Inactive User Deleter Security & Risk Analysis

wordpress.org/plugins/inactive-user-deleter

If you wanna clean up a lot of fake or inactive user's registrations (usually made by spammers) by one operation - this tool will help you to do …

900 active installs · v1.65 · PHP + · WP 3.1.0+ · Updated Jun 15, 2024
delete-user · inactive-user · user · user-deleter · user-management
91
A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Apr 24, 2023
Safety Verdict

Is Inactive User Deleter Safe to Use in 2026?

Generally Safe

Score 91/100

Inactive User Deleter has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Apr 24, 2023 · Updated 1yr ago

Risk Assessment

The "inactive-user-deleter" plugin v1.65 exhibits a mixed security posture. While it demonstrates good practices by utilizing prepared statements for most SQL queries and includes nonce and capability checks, significant concerns arise from its attack surface and output handling. The presence of one AJAX handler without authentication checks is a direct gateway for potential attacks. Furthermore, a low percentage of properly escaped output (8%) suggests a high risk of Cross-Site Scripting (XSS) vulnerabilities, allowing attackers to inject malicious scripts into the user interface. The plugin also uses the `unserialize` function, which can be a vector for remote code execution if it processes untrusted data. Historically, the plugin has one high-severity vulnerability, which, though currently patched, highlights a past susceptibility to significant security flaws, specifically CSRF. This history, combined with the current lack of output escaping and the unprotected AJAX endpoint, paints a picture of a plugin that requires careful attention to mitigate potential risks.

Key Concerns

  • AJAX handler without auth checks
  • Low output escaping percentage
  • Use of unserialize function
  • Past high-severity vulnerability (CSRF)

Vulnerabilities: 1

Inactive User Deleter Security Vulnerabilities

CVEs by Year

1 CVE in 2023

Severity Breakdown

High: 1

1 total CVE

CVE-2023-27424 · high · 7.1 · Cross-Site Request Forgery (CSRF)

Inactive User Deleter <= 1.59 - Cross-Site Request Forgery via Multiple Functions

Apr 24, 2023 · Patched in 1.60 (274d)

Code Analysis
Analyzed Mar 16, 2026

Inactive User Deleter Code Analysis

Dangerous Functions: 2
Raw SQL Queries: 1 (8 prepared)
Unescaped Output: 175 (15 escaped)
Nonce Checks: 4
Capability Checks: 1
File Operations: 2
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

unserialize · `$UR['USL'] = @unserialize($UR['USL']);` · templates\users_list_csv.tpl.php:26
unserialize · `$UR['USL'] = @unserialize($UR['USL']);` · templates\users_list_html.tpl.php:69

SQL Query Safety

89% prepared · 9 total queries

Output Escaping

8% escaped · 190 total outputs

Data Flows
All sanitized

Data Flow Analysis

2 flows
toolpage (inactive-user-deleter.php:239)
Attack Surface
1 unprotected

Inactive User Deleter Attack Surface

Entry Points: 1
Unprotected: 1

AJAX Handlers: 1

auth · wp_ajax_iud_getCsvUserList · inactive-user-deleter.php:37

WordPress Hooks: 7

action · admin_menu · inactive-user-deleter.php:34
filter · plugin_action_links · inactive-user-deleter.php:35
action · init · inactive-user-deleter.php:41
action · wp_login · inactive-user-deleter.php:44
action · login_form · inactive-user-deleter.php:47
action · wp_login · inactive-user-deleter.php:48
filter · authenticate · inactive-user-deleter.php:50

Maintenance & Trust

Inactive User Deleter Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.5.8
Last updated: Jun 15, 2024
PHP min version
Downloads: 37K

Community Trust

Rating: 84/100
Number of ratings: 20
Active installs: 900

Developer Profile

Inactive User Deleter Developer Profile

Ashraful Sarkar Naiem

43 plugins · 19K total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 111 days
Detection Fingerprints

How We Detect Inactive User Deleter

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/inactive-user-deleter/css/style.css
  • /wp-content/plugins/inactive-user-deleter/css/jquery.dataTables.min.css
  • /wp-content/plugins/inactive-user-deleter/js/jquery.dataTables.min.js
  • /wp-content/plugins/inactive-user-deleter/js/bootstrap.min.js
  • /wp-content/plugins/inactive-user-deleter/js/jquery.dataTables.js
  • /wp-content/plugins/inactive-user-deleter/js/users.js
  • /wp-content/plugins/inactive-user-deleter/js/admin.js

Script Paths

  • /wp-content/plugins/inactive-user-deleter/js/jquery.dataTables.min.js
  • /wp-content/plugins/inactive-user-deleter/js/bootstrap.min.js
  • /wp-content/plugins/inactive-user-deleter/js/jquery.dataTables.js
  • /wp-content/plugins/inactive-user-deleter/js/users.js
  • /wp-content/plugins/inactive-user-deleter/js/admin.js

Version Parameters

  • inactive-user-deleter/css/style.css?ver=
  • inactive-user-deleter/css/jquery.dataTables.min.css?ver=
  • inactive-user-deleter/js/jquery.dataTables.min.js?ver=
  • inactive-user-deleter/js/bootstrap.min.js?ver=
  • inactive-user-deleter/js/jquery.dataTables.js?ver=
  • inactive-user-deleter/js/users.js?ver=
  • inactive-user-deleter/js/admin.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • iud-settings-tabs
  • iud-tab
  • iud-active
  • iud-main-content
  • iud-table-wrapper

HTML Comments

  • <!-- ENDPOINT: CSV user list export -->
  • <!-- admin_menu action implementation -->
  • <!-- ENDPOINT: Admin Page -->
  • <!-- IMPORTANT: You may need to install the Composer dependencies using: composer install -->
  • +4 more

Data Attributes

  • data-iud-user-id
  • data-iud-action

JS Globals

  • iud_params
  • iud_users_object

REST Endpoints

  • /wp-json/inactive-user-deleter/v1/settings

FAQ

Frequently Asked Questions about Inactive User Deleter