Init User Engine – Gamified, Fast, Frontend-First Security & Risk Analysis

wordpress.org/plugins/init-user-engine

Gamified user engine with EXP levels, Coin/Cash wallet, check-in, VIP, inbox, and referral – powered by REST API and Vanilla JS.

40 active installs · v1.4.6 · PHP 7.4+ · WP 5.5+ · Updated Feb 7, 2026
Tags: check-in, level, referral, user, vip
Score: 100 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Init User Engine – Gamified, Fast, Frontend-First Safe to Use in 2026?

Generally Safe

Score 100/100

Init User Engine – Gamified, Fast, Frontend-First has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 1mo ago
Risk Assessment

The "init-user-engine" v1.4.6 plugin demonstrates a generally strong security posture with many good practices in place. The code extensively utilizes prepared statements for SQL queries (79%) and has an excellent rate of output escaping (98%), significantly reducing the risk of common vulnerabilities like SQL injection and cross-site scripting. The plugin also incorporates a healthy number of nonce and capability checks, indicating an effort to secure its functionalities. Furthermore, the absence of any known CVEs and a clean vulnerability history suggests a well-maintained and secure codebase over time. The taint analysis found no critical or high-severity issues, reinforcing the impression of robust security development.

However, there is a notable concern regarding the plugin's attack surface. It exposes one AJAX handler without any authentication checks. This unprotected entry point is the most significant security risk identified in the static analysis. While the taint analysis did not find any direct exploitation paths through this specific handler, it represents a potential avenue for unauthorized actions or information disclosure if not properly secured against direct, unauthenticated access. The plugin also makes one external HTTP request, which warrants attention to ensure the target is trustworthy and the request is handled securely. The single file operation likewise requires scrutiny to ensure no sensitive files are accessed or modified without proper validation.

In conclusion, "init-user-engine" v1.4.6 is a relatively secure plugin with strong coding practices in SQL and output handling, and a clean security history. The primary weakness is an unprotected AJAX endpoint. Although the static analysis found no exploitation of it, it is a critical area that requires immediate attention: proper authentication and authorization checks should be implemented to fully secure the plugin.

Key Concerns

  • AJAX handler without authentication
Vulnerabilities
None known

Init User Engine – Gamified, Fast, Frontend-First Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Init User Engine – Gamified, Fast, Frontend-First Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 18 (68 prepared)
Unescaped Output: 11 (520 escaped)
Nonce Checks: 12
Capability Checks: 16
File Operations: 1
External Requests: 1
Bundled Libraries: 0

SQL Query Safety

79% prepared, 86 total queries

Output Escaping

98% escaped, 531 total outputs
Data Flows
All sanitized

Data Flow Analysis

6 flows
init_plugin_suite_user_engine_handle_cleanup_inbox_type (includes\inbox.php:437)
Attack Surface
1 unprotected

Init User Engine – Gamified, Fast, Frontend-First Attack Surface

Entry Points: 2
Unprotected: 1

AJAX Handlers 1

auth  wp_ajax_iue_user_search  includes\ajax.php:4

Shortcodes 1

[init_user_engine] includes\shortcode.php:4
WordPress Hooks 41
action  init  includes\core.php:38
action  init_plugin_suite_user_engine_cleanup_transients  includes\core.php:39
action  wp_insert_comment  includes\hooks.php:5
action  transition_post_status  includes\hooks.php:61
action  user_register  includes\hooks.php:85
action  profile_update  includes\hooks.php:125
action  init  includes\hooks.php:151
action  woocommerce_order_status_completed  includes\hooks.php:184
action  wp_insert_comment  includes\hooks.php:242
filter  pre_get_avatar_data  includes\hooks.php:276
filter  get_avatar_url  includes\hooks.php:338
filter  show_admin_bar  includes\hooks.php:348
action  init_plugin_suite_review_system_after_criteria_review  includes\hooks.php:363
action  init_plugin_suite_user_engine_vip_removed  includes\hooks.php:391
action  wp  includes\inbox.php:401
action  init_plugin_suite_user_engine_cleanup_orphaned_inbox  includes\inbox.php:404
action  admin_post_iue_cleanup_inbox_type  includes\inbox.php:436
action  wpmu_new_blog  includes\init.php:8
action  admin_init  includes\init.php:9
action  admin_init  includes\redeem-codes-handler.php:7
action  user_register  includes\referral.php:5
action  rest_api_init  includes\rest-api.php:5
action  admin_menu  includes\settings-page.php:5
action  admin_init  includes\settings-page.php:71
action  wp_dashboard_setup  includes\tools\inbox-statistics.php:514
action  show_user_profile  includes\user-metabox.php:12
action  edit_user_profile  includes\user-metabox.php:13
action  admin_enqueue_scripts  includes\user-metabox.php:18
action  admin_post_iue_remove_vip  includes\user-metabox.php:533
action  admin_post_iue_toggle_avatar_ban  includes\user-metabox.php:625
action  admin_notices  includes\user-metabox.php:676
action  admin_notices  includes\user-metabox.php:713
action  init_plugin_suite_user_engine_add_exp  includes\utils.php:69
action  init_plugin_suite_user_engine_add_coin  includes\utils.php:75
action  init_plugin_suite_user_engine_add_cash  includes\utils.php:81
action  admin_enqueue_scripts  includes\utils.php:203
filter  body_class  includes\vip.php:203
action  wp_enqueue_scripts  init-user-engine.php:66
action  wp_footer  init-user-engine.php:126
action  wp_enqueue_scripts  init-user-engine.php:149
action  admin_enqueue_scripts  init-user-engine.php:401

Scheduled Events 2

init_plugin_suite_user_engine_cleanup_transients
init_plugin_suite_user_engine_cleanup_orphaned_inbox
Maintenance & Trust

Init User Engine – Gamified, Fast, Frontend-First Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 7, 2026
PHP min version: 7.4
Downloads: 2K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 40
Developer Profile

Init User Engine – Gamified, Fast, Frontend-First Developer Profile

Init HTML

12 plugins · 710 total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Init User Engine – Gamified, Fast, Frontend-First

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/init-user-engine/assets/css/style-guest.css
/wp-content/plugins/init-user-engine/assets/js/guest.js
/wp-content/plugins/init-user-engine/assets/css/style-user.css
/wp-content/plugins/init-user-engine/assets/js/member.js
Script Paths
/wp-content/plugins/init-user-engine/assets/js/guest.js
/wp-content/plugins/init-user-engine/assets/js/member.js
Version Parameters
init-user-engine/assets/css/style-guest.css?ver=
init-user-engine/assets/js/guest.js?ver=
init-user-engine/assets/css/style-user.css?ver=
init-user-engine/assets/js/member.js?ver=

HTML / DOM Fingerprints

CSS Classes
init-user-engine-login-modal
iue-overlay
iue-content
iue-header
iue-close
iue-body
Data Attributes
id="init-user-engine-login-modal"
id="init-user-engine-modal-close"
JS Globals
InitUserEngineData
REST Endpoints
/wp-json/inituser/v1