WPBULKiT – Bulk Edit WordPress Posts & Pages Security & Risk Analysis

wordpress.org/plugins/ithemeland-bulk-posts-editing-lite

Editing Date in WordPress is very painful. Be professionals with managing data in the reliable and flexible way by Wordpress Bulk Posts Editing.

200 active installs · v5.0.7 · PHP 8.0.3+ · WP 5.5+ · Updated Jan 7, 2026
Tags: custom-posts-bulk-edit, post-bulk-edit, posts-export, wordpress-bulk-edit, wordpress-edit-post
Score: 99 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: May 16, 2024
Safety Verdict

Is WPBULKiT – Bulk Edit WordPress Posts & Pages Safe to Use in 2026?

Generally Safe

Score 99/100

WPBULKiT – Bulk Edit WordPress Posts & Pages has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

2 known CVEs · Last CVE: May 16, 2024 · Updated 4mo ago
Risk Assessment

The ithemeland-bulk-posts-editing-lite plugin, version 5.0.7, exhibits a mixed security posture. It follows good practice in output escaping and SQL statement preparation, but its attack surface and taint analysis raise significant concerns. The plugin exposes 46 AJAX handlers, 3 of which lack any authentication check, creating a potential entry point for unauthorized actions. The taint analysis also reveals 13 flows with unsanitized paths, 4 of them rated high severity. This indicates that user-supplied data is not adequately validated or neutralized before it is used in potentially sensitive operations.

The plugin's vulnerability history, with 2 known medium-severity CVEs and the most recent reported in May 2024, suggests a pattern of security weaknesses. The classes of these past vulnerabilities, Cross-Site Request Forgery (CSRF) and Missing Authorization, align with the static-analysis findings on unprotected AJAX handlers. There are no currently unpatched CVEs, but the recurring authorization and input validation issues are a cause for concern.

In conclusion, despite strengths in output sanitization and prepared SQL statements, the unprotected AJAX endpoints and the high-severity unsanitized taint flows represent critical security risks. The historical pattern of vulnerabilities reinforces the need for careful scrutiny, and potentially remediation, of these areas to improve the plugin's overall security. Users should be aware of the potential for unauthorized access and data manipulation due to these weaknesses.

Key Concerns

  • Unprotected AJAX handlers
  • High severity unsanitized taint flows
  • Bundled library (Select2)
  • Use of unserialize() function
Vulnerabilities
2 published

WPBULKiT – Bulk Edit WordPress Posts & Pages Security Vulnerabilities

CVEs by Year

2 CVEs in 2024

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2024-4204 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Bulk Posts Editing For WordPress <= 4.2.3 - Cross-Site Request Forgery

May 16, 2024 · Patched in 4.2.4 (1d)

CVE-2024-4199 · medium · 4.3 · Missing Authorization

Bulk Posts Editing For WordPress <= 4.2.3 - Authenticated (Subscriber+) Missing Authorization

May 14, 2024 · Patched in 4.2.4 (1d)
Version History

WPBULKiT – Bulk Edit WordPress Posts & Pages Release Timeline

v5.0.7 (Current)
v5.0.6
v5.0.5
v5.0.4
v5.0.3
v5.0.2
v5.0.1
v5.0.0
v4.3.3
v4.3.2
v4.3.1
v4.3.0
v4.2.4
Code Analysis
Analyzed Mar 16, 2026

WPBULKiT – Bulk Edit WordPress Posts & Pages Code Analysis

Dangerous Functions: 25
Raw SQL Queries: 6 (55 prepared)
Unescaped Output: 8 (1464 escaped)
Nonce Checks: 56
Capability Checks: 3
File Operations: 2
External Requests: 2
Bundled Libraries: 1

Dangerous Functions Found

unserialize · return (!is_array($sticky_posts)) ? unserialize($sticky_posts) : $sticky_posts; · classes\repositories\Post.php:112
unserialize · $item->new_value = is_serialized($item->new_value) ? unserialize($item->new_value) : $item->new_valu · classes\services\history\HistoryRedoService.php:78
unserialize · $field = unserialize($item->field); · classes\services\history\HistoryRedoService.php:79
unserialize · $field = unserialize($item->field); · classes\services\history\HistoryRedoService.php:134
unserialize · 'value' => unserialize($item->new_value), · classes\services\history\HistoryRedoService.php:148
unserialize · 'value' => intval((unserialize($item->new_value))['id']) · classes\services\history\HistoryRedoService.php:205
unserialize · 'value' => unserialize($item->new_value) · classes\services\history\HistoryRedoService.php:215
unserialize · $new_val = unserialize($item->new_value); · classes\services\history\HistoryRedoService.php:222
unserialize · 'value' => unserialize($item->new_value), · classes\services\history\HistoryRedoService.php:235
unserialize · $new_val = unserialize($item->new_value); · classes\services\history\HistoryRedoService.php:243
unserialize · 'value' => unserialize($item->new_value), · classes\services\history\HistoryRedoService.php:256
unserialize · $item->prev_value = is_serialized($item->prev_value) ? unserialize($item->prev_value) : $item->prev_ · classes\services\history\HistoryUndoService.php:91
unserialize · $field = unserialize($item->field); · classes\services\history\HistoryUndoService.php:92
unserialize · $field = unserialize($item->field); · classes\services\history\HistoryUndoService.php:146
unserialize · $item->prev_value = is_serialized($item->prev_value) ? unserialize($item->prev_value) : $item->prev_ · classes\services\history\HistoryUndoService.php:152
unserialize · 'value' => (unserialize($item->prev_value))['id'] · classes\services\history\HistoryUndoService.php:198
unserialize · 'value' => unserialize($item->prev_value) · classes\services\history\HistoryUndoService.php:208
unserialize · $prev = unserialize($item->prev_value); · classes\services\history\HistoryUndoService.php:215
unserialize · 'value' => unserialize($item->prev_value), · classes\services\history\HistoryUndoService.php:228
unserialize · $prev = unserialize($item->prev_value); · classes\services\history\HistoryUndoService.php:235
unserialize · 'value' => unserialize($item->prev_value), · classes\services\history\HistoryUndoService.php:248
unserialize · $sticky_posts = (!is_array($sticky_posts)) ? unserialize($sticky_posts) : $sticky_posts; · classes\services\update\handlers\Sticky_FIeld_Handler.php:37
unserialize · if (is_array(unserialize($history->fields)) && !empty(unserialize($history->fields))) { · views\history\history_items.php:30
unserialize · if (is_array(unserialize($history->fields)) && !empty(unserialize($history->fields))) { · views\history\history_items.php:30
unserialize · foreach (unserialize($history->fields) as $field) { · views\history\history_items.php:31

Bundled Libraries

Select2

SQL Query Safety

90% prepared · 61 total queries

Output Escaping

99% escaped · 1472 total outputs
Data Flows · Security
13 unsanitized

Data Flow Analysis

13 flows · 13 with unsanitized paths
print_script (classes\controllers\Wordpress_Posts_Bulk_Edit.php:251)
Attack Surface
3 unprotected

WPBULKiT – Bulk Edit WordPress Posts & Pages Attack Surface

Entry Points: 46
Unprotected: 3

AJAX Handlers 46

auth · wp_ajax_wpbe_get_default_filter_profile_posts · classes\controllers\WPBEL_Ajax.php:47
auth · wp_ajax_wpbe_get_post_tags · classes\controllers\WPBEL_Ajax.php:48
auth · wp_ajax_wpbe_create_new_post · classes\controllers\WPBEL_Ajax.php:49
auth · wp_ajax_wpbe_posts_filter · classes\controllers\WPBEL_Ajax.php:50
auth · wp_ajax_wpbe_duplicate_post · classes\controllers\WPBEL_Ajax.php:51
auth · wp_ajax_wpbe_delete_posts · classes\controllers\WPBEL_Ajax.php:52
auth · wp_ajax_wpbe_untrash_posts · classes\controllers\WPBEL_Ajax.php:53
auth · wp_ajax_wpbe_empty_trash · classes\controllers\WPBEL_Ajax.php:54
auth · wp_ajax_wpbe_filter_profile_change_use_always · classes\controllers\WPBEL_Ajax.php:55
auth · wp_ajax_wpbe_change_count_per_page · classes\controllers\WPBEL_Ajax.php:56
auth · wp_ajax_wpbe_column_manager_get_fields_for_edit · classes\controllers\WPBEL_Ajax.php:57
auth · wp_ajax_wpbe_get_text_editor_content · classes\controllers\WPBEL_Ajax.php:58
auth · wp_ajax_wpbe_history_filter · classes\controllers\WPBEL_Ajax.php:59
auth · wp_ajax_wpbe_history_undo · classes\controllers\WPBEL_Ajax.php:60
auth · wp_ajax_wpbe_history_redo · classes\controllers\WPBEL_Ajax.php:61
auth · wp_ajax_wpbe_add_meta_keys_by_post_id · classes\controllers\WPBEL_Ajax.php:62
auth · wp_ajax_wpbe_update_post_taxonomy · classes\controllers\WPBEL_Ajax.php:63
auth · wp_ajax_wpbe_add_post_taxonomy · classes\controllers\WPBEL_Ajax.php:64
auth · wp_ajax_wpbe_post_edit · classes\controllers\WPBEL_Ajax.php:65
auth · wp_ajax_wpbe_load_filter_profile · classes\controllers\WPBEL_Ajax.php:66
auth · wp_ajax_wpbe_save_filter_preset · classes\controllers\WPBEL_Ajax.php:67
auth · wp_ajax_wpbe_save_column_profile · classes\controllers\WPBEL_Ajax.php:68
auth · wp_ajax_wpbe_sort_by_column · classes\controllers\WPBEL_Ajax.php:69
auth · wp_ajax_wpbe_delete_filter_profile · classes\controllers\WPBEL_Ajax.php:70
auth · wp_ajax_wpbe_get_taxonomy_parent_select_box · classes\controllers\WPBEL_Ajax.php:71
auth · wp_ajax_wpbe_clear_filter_data · classes\controllers\WPBEL_Ajax.php:72
auth · wp_ajax_wpbe_get_post_by_id · classes\controllers\WPBEL_Ajax.php:73
auth · wp_ajax_wpbe_get_posts_by_name · classes\controllers\WPBEL_Ajax.php:74
auth · wp_ajax_wpbe_history_change_page · classes\controllers\WPBEL_Ajax.php:75
auth · wp_ajax_wpbe_get_post_custom_field_files · classes\controllers\WPBEL_Ajax.php:76
auth · wp_ajax_wpbe_add_custom_field_file_item · classes\controllers\WPBEL_Ajax.php:77
auth · wp_ajax_wpbe_bulk_edit_add_custom_field_file_item · classes\controllers\WPBEL_Ajax.php:78
auth · wp_ajax_wpbe_get_users · classes\controllers\WPBEL_Ajax.php:79
auth · wp_ajax_wpbe_get_post_taxonomy_terms · classes\controllers\WPBEL_Ajax.php:80
auth · wp_ajax_wpbe_is_processing · classes\controllers\WPBEL_Ajax.php:81
auth · wp_ajax_wpbe_background_process_force_stop · classes\controllers\WPBEL_Ajax.php:82
auth · wp_ajax_wpbe_background_process_clear_complete_message · classes\controllers\WPBEL_Ajax.php:83
auth · wp_ajax_wpbe_background_process_clear_tasks_count · classes\controllers\WPBEL_Ajax.php:84
auth · wp_ajax_wpbe_column_manager_add_field · classes\controllers\WPBEL_Ajax.php:85
auth · wp_ajax_wpbe_add_meta_keys_manual · classes\controllers\WPBEL_Ajax.php:86
auth · wp_ajax_get_meta_fields_json · classes\repositories\meta_field\Meta_Field_Main.php:37
nopriv · wp_ajax_get_meta_fields_json · classes\repositories\meta_field\Meta_Field_Main.php:38
auth · wp_ajax_wpbe_add_schedule_job · classes\services\scheduler\Post_Scheduler.php:41
auth · wp_ajax_wpbe_get_schedule_jobs · classes\services\scheduler\Post_Scheduler.php:42
auth · wp_ajax_wpbe_schedule_get_current_time · classes\services\scheduler\Scheduler.php:41
auth · wp_ajax_wpbel_ithemeland_onboarding_plugin · framework\onboarding\Onboarding.php:24
WordPress Hooks 28
filter · safe_style_css · classes\bootstrap\WPBEL.php:47
action · admin_menu · classes\bootstrap\WPBEL.php:53
action · admin_enqueue_scripts · classes\bootstrap\WPBEL.php:54
filter · posts_where · classes\bootstrap\WPBEL_Custom_Queries.php:24
filter · posts_where · classes\bootstrap\WPBEL_Custom_Queries.php:25
filter · wpbe_post_column_fields · classes\bootstrap\WPBEL_Meta_Fields.php:23
filter · wpbe_page_column_fields · classes\bootstrap\WPBEL_Meta_Fields.php:24
filter · wpbe_custom_post_column_fields · classes\bootstrap\WPBEL_Meta_Fields.php:25
filter · wpbe_post_column_fields · classes\bootstrap\WPBEL_Meta_Fields.php:26
filter · wpbe_custom_post_column_fields · classes\bootstrap\WPBEL_Meta_Fields.php:27
filter · it_black_friday_banner · classes\bootstrap\WPBEL_Top_Banners.php:26
action · admin_notices · classes\bootstrap\WPBEL_Top_Banners.php:30
action · admin_post_wpbe_black_friday_banner_dismiss · classes\bootstrap\WPBEL_Top_Banners.php:31
filter · wpbe_top_navigation_buttons · classes\controllers\Wordpress_Posts_Bulk_Edit.php:52
filter · wpbe_footer_view_files · classes\controllers\Wordpress_Posts_Bulk_Edit.php:53
action · admin_post_wpbe_switcher · classes\controllers\WPBEL_Post.php:29
action · admin_post_wpbe_settings · classes\controllers\WPBEL_Post.php:30
action · admin_post_wpbe_column_manager_new_preset · classes\controllers\WPBEL_Post.php:31
action · admin_post_wpbe_column_manager_edit_preset · classes\controllers\WPBEL_Post.php:32
action · admin_post_wpbe_column_manager_delete_preset · classes\controllers\WPBEL_Post.php:33
action · admin_post_wpbe_load_column_profile · classes\controllers\WPBEL_Post.php:34
action · admin_post_wpbe_export_posts · classes\controllers\WPBEL_Post.php:35
filter · cron_schedules · classes\services\scheduler\Scheduler.php:29
action · admin_enqueue_scripts · classes\services\scheduler\Scheduler.php:30
action · admin_init · framework\analytics\AnalyticsTracker.php:22
action · init · framework\analytics\AnalyticsTracker.php:23
action · init · ithemeland-bulk-posts-editing-lite.php:53
action · plugins_loaded · ithemeland-bulk-posts-editing-lite.php:55
Maintenance & Trust

WPBULKiT – Bulk Edit WordPress Posts & Pages Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 7, 2026
PHP min version: 8.0.3
Downloads: 23K

Community Trust

Rating: 60/100
Number of ratings: 6
Active installs: 200
Developer Profile

WPBULKiT – Bulk Edit WordPress Posts & Pages Developer Profile

ithemelandco

9 plugins · 5K total installs

Trust score: 93
Avg Security Score: 99/100
Avg Patch Time: 8 days
Detection Fingerprints

How We Detect WPBULKiT – Bulk Edit WordPress Posts & Pages

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/ithemeland-bulk-posts-editing-lite/assets/css/core/style.core.css
/wp-content/plugins/ithemeland-bulk-posts-editing-lite/assets/js/core/script.core.js
/wp-content/plugins/ithemeland-bulk-posts-editing-lite/assets/images/wpbulkit-icon-wh20.svg
Script Paths
/wp-content/plugins/ithemeland-bulk-posts-editing-lite/assets/js/core/script.core.js
Version Parameters
ithemeland-bulk-posts-editing-lite/assets/css/core/style.core.css?ver=
ithemeland-bulk-posts-editing-lite/assets/js/core/script.core.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpbe-icon-go-pro
HTML Comments
<!-- Add "Go Pro" submenu -->
<!-- Add "Other Plugins" submenu -->
Data Attributes
wpbel-icon-go-pro
JS Globals
WPBEL_URL, WPBEL_ASSETS_URL, WPBEL_CSS_URL, WPBEL_JS_URL, WPBEL_IMAGES_URL, WPBEL_PRO_LINK, +15 more