WP Fast Total Search – The Power of Indexed Search Security & Risk Analysis

wordpress.org/plugins/fulltext-search

Extends the default fulltext search with relevance, jet speed and ability to search any posts, metadata, taxonomy, shortcode content and more data.

1K active installs · v1.79.274 · PHP + WP 5.0+ · Updated Aug 21, 2025
Tags: better-search, extended-search, fulltext-search, relevant-search, search-pdf
Score: 94 (A · Safe)
CVEs total: 8
Unpatched: 0
Last CVE: Aug 22, 2025
Safety Verdict

Is WP Fast Total Search – The Power of Indexed Search Safe to Use in 2026?

Generally Safe

Score 94/100

WP Fast Total Search – The Power of Indexed Search has a strong security track record. Known vulnerabilities have been patched promptly.

8 known CVEs · Last CVE: Aug 22, 2025 · Updated 7mo ago
Risk Assessment

The "fulltext-search" plugin v1.79.274 exhibits a concerning security posture, despite some positive indicators. While the plugin largely utilizes prepared statements for SQL queries and performs proper output escaping, a significant portion of its attack surface remains unprotected. A substantial number of AJAX handlers and REST API routes lack authentication and authorization checks, presenting a direct path for unauthorized actions. The presence of dangerous functions like 'unserialize' and 'preg_replace' with the 'e' modifier, coupled with a history of 8 known CVEs, including a high-severity vulnerability, raises significant red flags. The common vulnerability types (Missing Authorization, XSS, CSRF) in its history suggest recurring weaknesses in input validation and access control. While there are currently no unpatched vulnerabilities, the plugin's historical pattern and the static analysis findings indicate a strong potential for future security issues if these fundamental weaknesses are not addressed.

Key Concerns

  • 18 unprotected entry points (AJAX, REST API)
  • 16 AJAX handlers without auth checks
  • 2 REST API routes without permission callbacks
  • Vulnerability history: 1 high severity CVE
  • Vulnerability history: 7 medium severity CVEs
  • Dangerous function: unserialize
  • Dangerous function: preg_replace(/e)
  • Taint analysis: 2 flows with unsanitized paths
  • Bundled library: Select2 (potential outdated version)
Vulnerabilities: 8

WP Fast Total Search – The Power of Indexed Search Security Vulnerabilities

CVEs by Year

2024: 4 CVEs
2025: 4 CVEs

Severity Breakdown

High: 1
Medium: 7
Total: 8 CVEs

CVE-2025-57893 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
WP Fast Total Search <= 1.79.270 - Cross-Site Request Forgery
Aug 22, 2025 · Patched in 1.79.274 (5d)

CVE-2025-30894 · medium · 4.3 · Missing Authorization
WP Fast Total Search <= 1.79.262 - Missing Authorization
Mar 27, 2025 · Patched in 1.79.264 (7d)

CVE-2025-24571 · medium · 4.3 · Missing Authorization
WP Fast Total Search <= 1.78.258 - Missing Authorization
Jan 24, 2025 · Patched in 1.79.262 (5d)

CVE-2025-24572 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
WP Fast Total Search <= 1.78.258 - Cross-Site Request Forgery
Jan 24, 2025 · Patched in 1.79.262 (5d)

CVE-2024-39663 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP Fast Total Search <= 1.68.232 - Unauthenticated Stored Cross-Site Scripting
Aug 1, 2024 · Patched in 1.69.234 (7d)

CVE-2024-38778 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
WP Fast Total Search <= 1.69.234 - Cross-Site Request Forgery
Jul 19, 2024 · Patched in 1.70.236 (7d)

CVE-2024-38714 · medium · 4.3 · Missing Authorization
WP Fast Total Search <= 1.68.232 - Missing Authorization
Jul 11, 2024 · Patched in 1.69.234 (7d)

CVE-2024-29799 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP Fast Total Search <= 1.59.211 - Authenticated (Contributor+) Stored Cross-Site Scripting via WPFTS Live Search Widget
Mar 25, 2024 · Patched in 1.60.213 (8d)

Code Analysis
Analyzed Mar 16, 2026

WP Fast Total Search – The Power of Indexed Search Code Analysis

Dangerous Functions: 6
Raw SQL Queries: 2 (93 prepared)
Unescaped Output: 42 (979 escaped)
Nonce Checks: 18
Capability Checks: 10
File Operations: 7
External Requests: 2
Bundled Libraries: 1

Dangerous Functions Found

preg_replace(/e) at compat\themes\divi\index.php:98:
    preg_replace( '@\[et_pb_post_nav[^\]]*?\].*?\[\/e
preg_replace(/e) at compat\themes\divi\index.php:105:
    preg_replace( '@\[embed[^\]]*?\].*?\[\/e
unserialize at includes\wpfts_core.php:924:
    $v = ($v && (strlen($v) > 0)) ? @unserialize($v) : array();
unserialize at includes\wpfts_core.php:928:
    $v = (strlen($v) > 0) ? @unserialize($v) : array();
unserialize at includes\wpfts_core.php:955:
    $v = (strlen($v) > 0) ? @unserialize($v) : array();
unserialize at includes\wpfts_utils.class.php:103:
    return @unserialize($res[0]['data']);

Bundled Libraries

Select2

SQL Query Safety

98% prepared (95 total queries)

Output Escaping

96% escaped (1021 total outputs)
Data Flows: 2 unsanitized

Data Flow Analysis

5 flows, 2 with unsanitized paths
SendFire (includes\wpfts_flare.php:26)
Attack Surface: 18 unprotected

WP Fast Total Search – The Power of Indexed Search Attack Surface

Entry Points: 22
Unprotected: 18

AJAX Handlers 19

nopriv · wp_ajax_wpfts_autocomplete · fulltext-search.php:278
auth · wp_ajax_wpfts_autocomplete · fulltext-search.php:279
nopriv · wp_ajax_wpfts_force_index · fulltext-search.php:281
auth · wp_ajax_wpfts_force_index · fulltext-search.php:282
auth · wp_ajax_wpftsi_ping · fulltext-search.php:336
auth · wp_ajax_wpftsi_set_pause · fulltext-search.php:337
auth · wp_ajax_wpftsi_hide_notification · fulltext-search.php:338
auth · wp_ajax_wpftsi_se_style_preview · fulltext-search.php:339
auth · wp_ajax_wpftsi_se_style_reset · fulltext-search.php:340
auth · wp_ajax_wpftsi_try_updatedb · fulltext-search.php:341
auth · wp_ajax_wpftsi_submit_testpost · fulltext-search.php:345
auth · wp_ajax_wpftsi_submit_testsearch · fulltext-search.php:346
auth · wp_ajax_wpftsi_submit_rebuild · fulltext-search.php:347
auth · wp_ajax_wpftsi_smartform · fulltext-search.php:348
auth · wp_ajax_wpftsi_submit_upgradeindex · fulltext-search.php:349
auth · wp_ajax_wpftsi_add_user_irule · fulltext-search.php:350
auth · wp_ajax_wpftsi_get_qlog_data · includes\wpfts_querylog.php:44
auth · wp_ajax_wpftsi_get_qlog_details · includes\wpfts_querylog.php:45
auth · wp_ajax_wpftsi_get_qlog_settings · includes\wpfts_querylog.php:46

REST API Routes 2

POST /wp-json/fulltext-search/v1/wpfts-livesearch-block-renderer · blocks\src\livesearch\renderer.php:14
POST /wp-json/fulltext-search/v1/wpfts-livesearch-get-presets · blocks\src\livesearch\renderer.php:20

Shortcodes 1

[wpfts_widget] · includes\wpfts_shortcodes.php:31

WordPress Hooks 62

action · init · blocks\src\livesearch\index.php:5
action · wp_enqueue_script · blocks\src\livesearch\index.php:21
action · rest_api_init · blocks\src\livesearch\renderer.php:11
action · plugins_loaded · compat\themes\avada\index.php:7
action · init · compat\themes\avada\index.php:67
action · avada_blog_post_content · compat\themes\avada\index.php:73
action · init · compat\themes\divi\index.php:7
action · plugins_loaded · compat\themes\divi\index.php:22
action · init · compat\themes\oceanwp\index.php:7
action · ocean_before_content_inner · compat\themes\oceanwp\index.php:46
filter · wp_trim_words · compat\themes\oceanwp\index.php:49
action · ocean_after_content_inner · compat\themes\oceanwp\index.php:52
action · plugins_loaded · compat\themes\scientia\index.php:7
action · plugins_loaded · compat\themes\sinatra\index.php:7
action · plugins_loaded · compat\themes\storefront\index.php:7
action · cron_schedules · fulltext-search.php:73
action · wpmu_new_blog · fulltext-search.php:99
action · wpfts_indexer_event · fulltext-search.php:115
action · wpfts_log_clean · fulltext-search.php:136
action · wp_enqueue_scripts · fulltext-search.php:147
action · init · fulltext-search.php:165
action · init · fulltext-search.php:167
filter · excerpt_more · fulltext-search.php:248
action · init · fulltext-search.php:270
filter · safe_style_css · fulltext-search.php:285
action · post_submitbox_misc_actions · fulltext-search.php:293
action · admin_menu · fulltext-search.php:329
filter · plugin_row_meta · fulltext-search.php:330
action · admin_enqueue_scripts · fulltext-search.php:334
action · init · fulltext-search.php:361
action · admin_head · fulltext-search.php:433
action · wp_head · fulltext-search.php:441
action · widgets_init · fulltext-search.php:443
action · plugins_loaded · fulltext-search.php:492
filter · plugin_action_links · fulltext-search.php:550
action · save_post · fulltext-search.php:639
action · after_delete_post · fulltext-search.php:650
filter · the_title · fulltext-search.php:700
filter · attachment_link · fulltext-search.php:731
filter · page_link · fulltext-search.php:761
filter · post_type_link · fulltext-search.php:791
filter · post_link · fulltext-search.php:821
filter · get_the_excerpt · fulltext-search.php:851
action · admin_notices · includes\wpfts_core.php:124
filter · wpfts_irule/content_open_shortcodes · includes\wpfts_core.php:127
filter · wpfts_irule/content_is_remove_nodes · includes\wpfts_core.php:128
filter · wpfts_irule/content_strip_tags · includes\wpfts_core.php:129
action · wpfts_init_addons · includes\wpfts_querylog.php:41
action · parse_query · includes\wpfts_querylog.php:50
action · pre_get_posts · includes\wpfts_querylog.php:51
action · pre_get_posts · includes\wpfts_search.php:36
filter · posts_search · includes\wpfts_search.php:37
filter · posts_search_orderby · includes\wpfts_search.php:38
filter · posts_where · includes\wpfts_search.php:39
filter · posts_join · includes\wpfts_search.php:40
filter · posts_distinct · includes\wpfts_search.php:41
filter · post_limits · includes\wpfts_search.php:42
filter · posts_fields · includes\wpfts_search.php:43
filter · posts_clauses · includes\wpfts_search.php:44
filter · posts_pre_query · includes\wpfts_search.php:46
filter · split_the_query · includes\wpfts_search.php:47
filter · the_posts · includes\wpfts_search.php:48

Scheduled Events 2

wpfts_indexer_event
wpfts_log_clean

Maintenance & Trust

WP Fast Total Search – The Power of Indexed Search Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Aug 21, 2025
PHP min version
Downloads: 68K

Community Trust

Rating: 88/100
Number of ratings: 28
Active installs: 1K

Developer Profile

WP Fast Total Search – The Power of Indexed Search Developer Profile

Epsiloncool

5 plugins · 1K total installs

Trust score: 96
Avg Security Score: 94/100
Avg Patch Time: 6 days
Detection Fingerprints

How We Detect WP Fast Total Search – The Power of Indexed Search

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/fulltext-search/style/wpfts_autocomplete.css
/wp-content/plugins/fulltext-search/js/wpfts_frontend.js
Script Paths
/wp-content/plugins/fulltext-search/js/wpfts_frontend.js
Version Parameters
fulltext-search/style/wpfts_autocomplete.css?ver=
fulltext-search/js/wpfts_frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
wp-block-post-excerpt__more-link
HTML Comments
SORRY, WP CORE DEVELOPERS, you had to think about filter that allow not to

FAQ

Frequently Asked Questions about WP Fast Total Search – The Power of Indexed Search