Experience API for WP Courseware by Grassblade Security & Risk Analysis

wordpress.org/plugins/grassblade-xapi-wp-courseware

This plugin enables the Experience API (xAPI / Tin Can), cmi5, SCORM 1.2 and SCORM 2004 support on the WP Courseware LMS by integrating with GrassBlad …

50 active installs · v3.1 · PHP 5.6+ · WP 4.0+ · Updated Sep 11, 2025
experience-api · grassblade · tin-can · wp-courseware · xapi
100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Experience API for WP Courseware by Grassblade Safe to Use in 2026?

Generally Safe

Score 100/100

Experience API for WP Courseware by Grassblade has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 6mo ago
Risk Assessment

The plugin "grassblade-xapi-wp-courseware" v3.1 presents a mixed security posture. On the positive side, it has no recorded vulnerabilities (CVEs), no known dangerous functions used, and a high percentage of its SQL queries utilize prepared statements. It also avoids bundled libraries, which can be a source of outdated or vulnerable code. However, the static analysis reveals significant concerns. The plugin exposes three AJAX handlers, all of which lack authentication checks, creating a substantial attack surface for unauthorized actions. Furthermore, a concerningly low percentage (42%) of its outputs are properly escaped, increasing the risk of cross-site scripting (XSS) vulnerabilities. The absence of nonce checks on the AJAX handlers compounds these risks. While the taint analysis shows no critical or high-severity flows, the combination of unprotected entry points and insufficient output escaping suggests a need for immediate attention to secure these areas.

Key Concerns

  • 3 unprotected AJAX handlers
  • Only 42% of outputs properly escaped
  • 0 Nonce checks on AJAX handlers
  • 2 Capability checks only
Vulnerabilities
None known

Experience API for WP Courseware by Grassblade Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Experience API for WP Courseware by Grassblade Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 3 (14 prepared)
Unescaped Output: 15 (11 escaped)
Nonce Checks: 0
Capability Checks: 2
File Operations: 0
External Requests: 1
Bundled Libraries: 0

SQL Query Safety

82% prepared · 17 total queries

Output Escaping

42% escaped · 26 total outputs
Attack Surface
3 unprotected

Experience API for WP Courseware by Grassblade Attack Surface

Entry Points: 3
Unprotected: 3

AJAX Handlers: 3

auth · wp_ajax_wpcw_add_xapi_content · functions.php:74
auth · wp_ajax_wpcw_create_xapi_quiz · functions.php:76
auth · wp_ajax_wpcw_get_xapi_content_id · functions.php:78

WordPress Hooks: 41

action · admin_menu · addon_plugins\functions.php:18
filter · learn-press/admin-default-scripts · addon_plugins\functions.php:24
filter · pre_http_request · addon_plugins\functions.php:27
filter · plugin_install_action_links · addon_plugins\functions.php:203
filter · plugin_install_action_links · addon_plugins\functions.php:204
filter · plugin_install_action_links · addon_plugins\functions.php:313
action · admin_menu · functions.php:28
action · plugins_loaded · functions.php:29
action · admin_notices · functions.php:39
action · admin_enqueue_scripts · functions.php:44
action · wp_print_scripts · functions.php:53
filter · the_content · functions.php:55
action · grassblade_completed · functions.php:57
filter · grassblade_is_show_hide_button · functions.php:59
filter · wpcw_front_completion_box · functions.php:62
filter · wpcw_front_completion_box_pending · functions.php:64
filter · grassblade_advance_completion_data · functions.php:66
filter · grassblade_post_completion_type · functions.php:68
filter · grassblade_completion_tracking_enabled · functions.php:70
filter · wpcw_quiz_pass_status_details · functions.php:72
action · wpcw_user_completed_unit · functions.php:80
action · wpcw_user_completed_module · functions.php:82
action · wpcw_user_completed_course · functions.php:84
action · wpcw_enroll_user · functions.php:86
action · wpcw_unenroll_user · functions.php:88
action · grassblade_course_started · functions.php:90
action · wpcw_unit_after_single_content · functions.php:92
filter · grassblade_lms_mark_complete_button_id · functions.php:94
filter · grassblade_lms_next_link · functions.php:95
filter · grassblade_get_courses · functions.php:98
filter · grassblade_get_course_content_ids · functions.php:100
filter · grassblade_get_course · functions.php:102
filter · grassblade_add_scripts_on_page · functions.php:108
action · grassblade_edit_extra_message · functions.php:110
filter · gb_block_data · functions.php:111
filter · wpcw_unit_quiz_allow_quiz_progress_without_questions · functions.php:763
filter · grassblade_shortcode_return · functions.php:778
filter · wpcw_unit_quiz_allow_quiz_progress_without_questions · functions.php:896
filter · wpcw_unit_quiz_allow_quiz_progress_without_questions · functions.php:938
filter · grassblade/reports/progress_snapshot/data · reports_progress_snapshot_report\functions.php:6
filter · grassblade/reports/progress_snapshot/details · reports_progress_snapshot_report\functions.php:7
Maintenance & Trust

Experience API for WP Courseware by Grassblade Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Sep 11, 2025
PHP min version: 5.6
Downloads: 4K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 50
Developer Profile

Experience API for WP Courseware by Grassblade Developer Profile

Pankaj Agrawal

21 plugins · 5K total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Experience API for WP Courseware by Grassblade

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/grassblade-xapi-wp-courseware/addon_plugins/functions.php
/wp-content/plugins/grassblade-xapi-wp-courseware/reports_progress_snapshot_report/functions.php
Script Paths
/wp-content/plugins/grassblade-xapi-wp-courseware/js/grassblade-wpcw.js
Version Parameters
grassblade-xapi-wp-courseware/css/wpcw-style.css?ver=
grassblade-xapi-wp-courseware/js/grassblade-wpcw.js?ver=

HTML / DOM Fingerprints

CSS Classes
gb_meta_box_extra_message
gb_course_completion_tracking_notice_metabox
HTML Comments
Completion Tracking is not supported on WP Courseware Course page.
Data Attributes
id="gb_meta_box_extra_message"
JS Globals
grassblade_wpcw_activate_plugin
WPCW_showPage_ModifyQuiz
REST Endpoints
/wp-json/grassblade/v1/wpcw_add_xapi_content
/wp-json/grassblade/v1/wpcw_create_xapi_quiz
/wp-json/grassblade/v1/wpcw_get_xapi_content_id
FAQ

Frequently Asked Questions about Experience API for WP Courseware by Grassblade