WP-Safety

Experience API for LifterLMS by Grassblade Security & Risk Analysis

wordpress.org/plugins/grassblade-xapi-lifterlms

This plugin enables the Experience API (xAPI / Tin Can) , SCORM 1.2 and SCORM 2004 support on the LifterLMS by integrating with GrassBlade xAPI Compan …

100 active installs v3.2 PHP 5.6+ WP 4.0+ Updated Feb 27, 2026
experience-apigrassbladelifterlmstin-canxapi
100
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is Experience API for LifterLMS by Grassblade Safe to Use in 2026?

Generally Safe

Score 100/100

Experience API for LifterLMS by Grassblade has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 1mo ago
Risk Assessment

The grassblade-xapi-lifterlms plugin, version 3.2, presents a mixed security posture. On the positive side, it has no recorded vulnerabilities (CVEs), indicating a history of responsible development or thorough past audits. The code also shows good practices in areas like SQL query preparation (86% prepared statements) and a reasonable number of capability checks (5). Taint analysis also reveals no critical or high-severity unsanitized flows, which is a strong indicator of data sanitization diligence.

However, there are significant concerns. The plugin exposes a single unprotected AJAX handler, which represents a direct attack vector. Furthermore, a concerningly low percentage (12%) of output is properly escaped, suggesting a high likelihood of Cross-Site Scripting (XSS) vulnerabilities. While there's a nonce check present, its effectiveness is questionable if it's not applied to the unprotected AJAX handler. The plugin also makes one external HTTP request, which, while not inherently dangerous, is an additional entry point that needs to be secured and monitored.

In conclusion, while the plugin benefits from a clean vulnerability history and good SQL practices, the presence of an unprotected AJAX handler and widespread unescaped output significantly increase its risk profile. These issues could allow for arbitrary code execution or data theft if exploited. Addressing these specific code-level concerns should be a priority.

Key Concerns

  • Unprotected AJAX handler
  • Low percentage of properly escaped output
  • External HTTP request without auth context
Vulnerabilities
None known

Experience API for LifterLMS by Grassblade Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Experience API for LifterLMS by Grassblade Code Analysis

Dangerous Functions
0
Raw SQL Queries
4
24 prepared
Unescaped Output
29
4 escaped
Nonce Checks
1
Capability Checks
5
File Operations
0
External Requests
1
Bundled Libraries
0

SQL Query Safety

86% prepared28 total queries

Output Escaping

12% escaped33 total outputs
Data Flows
All sanitized

Data Flow Analysis

4 flows
menu_page (functions.php:191)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
1 unprotected

Experience API for LifterLMS by Grassblade Attack Surface

Entry Points1
Unprotected1

AJAX Handlers 1

authwp_ajax_llms_add_xapi_contentfunctions.php:67
WordPress Hooks 61
actionadmin_menuaddon_plugins\functions.php:18
filterlearn-press/admin-default-scriptsaddon_plugins\functions.php:24
filterpre_http_requestaddon_plugins\functions.php:27
filterplugin_install_action_linksaddon_plugins\functions.php:203
filterplugin_install_action_linksaddon_plugins\functions.php:204
filterplugin_install_action_linksaddon_plugins\functions.php:313
actionadmin_menufunctions.php:33
actionplugins_loadedfunctions.php:34
actionadmin_noticesfunctions.php:51
filtergrassblade/groups/addon_filesfunctions.php:58
actionllms_after_lesson_buttonsfunctions.php:59
filterllms_field_settingsfunctions.php:61
actionlifterlms_before_start_quizfunctions.php:63
actionllms_builder_quiz_after_settingsfunctions.php:65
actiongrassblade_completedfunctions.php:69
actionafter_llms_mark_completefunctions.php:71
actionlifterlms_quiz_completedfunctions.php:73
actiongrassblade_course_startedfunctions.php:75
actionllms_user_enrolled_in_coursefunctions.php:77
actionllms_user_removed_from_coursefunctions.php:79
filtergrassblade_lms_mark_complete_button_idfunctions.php:81
filtergrassblade_lms_next_linkfunctions.php:83
filteradmin_headfunctions.php:85
actionadmin_enqueue_scriptsfunctions.php:87
filtergrassblade_get_coursesfunctions.php:90
filtergrassblade_get_course_content_idsfunctions.php:92
filtergrassblade_get_coursefunctions.php:94
filtergrassblade_lms_is_adminfunctions.php:96
filtergrassblade/reports/can_report_on_all_coursesfunctions.php:98
actionadmin_noticesfunctions.php:106
filtergrassblade_add_scripts_on_pagefunctions.php:110
actiongrassblade_edit_extra_messagefunctions.php:112
filtergb_block_datafunctions.php:113
filtersafe_style_cssfunctions.php:228
filtergrassblade_reports_menu_capgroups\lifter_groups.php:19
filtergrassblade_groupsgroups\lifter_groups.php:21
filtergrassblade_group_user_querygroups\lifter_groups.php:23
filtergrassblade_is_group_leadergroups\lifter_groups.php:25
filtergrassblade_group_leadersgroups\lifter_groups.php:27
filtergrassblade_is_group_leader_of_usergroups\lifter_groups.php:29
filtergrassblade/groups/get/group_typegroups\lifter_groups.php:31
filtergrassblade_lifterlms_get_coursesgroups\lifter_groups.php:33
actionwpgroups\lifter_groups.php:35
actionllms_user_group_enrollment_createdgroups\lifter_groups.php:37
actionllms_user_enrollment_deletedgroups\lifter_groups.php:39
actionllms_group_profile_main_reportsgroups\lifter_groups.php:52
filtergrassblade_groupsgroups\lifter_memberships.php:19
filtergrassblade_group_user_querygroups\lifter_memberships.php:21
filtergrassblade_is_group_leadergroups\lifter_memberships.php:23
filtergrassblade_group_leadersgroups\lifter_memberships.php:25
filtergrassblade_is_group_leader_of_usergroups\lifter_memberships.php:27
filtergrassblade/groups/get/group_typegroups\lifter_memberships.php:29
filtergrassblade_lifterlms_get_coursesgroups\lifter_memberships.php:31
filtergrassblade_reports_menu_capgroups\lifter_memberships.php:33
actionllms_user_membership_enrollment_createdgroups\lifter_memberships.php:35
actionllms_user_enrollment_deletedgroups\lifter_memberships.php:37
filtergrassblade/reports/show_achievement_reportreports_achievement_report\functions.php:7
filtergrassblade/reports/achievement_optionsreports_achievement_report\functions.php:8
filtergrassblade/reports/achievement_report/datareports_achievement_report\functions.php:9
filtergrassblade/reports/progress_snapshot/datareports_progress_snapshot_report\functions.php:6
filtergrassblade/reports/progress_snapshot/detailsreports_progress_snapshot_report\functions.php:7
Maintenance & Trust

Experience API for LifterLMS by Grassblade Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedFeb 27, 2026
PHP min version5.6
Downloads6K

Community Trust

Rating0/100
Number of ratings0
Active installs100
Alternatives

Experience API for LifterLMS by Grassblade Alternatives

Experience API for LearnPress by GrassBlade

Experience API for LearnPress by GrassBlade

grassblade-xapi-learnpress

A
100

This plugin enables the Experience API (xAPI / Tin Can), cmi5 , SCORM 1.2, SCORM 2004 and SCORM Dispatch on the LearnPress LMS by integrating with Gra …

200 No CVEs
Experience API for WP Courseware by Grassblade

Experience API for WP Courseware by Grassblade

grassblade-xapi-wp-courseware

A
100

This plugin enables the Experience API (xAPI / Tin Can), cmi5, SCORM 1.2 and SCORM 2004 support on the WP Courseware LMS by integrating with GrassBlad …

50 No CVEs
Experience API for MasterStudy by GrassBlade

Experience API for MasterStudy by GrassBlade

grassblade-xapi-masterstudy

A
100

This plugin enables the Experience API (xAPI / Tin Can) , SCORM 1.2, SCORM 2004 cmi5 standard content support on the MasterStudy LMS by integrating wi …

30 No CVEs
Experience API for Sensei LMS by GrassBlade

Experience API for Sensei LMS by GrassBlade

grassblade-xapi-sensei

A
100

This plugin enables the Experience API (xAPI / Tin Can) , SCORM 1.2 and SCORM 2004 support on the Sensei LMS by integrating with GrassBlade xAPI Compa …

20 No CVEs
Experience API for TutorLMS by GrassBlade

Experience API for TutorLMS by GrassBlade

grassblade-xapi-tutorlms

A
100

Experience API for TutorLMS plugin adds xAPI, SCORM, and cmi5 support to Tutor LMS by integrating with the GrassBlade xAPI Companion plugin.

200 No CVEs
Developer Profile

Experience API for LifterLMS by Grassblade Developer Profile

Pankaj Agrawal

21 plugins · 5K total installs

94
trust score
Avg Security Score
100/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Experience API for LifterLMS by Grassblade

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/grassblade-xapi-lifterlms/css/grassblade_lifterlms.css/wp-content/plugins/grassblade-xapi-lifterlms/js/grassblade_lifterlms.js/wp-content/plugins/grassblade-xapi-lifterlms/groups/lifter_groups.php/wp-content/plugins/grassblade-xapi-lifterlms/groups/lifter_memberships.php/wp-content/plugins/grassblade-xapi-lifterlms/reports_achievement_report/functions.php/wp-content/plugins/grassblade-xapi-lifterlms/reports_progress_snapshot_report/functions.php
Script Paths
/wp-content/plugins/grassblade-xapi-lifterlms/js/grassblade_lifterlms.js
Version Parameters
grassblade-xapi-lifterlms/css/grassblade_lifterlms.css?ver=grassblade-xapi-lifterlms/js/grassblade_lifterlms.js?ver=

HTML / DOM Fingerprints

CSS Classes
gb_meta_box_extra_messagegb_course_completion_tracking_notice_metabox
JS Globals
grassblade_addons_activate_plugin
FAQ

Frequently Asked Questions about Experience API for LifterLMS by Grassblade