WP-Safety

Front End PM Security & Risk Analysis

wordpress.org/plugins/front-end-pm

Front End PM is a Private Messaging system and a secure contact form to your WordPress site.This is full functioning messaging system from front end.

5K active installs v11.4.5 PHP 5.6+ WP 4.4+ Updated Feb 12, 2025
chatcontact-formmessagemessagingprivate-message
92
A · Safe
CVEs total1
Unpatched0
Last CVENov 7, 2023
Plugin page Download
Safety Verdict

Is Front End PM Safe to Use in 2026?

Generally Safe

Score 92/100

Front End PM has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVELast CVE: Nov 7, 2023Updated 1yr ago
Risk Assessment

The plugin "front-end-pm" v11.4.5 exhibits a generally good security posture with a low attack surface and a significant number of protected entry points. The static analysis reveals a reasonable implementation of security best practices, including the use of prepared statements for a majority of SQL queries and a decent percentage of properly escaped output. The absence of dangerous functions and external HTTP requests are positive indicators.

However, there are areas of concern. The taint analysis identified two flows with unsanitized paths, which, while not reaching critical or high severity in this instance, represent a potential for vulnerabilities if exploited. The presence of file operations, even without explicit detail, warrants attention as it can be an avenue for attacks. The plugin's vulnerability history, though currently clear of unpatched issues, includes a past medium-severity CVE for "Exposure of Sensitive Information to an Unauthorized Actor." This suggests that while the developers have addressed past issues, the potential for such vulnerabilities may exist.

Overall, the plugin has strengths in its controlled attack surface and implementation of core security features. However, the identified unsanitized paths in the taint analysis and the historical vulnerability pattern necessitate ongoing vigilance. Developers should prioritize addressing the unsanitized paths and continue to rigorously audit code for potential information exposure risks.

Key Concerns

  • Flows with unsanitized paths found in taint analysis
  • SQL queries not using prepared statements
  • Output not properly escaped
  • Past medium severity vulnerability
  • Bundled Freemius library v1.0
Vulnerabilities
1

Front End PM Security Vulnerabilities

CVEs by Year

1 CVE in 2023
2023
Patched Has unpatched

Severity Breakdown

Medium
1

1 total CVE

CVE-2023-4930medium · 5.3Exposure of Sensitive Information to an Unauthorized Actor

Front End PM < 11.4.3 - Sensitive Information Exposure via Directory Listing

Nov 7, 2023 Patched in 11.4.3 (77d)
Code Analysis
Analyzed Mar 17, 2026

Front End PM Code Analysis

Dangerous Functions
0
Raw SQL Queries
18
36 prepared
Unescaped Output
188
334 escaped
Nonce Checks
12
Capability Checks
7
File Operations
7
External Requests
0
Bundled Libraries
1

Bundled Libraries

Freemius1.0

SQL Query Safety

67% prepared54 total queries

Output Escaping

64% escaped522 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

10 flows2 with unsanitized paths
fep_pagination_prev_next (functions.php:792)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Front End PM Attack Surface

Entry Points9
Unprotected0

AJAX Handlers 4

authwp_ajax_fep_update_ajaxadmin\class-fep-update.php:29
authwp_ajax_fep_review_notice_dismissincludes\class-fep-ajax.php:17
authwp_ajax_fep_ajax_att_deleteincludes\class-fep-ajax.php:18
authwp_ajax_fep_block_unblock_users_ajaxincludes\class-fep-ajax.php:20

Shortcodes 5

[front-end-pm] includes\class-fep-shortcodes.php:18
[fep_shortcode_new_message_count] includes\class-fep-shortcodes.php:19
[fep_shortcode_new_announcement_count] includes\class-fep-shortcodes.php:20
[fep_shortcode_message_to] includes\class-fep-shortcodes.php:21
[fep_shortcode_new_message_form] includes\class-fep-shortcodes.php:22
WordPress Hooks 120
actionadmin_menuadmin\class-fep-admin-pages.php:18
actionadmin_initadmin\class-fep-admin-pages.php:19
actionadmin_post_fep-editadmin\class-fep-admin-pages.php:20
filterwp_privacy_personal_data_exportersadmin\class-fep-admin-pages.php:21
filterwp_privacy_personal_data_erasersadmin\class-fep-admin-pages.php:22
actioninitadmin\class-fep-admin-pages.php:728
actionadmin_menuadmin\class-fep-admin-settings.php:18
actionadmin_enqueue_scriptsadmin\class-fep-admin-settings.php:19
actionadmin_initadmin\class-fep-admin-settings.php:20
actionadmin_noticesadmin\class-fep-admin-settings.php:21
actionadd_option_FEP_admin_optionsadmin\class-fep-admin-settings.php:23
actionupdate_option_FEP_admin_optionsadmin\class-fep-admin-settings.php:24
actionfep_action_after_admin_options_saveadmin\class-fep-admin-settings.php:25
actionpublish_pageadmin\class-fep-admin-settings.php:26
actioninitadmin\class-fep-admin-settings.php:1016
filterfep_admin_settings_tabsadmin\class-fep-pro-info.php:21
filterfep_settings_fieldsadmin\class-fep-pro-info.php:22
actionfep_admin_settings_field_output_oa_adminsadmin\class-fep-pro-info.php:23
actionfep_admin_settings_field_output_gm_groupsadmin\class-fep-pro-info.php:24
actionfep_admin_settings_field_output_rtr_blockadmin\class-fep-pro-info.php:25
actionadmin_initadmin\class-fep-pro-info.php:433
actionadmin_enqueue_scriptsadmin\class-fep-update.php:20
actionadmin_menuadmin\class-fep-update.php:21
actionadmin_noticesadmin\class-fep-update.php:22
actionadmin_post_fep_delete_alladmin\class-fep-update.php:23
actionadmin_initadmin\class-fep-update.php:25
actionadmin_initadmin\class-fep-update.php:26
actionadmin_initadmin\class-fep-update.php:27
actionfep_plugin_updateadmin\class-fep-update.php:30
filterfep_update_enable_version_checkadmin\class-fep-update.php:148
filterfep_require_manual_updateadmin\class-fep-update.php:149
actionfep_plugin_manual_updateadmin\class-fep-update.php:150
actionadmin_noticesadmin\class-fep-update.php:171
filterupload_diradmin\class-fep-update.php:633
filterupload_diradmin\class-fep-update.php:651
actioninitadmin\class-fep-update.php:665
actionplugins_loadeddefault-hooks.php:6
actionplugins_loadeddefault-hooks.php:7
actionafter_setup_themedefault-hooks.php:9
actionafter_setup_themedefault-hooks.php:10
actionwp_enqueue_scriptsdefault-hooks.php:11
actionwp_enqueue_scriptsdefault-hooks.php:12
actionadmin_enqueue_scriptsdefault-hooks.php:13
actionwp_headdefault-hooks.php:15
actionfep_footer_notedefault-hooks.php:16
actiontemplate_redirectdefault-hooks.php:17
filterauth_redirect_schemedefault-hooks.php:18
filterdocument_title_partsdefault-hooks.php:20
filterpre_get_document_titledefault-hooks.php:21
filterfep_pre_save_mgs_titledefault-hooks.php:23
filterfep_pre_save_mgs_contentdefault-hooks.php:26
filterfep_pre_save_mgs_contentdefault-hooks.php:28
filterfep_pre_save_mgs_contentdefault-hooks.php:29
filterfep_pre_save_mgs_last_reply_excerptdefault-hooks.php:31
filterfep_pre_save_mgs_last_reply_excerptdefault-hooks.php:33
filterfep_pre_save_mgs_last_reply_excerptdefault-hooks.php:34
filterfep_pre_save_mgs_typedefault-hooks.php:36
filterfep_pre_save_mgs_statusdefault-hooks.php:37
filterfep_filter_message_before_senddefault-hooks.php:39
actionwp_loadeddefault-hooks.php:40
actionfep_transition_post_statusdefault-hooks.php:41
actionfep_transition_post_statusdefault-hooks.php:42
filterfep_get_the_titledefault-hooks.php:45
filterfep_get_the_titledefault-hooks.php:46
filterfep_get_the_titledefault-hooks.php:47
filterfep_get_the_contentdefault-hooks.php:50
filterfep_get_the_contentdefault-hooks.php:51
filterfep_get_the_contentdefault-hooks.php:52
filterfep_get_the_contentdefault-hooks.php:53
filterfep_get_the_contentdefault-hooks.php:54
filterfep_get_the_contentdefault-hooks.php:55
filterfep_get_the_excerptdefault-hooks.php:57
filterfep_get_the_excerptdefault-hooks.php:58
filterfep_get_the_excerptdefault-hooks.php:59
filterfep_get_the_datedefault-hooks.php:61
actionafter_uninstallfront-end-pm.php:64
filtersupport_forum_urlfront-end-pm.php:66
actioninitincludes\class-fep-ajax.php:69
actionfep_transition_post_statusincludes\class-fep-announcements.php:17
filterfep_menu_buttonsincludes\class-fep-announcements.php:18
filterfep_menu_buttonsincludes\class-fep-announcements.php:20
filterfep_filter_switch_new_announcementincludes\class-fep-announcements.php:21
actionfep_posted_action_new_announcementincludes\class-fep-announcements.php:22
filterfep_filter_switch_announcementsincludes\class-fep-announcements.php:26
filterfep_filter_switch_view_announcementincludes\class-fep-announcements.php:27
actionfep_posted_bulk_announcement_bulk_actionincludes\class-fep-announcements.php:28
actionwp_loadedincludes\class-fep-announcements.php:322
actionfep_display_after_messageincludes\class-fep-attachment.php:42
actionfep_display_after_announcementincludes\class-fep-attachment.php:43
actiontemplate_redirectincludes\class-fep-attachment.php:44
actionfep_action_message_after_sendincludes\class-fep-attachment.php:47
actionfep_action_announcement_after_addedincludes\class-fep-attachment.php:48
filterupload_dirincludes\class-fep-attachment.php:65
filterupload_dirincludes\class-fep-attachment.php:233
actionwp_loadedincludes\class-fep-attachment.php:244
filterfep_menu_buttonsincludes\class-fep-directory.php:18
actionfep_switch_directoryincludes\class-fep-directory.php:19
actionfep_posted_bulk_directory_bulk_actionincludes\class-fep-directory.php:20
actionwp_loadedincludes\class-fep-directory.php:194
actionfep_status_to_publishincludes\class-fep-emails.php:24
actionfep_status_to_publishincludes\class-fep-emails.php:27
actionwp_loadedincludes\class-fep-emails.php:154
actionfep_menu_buttonincludes\class-fep-menu.php:18
actioninitincludes\class-fep-menu.php:77
actionfep_action_validate_formincludes\class-fep-messages.php:18
actionfep_action_validate_formincludes\class-fep-messages.php:19
actionfep_posted_bulk_bulk_actionincludes\class-fep-messages.php:20
actionwp_loadedincludes\class-fep-messages.php:390
actionrest_api_initincludes\class-fep-rest-api.php:17
actioninitincludes\class-fep-rest-api.php:300
actioninitincludes\class-fep-shortcodes.php:122
filterfep_menu_buttonsincludes\class-fep-user-settings.php:18
filterfep_filter_switch_settingsincludes\class-fep-user-settings.php:21
actionfep_posted_action_settingsincludes\class-fep-user-settings.php:22
actionfep_after_form_fieldsincludes\class-fep-user-settings.php:23
actionfep_action_form_validatedincludes\class-fep-user-settings.php:44
actioninitincludes\class-fep-user-settings.php:96
actionwidgets_initincludes\fep-widgets.php:78
actionwidgets_initincludes\fep-widgets.php:187
actionwidgets_initincludes\fep-widgets.php:270
Maintenance & Trust

Front End PM Maintenance & Trust

Maintenance Signals

WordPress version tested6.7.5
Last updatedFeb 12, 2025
PHP min version5.6
Downloads270K

Community Trust

Rating96/100
Number of ratings220
Active installs5K
Alternatives

Front End PM Alternatives

Better Messages – Live Chat, Chat Rooms, Real-Time Messaging & Private Messages

Better Messages – Live Chat, Chat Rooms, Real-Time Messaging & Private Messages

bp-better-messages

A
88

Real-time messaging and chat rooms for WordPress ecosystem: private conversations, public and private chat rooms, video & audio calls, and more.

10K 13 CVEs
BuddyPress Messaging Control

BuddyPress Messaging Control

bp-messaging-control

A
92

This plugin is a Swiss Army Knife for messaging, It allows the site admin to place restrictions on public and private messages including general rules &hellip;

80 No CVEs
BuddyPress Restrict Messages

BuddyPress Restrict Messages

buddypress-restrict-messages

A
92

This plugin allows the site admin to restrict who can send private messages or to enable the users to choose themselves.

70 No CVEs
Cloudburst Messenger Bubbles

Cloudburst Messenger Bubbles

cloudburst-messenger-bubbles

A
85

Adds a clean, easy-to-use "Messenger Bubble" block to represent chat conversations.

0 No CVEs
Facebook Chat Plugin – Live Chat Plugin for WordPress

Facebook Chat Plugin – Live Chat Plugin for WordPress

facebook-messenger-customer-chat

B
84

The Facebook Chat Plugin makes it easy for your website visitors to chat with you and ask you questions, even if they don't have Messenger.

90K 2 CVEs
Developer Profile

Front End PM Developer Profile

Shamim Hasan

6 plugins · 5K total installs

78
trust score
Avg Security Score
86/100
Avg Patch Time
77 days
View full developer profile
Detection Fingerprints

How We Detect Front End PM

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/front-end-pm/assets/js/admin.js/wp-content/plugins/front-end-pm/assets/css/admin.css/wp-content/plugins/front-end-pm/assets/css/fep.css/wp-content/plugins/front-end-pm/assets/css/bootstrap.min.css/wp-content/plugins/front-end-pm/assets/css/font-awesome.min.css
Script Paths
/wp-content/plugins/front-end-pm/assets/js/admin.js
Version Parameters
front-end-pm/assets/js/admin.js?ver=front-end-pm/assets/css/admin.css?ver=front-end-pm/assets/css/fep.css?ver=front-end-pm/assets/css/bootstrap.min.css?ver=front-end-pm/assets/css/font-awesome.min.css?ver=

HTML / DOM Fingerprints

CSS Classes
fep-contentfep-message-listfep-message-formfep-field-wrapperfep-message-subjectfep-message-datefep-message-sender-avatarfep-message-sender-name+18 more
HTML Comments
<!-- Do NOT Close the Div --><!-- Do Close the Div -->
Data Attributes
data-fep-recipientdata-fep-subjectdata-fep-messagedata-fep-attachment
JS Globals
fep_adminFEP_MAIN
REST Endpoints
/wp-json/fep/v1/messages/wp-json/fep/v1/message/wp-json/fep/v1/send
Shortcode Output
[front-end-pm][fep_messages][fep_compose_form][fep_message_form]
FAQ

Frequently Asked Questions about Front End PM