FeedWordPress Security & Risk Analysis

wordpress.org/plugins/feedwordpress

FeedWordPress syndicates content from feeds you choose into your WordPress weblog.

10K active installs · v2025.1211 · PHP + · WP 4.5+ · Updated Dec 11, 2025
Tags: aggregation, atom, feed, rss, syndication
Score: 97
A · Safe
CVEs total: 5
Unpatched: 0
Last CVE: Mar 4, 2024
Safety Verdict

Is FeedWordPress Safe to Use in 2026?

Generally Safe

Score 97/100

FeedWordPress has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: Mar 4, 2024 · Updated 3mo ago
Risk Assessment

The security posture of FeedWordPress v2025.1211 presents a mixed bag of strengths and significant concerns. While the plugin demonstrates good practices in output escaping (97%) and a strong utilization of prepared statements for SQL queries (47% is decent, though could be higher), the presence of 8 dangerous function calls, notably `unserialize`, warrants close attention. The attack surface is relatively small with 3 entry points, but critically, all 3 of these are unprotected AJAX handlers, posing a substantial risk for unauthorized actions. The taint analysis showing no critical or high severity flows is a positive sign, suggesting that direct code execution or data compromise through untrusted input might be less prevalent than other potential risks.

The plugin's vulnerability history, with 5 known CVEs including one critical, is a major red flag. The recurring themes of Authorization Bypass, SQL Injection, and Cross-site Scripting indicate persistent weaknesses in input validation and access control. The fact that the last vulnerability was in March 2024, and there are currently no unpatched CVEs, suggests that recent updates have addressed past issues, but the historical pattern raises concerns about the overall robustness of its security. The presence of critical vulnerabilities in its past, even if currently patched, points to a codebase that has historically been susceptible to severe exploits.

In conclusion, FeedWordPress v2025.1211 has made strides in areas like output sanitization and SQL query preparation. However, the unprotected AJAX handlers and the history of critical vulnerabilities, particularly those related to authorization and injection, represent significant security weaknesses that require careful management. The presence of `unserialize` without explicit context on its usage also introduces a potential attack vector that should be carefully reviewed.

Key Concerns

  • Unprotected AJAX handlers
  • Dangerous function: unserialize
  • Historical critical CVE
  • 1 critical CVE in history
  • Authorization Bypass CVEs
  • SQL Injection CVEs
  • XSS CVEs
Vulnerabilities
5

FeedWordPress Security Vulnerabilities

CVEs by Year

  • 2015: 3 CVEs
  • 2022: 1 CVE
  • 2024: 1 CVE

Severity Breakdown

  • Critical: 1
  • Medium: 4

5 total CVEs

CVE-2024-0839 · medium · 5.3 · Authorization Bypass Through User-Controlled Key

FeedWordPress <= 2022.0222 - Insecure Direct Object Reference

Mar 4, 2024 · Patched in 2024.0428 (148d)

CVE-2021-25055 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

FeedWordPress <= 2021.0713 - Reflected Cross-Site Scripting

Jan 18, 2022 · Patched in 2022.0123 (735d)

CVE-2015-4018 · critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

FeedWordPress < 2015.0514 - SQL Injection

May 19, 2015 · Patched in 2015.0514 (3171d)

CVE-2015-9358 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

FeedWordPress < 2015.0514 - Reflected Cross-Site Scripting

May 14, 2015 · Patched in 2015.0514 (3176d)

WF-e9178920-d865-45d3-bfdf-b8ad207d4546-feedwordpress · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

FeedWordPress < 2015.0426 - Cross-Site Scripting

Apr 26, 2015 · Patched in 2015.0426 (3194d)
Code Analysis
Analyzed Mar 16, 2026

FeedWordPress Code Analysis

  • Dangerous Functions: 8
  • Raw SQL Queries: 19 (17 prepared)
  • Unescaped Output: 31 (916 escaped)
  • Nonce Checks: 5
  • Capability Checks: 8
  • File Operations: 1
  • External Requests: 4
  • Bundled Libraries: 0

Dangerous Functions Found

  • unserialize · `$the_error = unserialize( $o_s_link->setting( 'update/error' ) );` · admin-ui.php:498
  • unserialize · `if ($meta and !is_array($meta)) : $meta = unserialize($meta); endif;` · feedwordpressboilerplatereformatter.shortcode.functions.php:39
  • unserialize · `if ($meta and !is_array($meta)) : $meta = unserialize($meta); endif;` · feedwordpressboilerplatereformatter.shortcode.functions.php:105
  • unserialize · `$custom_settings = unserialize($custom_settings);` · posts-page.php:426
  • unserialize · `? unserialize($page->link->settings['boilerplate rules'])` · posts-page.php:544
  • unserialize · `$oldError = unserialize($oldError);` · syndicatedlink.class.php:162
  • unserialize · `$default_custom_settings = unserialize($default_custom_settings);` · syndicatedlink.class.php:900
  • unserialize · `$custom_settings = unserialize($custom_settings);` · syndicatedlink.class.php:909

SQL Query Safety

47% prepared · 36 total queries

Output Escaping

97% escaped · 947 total outputs
Data Flows
All sanitized

Data Flow Analysis

2 flows
info_box (diagnostics-page.php:116)
Attack Surface
3 unprotected

FeedWordPress Attack Surface

Entry Points: 3
Unprotected: 3

AJAX Handlers 3

  • auth · wp_ajax_fwp_feeds · feedwordpress.php:1319
  • auth · wp_ajax_fwp_feedcontents · feedwordpress.php:1320
  • auth · wp_ajax_fwp_xpathtest · feedwordpress.php:1321
WordPress Hooks 68
  • action · feedwordpress_diagnostics_do_http_test · diagnostics-page.php:13
  • action · publish_post · feedwordpress.php:188
  • action · do_pings · feedwordpress.php:189
  • action · feedwordpress_update · feedwordpress.php:190
  • action · feedwordpress_update_complete · feedwordpress.php:191
  • action · admin_menu · feedwordpress.php:195
  • filter · cron_schedules · feedwordpress.php:520
  • filter · feedwordpress_update_complete · feedwordpress.php:523
  • filter · the_content · feedwordpress.php:551
  • filter · the_content · feedwordpress.php:552
  • action · atom_entry · feedwordpress.php:554
  • filter · post_link · feedwordpress.php:557
  • filter · post_type_link · feedwordpress.php:558
  • filter · the_permalink · feedwordpress.php:562
  • filter · the_permalink_rss · feedwordpress.php:563
  • filter · post_comments_feed_link · feedwordpress.php:565
  • filter · the_title · feedwordpress.php:576
  • filter · get_the_excerpt · feedwordpress.php:582
  • filter · the_content · feedwordpress.php:588
  • filter · the_content_rss · feedwordpress.php:594
  • action · admin_init · feedwordpress.php:602
  • action · admin_menu · feedwordpress.php:603
  • action · admin_notices · feedwordpress.php:604
  • action · admin_menu · feedwordpress.php:606
  • action · save_post · feedwordpress.php:607
  • action · admin_footer · feedwordpress.php:609
  • action · syndicated_feed_error · feedwordpress.php:611
  • action · wp_footer · feedwordpress.php:613
  • action · admin_footer · feedwordpress.php:614
  • action · init · feedwordpress.php:622
  • action · wp_loaded · feedwordpress.php:623
  • action · shutdown · feedwordpress.php:625
  • action · shutdown · feedwordpress.php:626
  • action · wp_dashboard_setup · feedwordpress.php:627
  • filter · syndicated_item_content · feedwordpress.php:630
  • filter · syndicated_item_content · feedwordpress.php:631
  • action · plugins_loaded · feedwordpress.php:633
  • action · all_admin_notices · feedwordpress.php:634
  • filter · wp_feed_cache_transient_lifetime · feedwordpress.php:637
  • filter · page_row_actions · feedwordpress.php:718
  • filter · post_row_actions · feedwordpress.php:719
  • action · admin_print_scripts · feedwordpress.php:1283
  • action · admin_print_styles · feedwordpress.php:1286
  • action · template_redirect · feedwordpress.php:1313
  • filter · wp_mail_content_type · feedwordpress.php:2317
  • action · add_meta_boxes · feedwordpress.wp-admin.post-edit.functions.php:22
  • filter · user_can_richedit · feedwordpress.wp-admin.post-edit.functions.php:24
  • action · feedwordpress_check_feed · feedwordpressadminpage.class.php:73
  • action · feedwordpress_check_feed_complete · feedwordpressadminpage.class.php:74
  • filter · use_curl_transport · feedwordpresshttpauthenticator.class.php:6
  • filter · pre_http_request · feedwordpresshttpauthenticator.class.php:11
  • action · http_api_curl · feedwordpresshttpauthenticator.class.php:12
  • filter · xmlrpc_methods · feedwordpressrpc.class.php:8
  • action · feedwordpress_check_feed · feedwordpresssyndicationpage.class.php:1350
  • action · feedwordpress_check_feed_complete · feedwordpresssyndicationpage.class.php:1351
  • action · add_meta_boxes · inspectpostmeta.class.php:12
  • filter · feedwordpress_update_complete · syndicatedlink.class.php:61
  • action · transition_post_status · syndicatedpost.class.php:1657
  • action · _wp_put_post_revision · syndicatedpost.class.php:1719
  • action · transition_post_status · syndicatedpost.class.php:1745
  • action · transition_post_status · syndicatedpost.class.php:1754
  • filter · content_save_pre · syndicatedpost.class.php:1828
  • action · init · syndicationdataqueries.class.php:5
  • action · parse_query · syndicationdataqueries.class.php:6
  • filter · posts_search · syndicationdataqueries.class.php:7
  • filter · posts_where · syndicationdataqueries.class.php:8
  • filter · posts_fields · syndicationdataqueries.class.php:9
  • filter · posts_request · syndicationdataqueries.class.php:10

Scheduled Events 1

do_pings
Maintenance & Trust

FeedWordPress Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 11, 2025
PHP min version
Downloads: 1.3M

Community Trust

Rating: 84/100
Number of ratings: 61
Active installs: 10K
Developer Profile

FeedWordPress Developer Profile

C. Johnson

2 plugins · 10K total installs

Trust score: 66
Avg Security Score: 81/100
Avg Patch Time: 2085 days
Detection Fingerprints

How We Detect FeedWordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/feedwordpress/css/feedwordpress.css
  • /wp-content/plugins/feedwordpress/css/admin.css
  • /wp-content/plugins/feedwordpress/css/inspect.css
  • /wp-content/plugins/feedwordpress/js/feedwordpress.js
  • /wp-content/plugins/feedwordpress/js/jquery.tablesorter.min.js
  • /wp-content/plugins/feedwordpress/js/postmeta.js

Version Parameters

  • feedwordpress/css/feedwordpress.css?ver=
  • feedwordpress/css/admin.css?ver=
  • feedwordpress/css/inspect.css?ver=
  • feedwordpress/js/feedwordpress.js?ver=
  • feedwordpress/js/jquery.tablesorter.min.js?ver=
  • feedwordpress/js/postmeta.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • feedwordpress
  • feedwordpress-settings
  • feedwordpress-admin
  • feedwordpress-diagnostic
  • feedwordpress-syndication
  • feedwordpress-inspect-post-meta
  • feedwordpress-link-settings
  • feedwordpress-syndication-settings

HTML Comments

  • <!-- FeedWordPress Admin Page -->
  • <!-- FeedWordPress Diagnostic Page -->
  • <!-- FeedWordPress Syndication Page -->
  • <!-- FeedWordPress Post Meta Inspector -->
  • +4 more

Data Attributes

  • data-feedwordpress-id
  • data-feedwordpress-url
  • data-feedwordpress-post-id

JS Globals

  • feedwordpress
  • FeedWordPressDebug
  • FeedWordPressData