User Directory Security & Risk Analysis

wordpress.org/plugins/dynamic-user-directory

Powerful and feature-rich user directory based on user profile meta fields.

1K active installs v2.4 PHP + WP 3.0.1+ Updated Nov 11, 2025
Tags: buddypress, member-directory, memberpress, user-directory, user-registration
Score: 99 (A · Safe)
CVEs total: 1
Unpatched: 0
Last CVE: Oct 21, 2025
Safety Verdict

Is Dynamic User Directory Safe to Use in 2026?

Generally Safe

Score 99/100

Dynamic User Directory has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Oct 21, 2025 · Updated 4mo ago
Risk Assessment

The dynamic-user-directory plugin v2.4 exhibits a mixed security posture. While it benefits from having no unpatched CVEs and a relatively small attack surface with a single shortcode entry point, significant concerns arise from the code analysis. The presence of the `unserialize` function without clear context regarding its input source is a critical red flag, as unserialization vulnerabilities can lead to remote code execution. Furthermore, the low percentage of properly escaped output (37%) indicates a high risk of Cross-Site Scripting (XSS) vulnerabilities, especially considering the plugin's past vulnerability history, which includes an XSS issue. The taint analysis, while showing no critical or high severity flows, did reveal unsanitized paths, which, combined with the unescaped output and `unserialize` function, increases the attack surface for potential exploits.

Despite the absence of unpatched CVEs and the use of prepared statements for a majority of SQL queries, the identified code signals and past vulnerability patterns suggest a need for caution. The lack of nonce checks and capability checks (only one present) on potential entry points, coupled with the `unserialize` function, presents a tangible risk. The plugin's history of XSS vulnerabilities, even if previously patched, highlights a recurring weakness that, if not meticulously addressed, could resurface. Therefore, while the plugin has some good practices in place, the identified risks warrant careful consideration and potential remediation.

Key Concerns

  • Dangerous function: unserialize detected
  • Low output escaping percentage (37%)
  • Taint analysis: unsanitized paths detected (2 flows)
  • No nonce checks detected
  • Only 1 capability check detected
  • Past vulnerability history (XSS)
Vulnerabilities
1

Dynamic User Directory Security Vulnerabilities

CVEs by Year

1 CVE in 2025

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-62982 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Dynamic User Directory <= 2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Oct 21, 2025 Patched in 2.4 (24d)
Code Analysis
Analyzed Mar 16, 2026

Dynamic User Directory Code Analysis

  • Dangerous Functions: 1
  • Raw SQL Queries: 8 (15 prepared)
  • Unescaped Output: 284 (164 escaped)
  • Nonce Checks: 0
  • Capability Checks: 1
  • File Operations: 55
  • External Requests: 0
  • Bundled Libraries: 0

Dangerous Functions Found

unserialize: `$list_items = unserialize(stripslashes_deep($user_meta_fld));` (includes\core.php:2094)

SQL Query Safety

65% prepared · 23 total queries

Output Escaping

37% escaped · 448 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

4 flows · 2 with unsanitized paths
DynamicUserDirectoryAdminSettings (includes\admin.php:20)
Attack Surface

Dynamic User Directory Attack Surface

Entry Points: 1
Unprotected: 0

Shortcodes 1

[DynamicUserDirectory] includes\core.php:1837
WordPress Hooks 3
  • action: admin_menu (includes\admin.php:16)
  • filter: plugin_action_links (includes\admin.php:2661)
  • action: admin_init (includes\admin.php:2675)
Maintenance & Trust

Dynamic User Directory Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Nov 11, 2025
PHP min version
Downloads: 83K

Community Trust

Rating: 96/100
Number of ratings: 38
Active installs: 1K
Developer Profile

Dynamic User Directory Developer Profile

Sarah Giles

1 plugin · 1K total installs

Trust score: 93
Avg Security Score: 99/100
Avg Patch Time: 24 days
Detection Fingerprints

How We Detect Dynamic User Directory

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/dynamic-user-directory/js/jquery.user-directory.js
  • /wp-content/plugins/dynamic-user-directory/css/user-directory-admin.css
  • /wp-content/plugins/dynamic-user-directory/css/user-directory-public.css
Script Paths
  • https://kit.fontawesome.com/2e95a9bac3.js
  • https://cdnjs.cloudflare.com/ajax/libs/select2/4.0.3/js/select2.min.js
Version Parameters
  • dynamic-user-directory/js/jquery.user-directory.js?ver=
  • dynamic-user-directory/css/user-directory-admin.css?ver=
  • dynamic-user-directory/css/user-directory-public.css?ver=

HTML / DOM Fingerprints

CSS Classes
  • dud-directory-list
  • dud-listing
  • dud-alpha-links
  • dud-letter-divider
  • dud-search-form
  • dud-admin-settings-page
HTML Comments
  • <!-- Dynamic User Directory Settings -->
  • <!-- Dynamic User Directory Starts -->
  • <!-- Dynamic User Directory Ends -->
Data Attributes
  • data-dud-sort
  • data-dud-directory-type
  • data-dud-letter-divider
  • data-dud-avatar-style
  • data-dud-border-style
  • data-dud-meta-field-
  • +5 more
JS Globals
  • dud_plugin_settings
  • dud_options
  • dynamic_user_directory_url
Shortcode Output
  • [dynamic_user_directory]
  • [dynamic-user-directory]
  • [user-directory]
FAQ

Frequently Asked Questions about Dynamic User Directory