Does Expire Users have any unpatched vulnerabilities?

Yes — Expire Users currently has 1 published unpatched vulnerability. We recommend switching to an alternative or applying any available workarounds.

Is Expire Users compatible with WordPress 6.8.5?

According to WordPress.org data, Expire Users 1.2.2 has been tested up to WordPress 6.8.5. Check the plugin's changelog for the latest compatibility information.

Is Expire Users compatible with PHP 7.4+?

Expire Users requires PHP 7.4 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Expire Users updated?

Expire Users was last updated on Sep 19, 2025. Frequent updates are generally a positive security signal.

What is Expire Users's security score?

Expire Users has a WP-Safety security score of 75/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Expire Users Security & Risk Analysis

wordpress.org/plugins/expire-users

Set expiry dates for user logins.

4K active installs v1.2.2 PHP 7.4+ WP 5.4+ Updated Sep 19, 2025

expireloginpasswordrolesusers

B · Generally Safe

CVEs total1

Unpatched1

Last CVEMar 20, 2026

Plugin page Download

Safety Verdict

Is Expire Users Safe to Use in 2026?

Mostly Safe

Score 75/100

Expire Users is generally safe to use. 1 past CVE were resolved.

1 known CVE 1 unpatched Last CVE: Mar 20, 2026Updated 8mo ago

Risk Assessment

The "expire-users" plugin v1.2.2 exhibits a generally strong security posture based on the provided static analysis. The absence of dangerous functions, file operations, and external HTTP requests, coupled with a commendable 100% of SQL queries using prepared statements, indicates good development practices regarding core security vulnerabilities. Furthermore, the presence of nonce checks and capability checks on entry points, alongside a lack of critical or high-severity taint analysis findings, suggests a well-sanitized codebase. The plugin's vulnerability history is also clear, with no known CVEs, which is a positive indicator of its stability and security over time.

However, the analysis does highlight a minor area for improvement: output escaping. With 79% of outputs properly escaped, there's a small percentage (21%) that remains unescaped. While not a critical flaw, this could potentially lead to cross-site scripting (XSS) vulnerabilities if user-supplied data is handled improperly in those specific instances. The attack surface, while small and reported as entirely protected, consists of two shortcodes, which are often areas where improper input handling can occur. Despite this minor concern, the plugin's overall security is robust, with a strong emphasis on preventing common and severe attack vectors.

Key Concerns

Outputs not properly escaped

Vulnerabilities

1 published

Expire Users Security Vulnerabilities

CVEs by Year

1 CVE in 2026 · unpatched

2026

Patched Has unpatched

Severity Breakdown

High

1 total CVE

CVE-2026-4261high · 8.8Missing Authorization

Expire Users <= 1.2.2 - Authenticated (Subscriber+) Privilege Escalation to Administrator via save_extra_user_profile_fields

Mar 20, 2026Unpatched

Version History

Expire Users Release Timeline

No version history available.

Code Analysis

Analyzed Mar 16, 2026

Expire Users Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

59 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

79% escaped75 total outputs

Attack Surface

Expire Users Attack Surface

Entry Points2

Unprotected0

Shortcodes 2

[expire_users_current_user_expire_date] includes\shortcodes.php:3

[expire_users_current_user_expire_countdown] includes\shortcodes.php:4

WordPress Hooks 42

actionadmin_initadmin\expire-user.php:17

actionshow_user_profileadmin\expire-user.php:20

actionedit_user_profileadmin\expire-user.php:21

actionuser_new_formadmin\expire-user.php:22

actionpersonal_options_updateadmin\expire-user.php:25

actionedit_user_profile_updateadmin\expire-user.php:26

actionuser_registeradmin\expire-user.php:27

actionadmin_print_stylesadmin\expire-user.php:30

actionadmin_enqueue_scriptsadmin\expire-user.php:31

filtermanage_users_columnsadmin\expire-user.php:34

actionmanage_users_custom_columnadmin\expire-user.php:35

filtermanage_users_sortable_columnsadmin\expire-user.php:38

actionpre_get_usersadmin\expire-user.php:39

filteruser_row_actionsadmin\expire-user.php:41

actionadmin_menuadmin\help.php:3

actionexpire_users_help_tabsadmin\help.php:4

actionload-users_page_expire_usersadmin\help.php:12

actionload-user-edit.phpadmin\help.php:13

filterplugin_row_metaadmin\plugin.php:3

filterplugin_action_links_expire-users/expire-users.phpadmin\plugin.php:4

actionadmin_initadmin\settings.php:6

actionadmin_menuadmin\settings.php:7

actionplugins_loadedexpire-users.php:40

actionexpire_user_cronincludes\cron.php:6

actionwpincludes\cron.php:7

filterauthenticateincludes\expire-users.php:13

filterallow_password_resetincludes\expire-users.php:14

filtershake_error_codesincludes\expire-users.php:15

actioninitincludes\expire-users.php:16

actionregister_formincludes\expire-users.php:17

actionuser_registerincludes\expire-users.php:18

actionexpire_users_expiredincludes\expire-users.php:19

actionexpire_users_expiredincludes\expire-users.php:20

actionexpire_users_expiredincludes\expire-users.php:21

actionexpire_users_expiredincludes\expire-users.php:22

actionexpire_users_expiredincludes\expire-users.php:23

filterexpire_users_email_notification_messageincludes\expire-users.php:24

filterexpire_users_email_admin_notification_messageincludes\expire-users.php:25

filterexpire_users_email_notification_subjectincludes\expire-users.php:26

filterexpire_users_email_admin_notification_subjectincludes\expire-users.php:27

filteroption_expire_users_notification_messageincludes\expire-users.php:28

filteroption_expire_users_notification_admin_messageincludes\expire-users.php:29

Scheduled Events 1

expire_user_cron

Maintenance & Trust

Expire Users Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5

Last updatedSep 19, 2025

PHP min version7.4

Downloads53K

Community Trust

Rating96/100

Number of ratings25

Active installs4K

Alternatives

Expire Users Alternatives

Expire User Passwords

expire-user-passwords

100

Require certain users to change their passwords on a regular basis.

3K No CVEs

Magic Login Mail or QR Code

magic-login-mail

Enter your email address, and send you an email with a magic link or QR Code to login without a password.

100 1 CVE

Simple Require Login

simple-require-login

Require login for content on a per page/post/custom post type basis. You can also select a specific role required to view the content.

100 No CVEs

Skeleton Key

skeleton-key

Gives administrators a skeleton key (their own password) to login as any user they'd like.

40 No CVEs

SafeTemp Login – Temporary Access with Approval

safetemplogin-tawa

100

Create temporary users with any role. When a temporary user is an administrator, sensitive actions require approval from a real administrator.

0 No CVEs

Developer Profile

Expire Users Developer Profile

Ben Huson

18 plugins · 21K total installs

trust score

Avg Security Score

85/100

Avg Patch Time

2 days

View full developer profile

Detection Fingerprints

How We Detect Expire Users

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/expire-users/admin/css/expire-user.css/wp-content/plugins/expire-users/admin/js/expire-user.js

Version Parameters

expire-users/admin/css/expire-user.css?ver=expire-users/admin/js/expire-user.js?ver=

HTML / DOM Fingerprints

CSS Classes

expire-user-expiredsubmitexpire

HTML Comments

+1 more

Data Attributes

data-expire-user-id

JS Globals

expire_users

FAQ