Injection Guard Security & Risk Analysis

wordpress.org/plugins/injection-guard

This plugin blocks all unauthorized and irrelevant requests through query strings and provides extended session tracking and capability audit.

1K active installs v1.3.0 PHP 7.0+ WP 3.0+ Updated Mar 14, 2026
Tags: anti-hacking, firewall, security, sql-injection, wordpress-security
Score: 96
A · Safe
CVEs total: 5
Unpatched: 0
Last CVE: Jul 24, 2025
Safety Verdict

Is Injection Guard Safe to Use in 2026?

Generally Safe

Score 96/100

Injection Guard has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: Jul 24, 2025 · Updated 20d ago
Risk Assessment

The "injection-guard" plugin v1.3.0 exhibits a mixed security posture. While it demonstrates good practices in using prepared statements for all SQL queries and a high percentage of properly escaped output, several significant concerns exist. The static analysis reveals three AJAX handlers that lack authorization checks, directly contributing to a potential attack surface. Furthermore, the taint analysis highlights two flows with unsanitized paths, which, though not classified as critical or high severity, represent a risk of input manipulation leading to unexpected behavior or vulnerabilities.

The plugin's vulnerability history is a particular concern: five known medium-severity CVEs, including Cross-Site Scripting, Missing Authorization, and CSRF. All previously known vulnerabilities are marked as patched, which is a positive sign, but the number and variety of past issues suggest a pattern of security weaknesses that requires diligent ongoing maintenance and auditing. The most recent vulnerability dates from July 2025, so this is not only a historical issue. While the current version appears to have addressed past issues, the history warrants a cautious approach.

In conclusion, the plugin has strengths in its database interaction and output handling. However, the unprotected AJAX endpoints, unsanitized input paths, and a history of numerous medium-severity vulnerabilities, especially those related to authorization and input validation, present a notable risk. Continued vigilance and thorough testing are essential to mitigate these ongoing concerns.

Key Concerns

  • 3 AJAX handlers without auth checks
  • 2 flows with unsanitized paths
  • 5 medium severity CVEs in history
Vulnerabilities
5

Injection Guard Security Vulnerabilities

CVEs by Year

4 CVEs in 2023
1 CVE in 2025

Severity Breakdown

Medium: 5

5 total CVEs

CVE-2025-8046 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Injection Guard <= 1.2.7 - Reflected Cross-Site Scripting

Jul 24, 2025 Patched in 1.2.8 (33d)
WF-4a5c4bef-f871-4e6b-9b6e-85079f1233a2-injection-guard · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Injection Guard <= 1.2.1 - Cross-Site Request Forgery via ig_update

May 11, 2023 Patched in 1.2.2 (257d)
CVE-2023-32574 · medium · 4.3 · Missing Authorization

Injection Guard <= 1.2.1 - Missing Authorization via ig_update

May 11, 2023 Patched in 1.2.2 (257d)
WF-1a6bc58f-9cf3-4d3f-a10e-0ccde0b890a3-injection-guard · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Injection Guard <= 1.2.1 - Cross-Site Request Forgery to Whitelist Update

May 10, 2023 Patched in 1.2.2 (258d)

Injection Guard <= 1.2.1 - Missing Authorization to Whitelist Update

May 10, 2023 Patched in 1.2.2 (258d)
Code Analysis
Analyzed Mar 16, 2026

Injection Guard Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (4 prepared)
Unescaped Output: 8 (56 escaped)
Nonce Checks: 3
Capability Checks: 4
File Operations: 3
External Requests: 1
Bundled Libraries: 0

SQL Query Safety

100% prepared · 4 total queries

Output Escaping

88% escaped · 64 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

3 flows · 2 with unsanitized paths
ig_update (functions.php:117)
Attack Surface
3 unprotected

Injection Guard Attack Surface

Entry Points: 3
Unprotected: 3

AJAX Handlers: 3

auth · wp_ajax_ig_load_capability_audit · functions.php:387
auth · wp_ajax_ig_update · index.php:185
auth · wp_ajax_ig_update_bulk_backlist · index.php:186

WordPress Hooks: 10

action · wp_login · functions.php:218
action · wp_login · functions.php:308
action · wp_logout · functions.php:313
filter · manage_users_columns · functions.php:327
filter · manage_users_custom_column · functions.php:334
action · init · functions.php:441
action · admin_init · functions.php:442
action · admin_menu · index.php:181
action · admin_enqueue_scripts · index.php:183
action · init · index.php:193
Maintenance & Trust

Injection Guard Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 14, 2026
PHP min version: 7.0
Downloads: 33K

Community Trust

Rating: 100/100
Number of ratings: 4
Active installs: 1K
Developer Profile

Injection Guard Developer Profile

Fahad Mahmood

40 plugins · 33K total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 237 days
Detection Fingerprints

How We Detect Injection Guard

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/injection-guard/css/bootstrap-responsive.min.css
/wp-content/plugins/injection-guard/css/bootstrap.icon-large.min.css
/wp-content/plugins/injection-guard/css/bootstrap.min.css
/wp-content/plugins/injection-guard/css/fontawesome.min.css
/wp-content/plugins/injection-guard/css/style.css
/wp-content/plugins/injection-guard/js/bootstrap.min.js
/wp-content/plugins/injection-guard/js/jquery.blockUI.js
/wp-content/plugins/injection-guard/js/script.js

Script Paths
/wp-content/plugins/injection-guard/js/bootstrap.min.js
/wp-content/plugins/injection-guard/js/jquery.blockUI.js
/wp-content/plugins/injection-guard/js/script.js

Version Parameters
injection-guard/css/style.css?ver=
injection-guard/css/fontawesome.min.css?ver=
injection-guard/css/bootstrap.min.css?ver=
injection-guard/css/bootstrap-responsive.min.css?ver=
injection-guard/css/bootstrap.icon-large.min.css?ver=
injection-guard/js/bootstrap.min.js?ver=
injection-guard/js/jquery.blockUI.js?ver=
injection-guard/js/script.js?ver=

HTML / DOM Fingerprints

JS Globals
ig_obj
ig_translation
FAQ

Frequently Asked Questions about Injection Guard