IdeaPush Security & Risk Analysis

wordpress.org/plugins/ideapush

IdeaPush is a feature request management system for WordPress

800 active installs · v8.73 · PHP 5.2.4+ · WP 4.0+ · Updated Dec 1, 2024

Tags: feature-request, idea, idea-collector, idea-board, push

Score: 88 (A · Safe)
CVEs total: 8
Unpatched: 0
Last CVE: Dec 27, 2024
Safety Verdict

Is IdeaPush Safe to Use in 2026?

Generally Safe

Score 88/100

IdeaPush has a strong security track record. Known vulnerabilities have been patched promptly.

8 known CVEs · Last CVE: Dec 27, 2024 · Updated 1yr ago
Risk Assessment

The ideapush v8.73 plugin exhibits a mixed security posture, with some positive signs but significant areas of concern that warrant attention. The plugin uses prepared statements for all of its SQL queries, and 56% of its outputs are properly escaped (a figure that is concerning but not extreme); however, the presence of an `unserialize` call is a critical red flag. The static analysis reveals a substantial attack surface of 29 entry points, 23 of which lack any authentication check. This large number of unprotected AJAX handlers gives attackers many ways to interact with the plugin without proper authorization.

The vulnerability history is also a significant concern. With 8 known CVEs, including 1 high and 7 medium severity issues, the plugin has a track record of security weaknesses. The common vulnerability types (Missing Authorization, CSRF, XSS) directly correlate with the findings in the static analysis, particularly the large number of unprotected entry points and the potential for insecure deserialization. While there are no currently unpatched vulnerabilities, the historical pattern suggests a persistent tendency towards exploitable flaws.

Overall, the plugin has some strengths like proper SQL handling, but these are overshadowed by critical weaknesses. The high number of unprotected AJAX endpoints, the presence of `unserialize`, and the extensive history of severe vulnerabilities collectively point to a plugin that requires significant remediation to be considered secure. The risk is elevated due to the combination of a broad attack surface with weak access controls and the potential for code execution or sensitive data compromise through deserialization and historical vulnerabilities.

Key Concerns

  • Large number of unprotected AJAX handlers
  • Dangerous function: unserialize present
  • History of 1 high severity CVE
  • History of 7 medium severity CVEs
  • Low percentage of properly escaped output (56%)
  • 13 flows with unsanitized paths
Vulnerabilities (8)

IdeaPush Security Vulnerabilities

CVEs by Year

2023: 2 CVEs
2024: 6 CVEs

Severity Breakdown

High: 1
Medium: 7

8 total CVEs

CVE-2025-24607 (medium · 5.3): Missing Authorization

IdeaPush <= 8.72 - Missing Authorization

Dec 27, 2024 · Patched in 8.73 (60d)

CVE-2024-11844 (medium · 4.3): Missing Authorization

IdeaPush <= 8.71 - Missing Authorization to Board Term Deletion

Dec 2, 2024 · Patched in 8.72 (1d)

CVE-2024-49275 (medium · 4.3): Cross-Site Request Forgery (CSRF)

IdeaPush <= 8.69 - Cross-Site Request Forgery

Oct 14, 2024 · Patched in 8.71 (5d)

CVE-2024-44041 (medium · 4.4): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

IdeaPush <= 8.66 - Authenticated (Administrator+) Stored Cross-Site Scripting

Sep 23, 2024 · Patched in 8.69 (10d)

CVE-2024-37461 (high · 7.2): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

IdeaPush <= 8.65 - Unauthenticated Stored Cross-Site Scripting

Jul 1, 2024 · Patched in 8.66 (9d)

CVE-2024-37265 (medium · 6.4): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

IdeaPush <= 8.60 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Jun 27, 2024 · Patched in 8.61 (6d)

CVE-2023-48774 (medium · 4.3): Missing Authorization

IdeaPush <= 8.57 - Missing Authorization

Nov 28, 2023 · Patched in 8.58 (56d)

CVE-2023-47181 (medium · 4.4): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

IdeaPush <= 8.52 - Authenticated (Administrator+) Stored Cross-Site Scripting

Oct 31, 2023 · Patched in 8.53 (84d)
Code Analysis
Analyzed Mar 16, 2026

IdeaPush Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 77 (98 escaped)
Nonce Checks: 4
Capability Checks: 14
File Operations: 0
External Requests: 2
Bundled Libraries: 0

Dangerous Functions Found

unserialize at inc\options\nbw.php:180: `$returned_object = unserialize(wp_remote_retrieve_body($response));`

Output Escaping

56% escaped (175 total outputs)
Data Flows (13 unsanitized)

Data Flow Analysis

20 flows, 13 with unsanitized paths
idea_push_create_idea (inc\functions\create-idea.php:3)
Attack Surface (23 unprotected)

IdeaPush Attack Surface

Entry Points: 29
Unprotected: 23

AJAX Handlers 28

Type | Hook | Location
auth | wp_ajax_add_taxonomy_item | ideapush.php:755
auth | wp_ajax_taxonomy_save_routine | ideapush.php:766
auth | wp_ajax_save_tab_memory | ideapush.php:1366
auth | wp_ajax_create_idea | inc\functions\create-idea.php:436
nopriv | wp_ajax_create_idea | inc\functions\create-idea.php:437
auth | wp_ajax_delete_idea | inc\functions\create-idea.php:482
nopriv | wp_ajax_delete_idea | inc\functions\create-idea.php:483
auth | wp_ajax_create_user | inc\functions\create-user.php:79
nopriv | wp_ajax_create_user | inc\functions\create-user.php:80
auth | wp_ajax_submit_vote | inc\functions\create-vote.php:348
nopriv | wp_ajax_submit_vote | inc\functions\create-vote.php:349
auth | wp_ajax_is_person_able_to_add_tag | inc\functions\helper-functions.php:279
nopriv | wp_ajax_is_person_able_to_add_tag | inc\functions\helper-functions.php:280
auth | wp_ajax_header_render | inc\functions\helper-functions.php:456
nopriv | wp_ajax_header_render | inc\functions\helper-functions.php:457
auth | wp_ajax_form_render | inc\functions\helper-functions.php:497
nopriv | wp_ajax_form_render | inc\functions\helper-functions.php:498
auth | wp_ajax_idea_push_delete_plugin_updates_transient | inc\functions\helper-functions.php:713
auth | wp_ajax_below_title_header | inc\functions\single-idea.php:398
nopriv | wp_ajax_below_title_header | inc\functions\single-idea.php:399
auth | wp_ajax_change_status | inc\functions\status-change.php:123
nopriv | wp_ajax_change_status | inc\functions\status-change.php:124
auth | wp_ajax_update_user_profile | inc\functions\update-user.php:5
nopriv | wp_ajax_update_user_profile | inc\functions\update-user.php:6
auth | wp_ajax_get_new_ideas | inc\shortcode\idea-list-items.php:567
nopriv | wp_ajax_get_new_ideas | inc\shortcode\idea-list-items.php:568
auth | wp_ajax_update_vote_counter | inc\shortcode\idea-list-items.php:956
nopriv | wp_ajax_update_vote_counter | inc\shortcode\idea-list-items.php:957

Shortcodes 1

[ideapush] inc\shortcode\ideaboard-shortcode.php:378
WordPress Hooks 43

Type | Hook | Location
action | init | ideapush.php:100
action | admin_init | ideapush.php:136
action | admin_init | ideapush.php:142
filter | option_page_capability_ip_notifications | ideapush.php:195
filter | option_page_capability_ip_statuses | ideapush.php:196
filter | option_page_capability_ip_design | ideapush.php:197
filter | option_page_capability_ip_idea_form | ideapush.php:198
filter | option_page_capability_ip_boards | ideapush.php:199
filter | option_page_capability_ip_licence | ideapush.php:200
filter | option_page_capability_ip_ideapush_support | ideapush.php:201
filter | option_page_capability_ip_ideapush_pro | ideapush.php:202
filter | option_page_capability_ip_integrations | ideapush.php:203
action | init | ideapush.php:223
action | init | ideapush.php:272
action | init | ideapush.php:321
action | init | ideapush.php:384
action | admin_menu | ideapush.php:480
action | admin_init | ideapush.php:481
action | admin_enqueue_scripts | ideapush.php:600
action | admin_enqueue_scripts | ideapush.php:618
action | wp_enqueue_scripts | ideapush.php:668
filter | body_class | ideapush.php:845
action | admin_menu | ideapush.php:851
action | admin_notices | ideapush.php:994
filter | manage_edit-idea_columns | ideapush.php:1000
action | manage_idea_posts_custom_column | ideapush.php:1022
filter | manage_edit-idea_sortable_columns | ideapush.php:1055
action | pre_get_posts | ideapush.php:1063
filter | template_include | ideapush.php:1081
action | init | ideapush.php:1105
action | pre_get_posts | ideapush.php:1112
action | wp_enqueue_scripts | ideapush.php:1195
filter | plugin_row_meta | ideapush.php:1344
filter | get_the_archive_title | ideapush.php:1373
action | add_meta_boxes | inc\functions\create-metaboxes.php:11
action | save_post_idea | inc\functions\create-metaboxes.php:55
filter | the_content | inc\functions\single-idea.php:124
action | post_updated | inc\functions\status-change.php:55
action | transition_post_status | inc\functions\status-change.php:350
action | show_user_profile | inc\functions\user-profile-meta.php:3
action | edit_user_profile | inc\functions\user-profile-meta.php:4
action | personal_options_update | inc\functions\user-profile-meta.php:55
action | edit_user_profile_update | inc\functions\user-profile-meta.php:56
Maintenance & Trust

IdeaPush Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Dec 1, 2024
PHP min version: 5.2.4
Downloads: 38K

Community Trust

Rating: 90/100
Number of ratings: 31
Active installs: 800
Developer Profile

IdeaPush Developer Profile

Northern Beaches Websites

6 plugins · 50K total installs

Trust score: 82
Avg Security Score: 92/100
Avg Patch Time: 72 days
Detection Fingerprints

How We Detect IdeaPush

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/ideapush/js/vue.js
/wp-content/plugins/ideapush/css/bootstrap.css
/wp-content/plugins/ideapush/css/style.css
/wp-content/plugins/ideapush/js/moment.min.js
/wp-content/plugins/ideapush/js/axios.min.js
/wp-content/plugins/ideapush/js/vue-router.min.js
/wp-content/plugins/ideapush/js/vue.js
/wp-content/plugins/ideapush/js/bootstrap.js
+1 more
Version Parameters
ideapush/style.css?ver=
ideapush/bootstrap.css?ver=
ideapush/app.js?ver=

HTML / DOM Fingerprints

CSS Classes
ideapush-board, ideapush-idea, ideapush-voting-button, ideapush-comment-form, ideapush-new-idea-form, ideapush-status-change, ideapush-tag-filter
HTML Comments
<!-- IdeaPush Pro version indicator -->
<!-- IdeaPush Voting Button -->
<!-- IdeaPush Comment Section -->
<!-- IdeaPush New Idea Form -->
Data Attributes
data-ideapush-board-id, data-ideapush-idea-id, data-ideapush-user-id, data-ideapush-vote-count, data-ideapush-action
JS Globals
ideapush_vue_app, ideapush_rest_api_url, ideapush_plugin_settings, ideapush_user_permissions
REST Endpoints
/wp-json/ideapush/v1/ideas
/wp-json/ideapush/v1/boards
/wp-json/ideapush/v1/comments
/wp-json/ideapush/v1/votes
Shortcode Output
[ideapush_boards], [ideapush_ideas], [ideapush_new_idea_form], [ideapush_idea_details]
FAQ

Frequently Asked Questions about IdeaPush