Experience Manager Security & Risk Analysis

wordpress.org/plugins/experience-manager

Do not treat all your customers the same, create a digital experience!

0 active installs · v4.4.0 · PHP + WP 4.4.1+ · Updated Jun 23, 2020
Tags: behaviour-targets, personalization, product-targeting, targeting, user-experience

Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Experience Manager Safe to Use in 2026?

Generally Safe

Score 85/100

Experience Manager has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 5yr ago
Risk Assessment

The 'experience-manager' plugin v4.4.0 presents a mixed security posture. On the positive side, it demonstrates good practice by using prepared statements for all SQL queries and has no known past or current CVEs, suggesting a generally well-maintained codebase. The absence of dangerous functions and of critical or high-severity taint flows is also reassuring.

However, significant concerns arise from the large, unprotected attack surface. A notable 18 of 20 entry points, including all AJAX handlers and REST API routes, lack proper authentication or permission checks. This creates a substantial risk of unauthorized access and manipulation. Additionally, the low share of properly escaped output (25%) indicates a high likelihood of cross-site scripting (XSS) vulnerabilities. The presence of file operations and external HTTP requests, while not inherently problematic, becomes riskier when combined with the lack of input validation on these entry points.

Overall, while the plugin has avoided historical vulnerabilities and uses secure database practices, the current version's open attack surface and widespread output-escaping gaps pose serious risks. These factors significantly outweigh the positive aspects, making the plugin's security posture weak and requiring immediate attention to secure its entry points and improve output sanitization.

Key Concerns

  • Unprotected AJAX handlers
  • Unprotected REST API routes
  • Low output escaping percentage
  • Low number of capability checks
  • Low number of nonce checks
  • Flows with unsanitized paths
Vulnerabilities
None known

Experience Manager Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

Experience Manager Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (15 prepared)
Unescaped Output: 89 (29 escaped)
Nonce Checks: 1
Capability Checks: 3
File Operations: 10
External Requests: 5
Bundled Libraries: 1

Bundled Libraries

TinyMCE

SQL Query Safety

100% prepared (15 total queries)

Output Escaping

25% escaped (118 total outputs)
Data Flows
1 unsanitized

Data Flow Analysis

1 flow, 1 with unsanitized paths
Flow: <class.request> (includes\class.request.php:0)
Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface
18 unprotected

Experience Manager Attack Surface

Entry Points: 20
Unprotected: 18

AJAX Handlers (15)

Access    Hook                              Location
auth      wp_ajax_tma_post_types            includes\backend\class.tma_ajax.php:19
auth      wp_ajax_tma_post_search           includes\backend\class.tma_ajax.php:20
auth      wp_ajax_tma_product_categories    includes\backend\class.tma_ajax.php:21
auth      wp_ajax_tma_categories            includes\backend\class.tma_ajax.php:22
auth      wp_ajax_exm_dashboard_main        includes\backend\class.tma_ajax.php:24
auth      wp_ajax_exm_dashboard_kpi         includes\backend\class.tma_ajax.php:25
auth      wp_ajax_exm_user                  includes\backend\content\class.content-ajax.php:32
nopriv    wp_ajax_exm_user                  includes\backend\content\class.content-ajax.php:33
auth      wp_ajax_exm_content               includes\backend\content\class.content-ajax.php:35
nopriv    wp_ajax_exm_content               includes\backend\content\class.content-ajax.php:36
auth      wp_ajax_exm_content_popups        includes\backend\content\class.content-ajax.php:38
nopriv    wp_ajax_exm_content_popups        includes\backend\content\class.content-ajax.php:39
auth      wp_ajax_exm_random_products       includes\backend\content\class.content-ajax.php:41
nopriv    wp_ajax_exm_ecom_load_products    includes\modules\ecommerce\class.ecommerce.php:13
auth      wp_ajax_exm_ecom_load_products    includes\modules\ecommerce\class.ecommerce.php:14

REST API Routes (3)

Method    Route                                              Location
GET       /wp-json/experience-manager/v1/segments            includes\class.tma_rest.php:23
GET       /wp-json/experience-manager/v1/events              includes\class.tma_rest.php:28
GET       /wp-json/experience-manager/v1/category-path       includes\class.tma_rest.php:33

Shortcodes (2)

[exm_content] includes\backend\content\class.content-shortcode.php:28
[tma_content] includes\frontend\class.shortcode_tma_content.php:57

WordPress Hooks (88)

Type      Hook                                                           Location
action    admin_enqueue_scripts                                          dependencies\class.settings-api.php:30
action    plugins_loaded                                                 experience-manager.php:33
action    init                                                           experience-manager.php:46
action    rest_api_init                                                  experience-manager.php:47
action    plugins_loaded                                                 experience-manager.php:48
action    init                                                           experience-manager.php:49
filter    plugin_row_meta                                                experience-manager.php:88
filter    tma_config                                                     experience-manager.php:111
action    wp_head                                                        experience-manager.php:124
action    admin_head                                                     experience-manager.php:125
filter    posts_where                                                    includes\backend\class.tma_ajax.php:250
action    save_post                                                      includes\backend\class.tma_hooks.php:29
action    load-post.php                                                  includes\backend\class.tma_metabox.php:31
action    load-post-new.php                                              includes\backend\class.tma_metabox.php:32
action    add_meta_boxes                                                 includes\backend\class.tma_metabox.php:40
action    save_post                                                      includes\backend\class.tma_metabox.php:42
action    admin_init                                                     includes\backend\class.tma_settings.php:16
action    admin_menu                                                     includes\backend\class.tma_settings.php:17
action    admin_init                                                     includes\backend\class.tma_shortcodes_plugin.php:30
filter    mce_buttons                                                    includes\backend\class.tma_shortcodes_plugin.php:36
filter    mce_external_plugins                                           includes\backend\class.tma_shortcodes_plugin.php:37
action    wp_enqueue_scripts                                             includes\backend\class.tma_wpadminbar.php:31
action    admin_bar_menu                                                 includes\backend\class.tma_wpadminbar.php:33
action    wp_enqueue_scripts                                             includes\backend\class.tma_wpadminbar.php:36
action    add_meta_boxes                                                 includes\backend\content\class.content-editor-metabox.php:27
action    save_post_exm_content                                          includes\backend\content\class.content-editor.php:28
filter    gutenberg_can_edit_post_type                                   includes\backend\content\class.content-editor.php:29
action    admin_enqueue_scripts                                          includes\backend\content\class.content-editor.php:30
filter    _wp_post_revision_field_exm_content_editor_html                includes\backend\content\class.content-editor.php:89
filter    _wp_post_revision_field_exm_content_editor_js                  includes\backend\content\class.content-editor.php:90
filter    _wp_post_revision_field_exm_content_editor_css                 includes\backend\content\class.content-editor.php:91
filter    _wp_post_revision_field_exm_content_settings                   includes\backend\content\class.content-editor.php:92
action    save_post                                                      includes\backend\content\class.content-editor.php:93
action    wp_restore_post_revision                                       includes\backend\content\class.content-editor.php:94
filter    _wp_post_revision_fields                                       includes\backend\content\class.content-editor.php:95
action    add_meta_boxes                                                 includes\backend\content\class.content-settings-metabox.php:27
action    init                                                           includes\backend\content\class.content-type.php:76
action    edit_form_after_title                                          includes\backend\content\class.content-type.php:78
action    admin_enqueue_scripts                                          includes\backend\segment\class.segment-editor-help.php:27
action    edit_form_top                                                  includes\backend\segment\class.segment-editor-help.php:29
action    admin_footer                                                   includes\backend\segment\class.segment-editor-help.php:31
action    add_meta_boxes                                                 includes\backend\segment\class.segment-editor-metabox.php:27
action    save_post_tma_segment                                          includes\backend\segment\class.segment-editor.php:27
action    delete_post                                                    includes\backend\segment\class.segment-editor.php:29
action    transition_post_status                                         includes\backend\segment\class.segment-editor.php:34
action    post_updated                                                   includes\backend\segment\class.segment-editor.php:35
filter    gutenberg_can_edit_post_type                                   includes\backend\segment\class.segment-editor.php:37
action    admin_enqueue_scripts                                          includes\backend\segment\class.segment-editor.php:40
action    post_submitbox_start                                           includes\backend\segment\class.segment-editor.php:42
action    admin_notices                                                  includes\backend\segment\class.segment-editor.php:44
action    init                                                           includes\backend\segment\class.segment-type.php:76
filter    advanced-ads-visitor-conditions                                includes\modules\ads\advanced\class.advanced_ads.php:30
filter    experience-manager/settings/fields                             includes\modules\class.integrations.php:32
filter    experience-manager/settings/sections                           includes\modules\class.integrations.php:33
filter    fl_builder_ui_bar_buttons                                      includes\modules\editors\beaver\class.beaverbuilder.preview.php:28
action    wp_enqueue_scripts                                             includes\modules\editors\beaver\class.beaverbuilder.preview.php:45
filter    fl_builder_register_settings_form                              includes\modules\editors\beaver\class.beaverbuilder_integration.php:33
filter    fl_builder_row_attributes                                      includes\modules\editors\beaver\class.beaverbuilder_integration.php:35
filter    fl_builder_column_attributes                                   includes\modules\editors\beaver\class.beaverbuilder_integration.php:36
filter    fl_builder_module_attributes                                   includes\modules\editors\beaver\class.beaverbuilder_integration.php:37
filter    wp_enqueue_scripts                                             includes\modules\editors\divi\class.divibuilder_integration.php:52
filter    get_terms                                                      includes\modules\editors\divi\class.divibuilder_integration.php:60
action    elementor/element/after_section_end                            includes\modules\editors\elementor\class.elementor_integration.php:40
action    elementor/frontend/before_render                               includes\modules\editors\elementor\class.elementor_integration.php:42
action    elementor/element/post/document_settings/after_section_end     includes\modules\editors\elementor\class.elementor_preview.php:37
action    elementor/frontend/after_register_scripts                      includes\modules\editors\elementor\class.elementor_preview.php:39
action    elementor/widget/render_content                                includes\modules\editors\elementor\class.elementor_preview.php:41
action    enqueue_block_editor_assets                                    includes\modules\editors\gutenberg\class.gutenberg_integration.php:29
filter    experience-manager/settings/fields                             includes\modules\events\class.ecommerce_events.php:73
filter    experience-manager/settings/sections                           includes\modules\events\class.ecommerce_events.php:74
action    edd_update_payment_status                                      includes\modules\events\class.edd_tracker.php:54
action    edd_post_add_to_cart                                           includes\modules\events\class.edd_tracker.php:55
action    edd_post_remove_from_cart                                      includes\modules\events\class.edd_tracker.php:56
action    woocommerce_order_status_changed                               includes\modules\events\class.woocommerce_tracker.php:44
action    woocommerce_add_to_cart                                        includes\modules\events\class.woocommerce_tracker.php:46
action    woocommerce_remove_cart_item                                   includes\modules\events\class.woocommerce_tracker.php:47
action    elementor/element/before_section_end                           includes\modules\messages\elementor\class.elementor-popup.php:28
action    wp_footer                                                      includes\modules\messages\elementor\class.elementor-popup.php:30
action    wp_enqueue_scripts                                             includes\modules\messages\popup-maker\class.popup-maker.php:28
filter    pum_registered_conditions                                      includes\modules\messages\popup-maker\class.popup-maker.php:31
filter    wppopups/rules/options                                         includes\modules\messages\wp-popups\class.wp-popups.php:22
filter    wppopups_rules/rule_values/exm_audience                        includes\modules\messages\wp-popups\class.wp-popups.php:24
filter    wppopups_rules_rule_match_exm_audience                         includes\modules\messages\wp-popups\class.wp-popups.php:26
filter    in_widget_form                                                 includes\widgets\class.widget_targeting.php:37
filter    widget_update_callback                                         includes\widgets\class.widget_targeting.php:38
filter    widget_display_callback                                        includes\widgets\class.widget_targeting.php:40
action    admin_enqueue_scripts                                          tma-scripts.php:7
action    wp_enqueue_scripts                                             tma-scripts.php:9

Maintenance & Trust

Experience Manager Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.4.19
Last updated: Jun 23, 2020
PHP min version: not listed
Downloads: 1K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 0
Developer Profile

Experience Manager Developer Profile

thmarx

2 plugins · 0 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Experience Manager

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/experience-manager/css/experience-manager.css

HTML / DOM Fingerprints

CSS Classes: tma_webtools_option
HTML Comments: <!-- This script has to be in page as early as possible, so usage of wp_enqueue_script is not an option -->
JS Globals: TMA_CONFIG
REST Endpoints: /wp-json/tma_experience_manager/
FAQ

Frequently Asked Questions about Experience Manager