InfiniteWP Client Security & Risk Analysis

wordpress.org/plugins/iwp-client

Install this plugin on unlimited sites and manage them all from a central dashboard. This plugin communicates with your InfiniteWP Admin Panel.

200K active installs v1.13.5 PHP + WP 3.1+ Updated Feb 26, 2026
backup · multi-site · multiple-admin · security · updates
90 · A · Safe
CVEs total: 7
Unpatched: 0
Last CVE: Jan 7, 2025
Safety Verdict

Is InfiniteWP Client Safe to Use in 2026?

Generally Safe

Score 90/100

InfiniteWP Client has a strong security track record. Known vulnerabilities have been patched promptly.

7 known CVEs · Last CVE: Jan 7, 2025 · Updated 1mo ago
Risk Assessment

The iwp-client v1.13.5 plugin presents a concerning security posture, despite having no currently unpatched CVEs. The static analysis reveals significant weaknesses, particularly the complete absence of nonce checks and a very low percentage of properly escaped output. The high number of "dangerous functions" like `unserialize`, `popen`, `exec`, and `system` combined with 8 out of 9 analyzed taint flows having unsanitized paths, 5 of which are rated as high severity, strongly suggests a high risk of remote code execution and path traversal vulnerabilities. The plugin's history of 7 CVEs, including 4 critical ones, further amplifies these concerns, indicating a recurring pattern of severe security flaws. While the presence of Guzzle as a bundled library is a positive sign for potential managed dependencies, it does not outweigh the critical issues found in core plugin logic.

Key Concerns

  • No nonce checks on entry points
  • High number of dangerous functions
  • Low output escaping percentage
  • High severity taint flows (unsanitized paths)
  • Multiple critical CVEs in history
  • High number of file operations
  • Bundled library (Guzzle) not checked for vulns
Vulnerabilities
7

InfiniteWP Client Security Vulnerabilities

CVEs by Year

2014: 2 CVEs
2017: 1 CVE
2020: 1 CVE
2023: 1 CVE
2024: 1 CVE
2025: 1 CVE

Severity Breakdown

Critical: 4
High: 1
Medium: 2

7 total CVEs

CVE-2024-10585 · medium · 5.3 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

InfiniteWP Client <= 1.13.0 - Unauthenticated Limited Directory Traversal to Arbitrary .txt File Reading

Jan 7, 2025 Patched in 1.13.1 (1d)

CVE-2023-6565 · medium · 5.9 · Insecure Storage of Sensitive Information

InfiniteWP Client <= 1.12.3 - Unauthenticated Sensitive Information Exposure

Feb 8, 2024 Patched in 1.12.3.1 (173d)

CVE-2023-2916 · high · 7.5 · Exposure of Sensitive Information to an Unauthorized Actor

InfiniteWP Client <= 1.11.1 - Authenticated (Subscriber+) Sensitive Information Exposure

Aug 14, 2023 Patched in 1.12.1 (162d)

CVE-2020-8772 · critical · 9.8 · Missing Authorization

InfiniteWP Client <= 1.9.4.4 - Authentication Bypass

Jan 14, 2020 Patched in 1.9.4.5 (1470d)

CVE-2016-15004 · critical · 9.8 · Deserialization of Untrusted Data

InfiniteWP Client <= 1.6.0 - Unauthenticated PHP Object Injection

Jan 25, 2017 Patched in 1.6.1.1 (2554d)

WF-9e7a1116-2bf1-4d36-a091-e0d4a9d6e1c9-iwp-client · critical · 9.8 · Improper Privilege Management

InfiniteWP Client <= 1.3.7 - Privilege Escalation

Dec 2, 2014 Patched in 1.3.8 (3339d)

WF-a71a1a7b-6299-44c5-b686-65f214986c27-iwp-client · critical · 9.8 · Deserialization of Untrusted Data

InfiniteWP Client <= 1.3.7 - PHP Object Injection

Dec 2, 2014 Patched in 1.3.8 (3339d)
Code Analysis
Analyzed Mar 16, 2026

InfiniteWP Client Code Analysis

Dangerous Functions: 45
Raw SQL Queries: 84 (156 prepared)
Unescaped Output: 84 (27 escaped)
Nonce Checks: 0
Capability Checks: 5
File Operations: 383
External Requests: 5
Bundled Libraries: 1

Dangerous Functions Found

unserialize · $white_lable_details = unserialize($white_lable_details); · activities_log.class.php:106
popen · $handle = @popen($exec, 'r'); · backup\backup.core.class.php:155
popen · $handle = popen($exec, "r"); · backup\backup.core.class.php:1031
popen · $handle = popen($exec, "r"); · backup\backup.core.class.php:1103
proc_open · $handle = proc_open($exec, $descriptorspec, $pipes, $iwp_backup_dir); · backup\backup.core.class.php:1134
unserialize · $tasks['taskResults'] = unserialize($tasks['taskResults']); · backup\backup.core.class.php:4352
unserialize · $requestParams = unserialize($tasks['requestParams']); · backup\backup.core.class.php:4355
popen · $handle = popen($exec, "r"); · backup\backup.php:1566
unserialize · return unserialize($var); · backup\backup.php:2117
proc_open · $process = proc_open($exec, $descriptorspec, $pipes, $rdirname); · backup\backup.zip.class.php:251
unserialize · return unserialize($value); · backup.class.multicall.php:2819
unserialize · $task_results = (!empty($value['taskResults']))?unserialize($value['taskResults']):array(); · backup.class.multicall.php:2864
unserialize · $requestParams = unserialize($value['requestParams']); · backup.class.multicall.php:2865
unserialize · $task_results = (!empty($value['taskResults']))?unserialize($value['taskResults']):array(); · backup.class.multicall.php:2886
unserialize · $task_results = unserialize($value->taskResults); · backup.class.multicall.php:2951
unserialize · $tasks['taskResults'] = unserialize($tasks['taskResults']); · backup.class.multicall.php:3232
unserialize · $requestParams = unserialize($tasks['requestParams']); · backup.class.multicall.php:3237
exec · $log = @exec($command, $output, $return); · backup.class.multicall.php:4109
system · $log = @system($command, $return); · backup.class.multicall.php:4118
passthru · $log = passthru($command, $return); · backup.class.multicall.php:4128
unserialize · $requestParams = unserialize($thisTask['requestParams']); · backup.class.multicall.php:6627
unserialize · $task_result = unserialize($backup_data['taskResults']); · backup.class.multicall.php:6682
unserialize · $requestParams = unserialize($tasks['requestParams']); · backup.class.multicall.php:6900
unserialize · return unserialize($all_files_detail[$field]); · backup.class.multicall.php:7310
unserialize · $requestParams = unserialize($taskArray['requestParams']); · backup.class.multicall.php:7555
unserialize · $return = unserialize($backup_settings['taskResults']); · backup.class.singlecall.php:190
exec · $log = @exec($command, $output, $return); · backup.class.singlecall.php:1566
system · $log = @system($command, $return); · backup.class.singlecall.php:1575
passthru · $log = passthru($command, $return); · backup.class.singlecall.php:1585
unserialize · $tasksThere = unserialize($test_this_task['taskResults']); · backup.class.singlecall.php:2726
unserialize · $task_results = unserialize($value['taskResults']); · backup.class.singlecall.php:2950
unserialize · $task_results = unserialize($value['taskResults']); · backup.class.singlecall.php:2966
unserialize · $rows = unserialize($rows['requestParams']); · backup.class.singlecall.php:3001
unserialize · return unserialize($rows['requestParams']); · backup.class.singlecall.php:3016
unserialize · $return = unserialize($rows['taskResults']); · backup.class.singlecall.php:3025
unserialize · $task_results = unserialize($value->taskResults); · backup.class.singlecall.php:3040
unserialize · $requestParams = unserialize($value->requestParams); · backup.class.singlecall.php:3043
unserialize · $task_result = unserialize($backup_data['taskResults']); · backup.class.singlecall.php:3144
unserialize · $fieldParams = unserialize($backupData->$field); · backup.class.singlecall.php:3300
unserialize · $tasks = unserialize($test_this_task['taskResults']); · backup.class.singlecall.php:3443
unserialize · $requestParams = unserialize($taskArray['requestParams']); · backup.class.singlecall.php:3736
unserialize · $ftp_details = unserialize($params['account_info']); · helper.class.php:519
unserialize · $this_task_result = unserialize($v['taskResults']); · init.php:2716
popen · $handle = popen($exec, 'r'); · init.php:3241
unserialize · $fieldParams = unserialize($fieldParams); · pclzip.class.php:707

Bundled Libraries

Guzzle

SQL Query Safety

65% prepared · 240 total queries

Output Escaping

24% escaped · 111 total outputs
Data Flows
8 unsanitized

Data Flow Analysis

9 flows · 8 with unsanitized paths
iwp_mmb_response (init.php:408)
Attack Surface

InfiniteWP Client Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks 90
action · core_upgrade_preamble · activities_log.class.php:24
action · _core_updated_successfully · activities_log.class.php:25
action · upgrader_process_complete · activities_log.class.php:26
action · automatic_updates_complete · activities_log.class.php:27
action · updated_option · activities_log.class.php:28
action · init · activities_log.class.php:29
filter · update_theme_complete_actions · activities_log.class.php:36
filter · update_bulk_theme_complete_actions · activities_log.class.php:37
filter · async_update_translation · activities_log.class.php:39
filter · update_translations_complete_actions · activities_log.class.php:41
filter · upgrader_post_install · activities_log.class.php:42
action · wpfc_delete_cache · addons\wp_optimize\purge-plugins-cache-class.php:315
action · IWP_backup · backup\backup.core.class.php:45
action · IWP_backup_database · backup\backup.core.class.php:46
filter · IWP_backupable_file_entities_final · backup\backup.core.class.php:47
action · IWP_backupnow_backup · backup\backup.core.class.php:51
action · IWP_backupnow_backup_database · backup\backup.core.class.php:52
action · IWP_backupnow_backup_all · backup\backup.core.class.php:53
action · IWP_backup_resume · backup\backup.core.class.php:54
action · IWP_backup_all · backup\backup.core.class.php:56
filter · schedule_event · backup\backup.core.class.php:58
filter · IWP_dropbox_modpath · backup\backup.core.class.php:59
filter · http_request_args · backup\backup.core.class.php:203
action · http_api_curl · backup\backup.core.class.php:204
filter · pre_option_IWP_backup_history · backup\backup.core.class.php:1462
action · http_request_args · backup\backup.php:357
filter · IWP_encrypt_file · backup\databaseencrypt.php:16
action · all_admin_notices · backup\dropbox.php:461
action · IWP_prune_retained_backups_finished · backup\s3.php:452
action · wp_initialize_site · core.class.php:88
action · network_admin_notices · core.class.php:103
action · admin_notices · core.class.php:109
action · admin_notices · core.class.php:113
action · rightnow_end · core.class.php:220
action · network_admin_menu · core.class.php:222
action · admin_menu · core.class.php:224
action · init · core.class.php:226
action · admin_init · core.class.php:227
action · admin_init · core.class.php:228
action · admin_init · core.class.php:229
filter · deprecated_function_trigger_error · core.class.php:230
filter · plugin_row_meta · core.class.php:231
action · admin_head · core.class.php:232
action · admin_footer · core.class.php:233
action · setup_theme · core.class.php:235
action · setup_theme · core.class.php:236
action · set_auth_cookie · core.class.php:237
action · wp_loaded · core.class.php:238
action · set_logged_in_cookie · core.class.php:239
action · wp_loaded · core.class.php:330
action · wp_loaded · core.class.php:331
action · wp_loaded · core.class.php:333
action · wp_loaded · core.class.php:336
action · after_setup_theme · core.class.php:338
action · init · core.class.php:340
action · admin_notices · core.class.php:866
filter · plugin_row_meta · core.class.php:1180
filter · site_transient_update_plugins · core.class.php:1181
filter · admin_url · core.class.php:1182
filter · all_plugins · core.class.php:1184
filter · show_advanced_plugins · core.class.php:1185
filter · transient_update_plugins · core.class.php:1208
filter · site_transient_update_core · core.class.php:1209
filter · site_transient_update_plugins · core.class.php:1210
filter · site_transient_update_themes · core.class.php:1211
filter · plugin_action_links · core.class.php:1219
filter · transient_update_plugins · core.class.php:1229
filter · site_transient_update_core · core.class.php:1230
filter · site_transient_update_plugins · core.class.php:1231
filter · site_transient_update_themes · core.class.php:1232
action · plugins_loaded · core.class.php:1335
action · wp_enqueue_scripts · init.php:86
action · admin_enqueue_scripts · init.php:87
filter · iwp_website_add · init.php:1159
action · admin_enqueue_scripts · init.php:2860
action · plugins_loaded · init.php:3496
action · init · init.php:3499
action · template_redirect · init.php:3502
action · template_redirect · init.php:3505
filter · install_plugin_complete_actions · init.php:3508
action · admin_init · init.php:3516
action · admin_init · init.php:3525
filter · http_request_args · installer.class.php:137
action · init · plugin.compatibility.class.php:45
filter · icwp-wpsf-visitor_is_whitelisted · plugin.compatibility.class.php:55
action · init · plugin.compatibility.class.php:64
action · init · plugin.compatibility.class.php:117
filter · iwp_mmb_stats_filter · plugins\cleanup\cleanup.php:21
filter · iwp_mmb_stats_filter · plugins\extra_html_example\extra_html_example.php:13
filter · iwp_website_add · stats.class.php:954

Scheduled Events 7

IWP_backup_resume
IWP_backup_resume
IWP_backup_resume
IWP_backup
IWP_backup_database
iwp_client_backup_tasks
iwp_client_backup_tasks
Maintenance & Trust

InfiniteWP Client Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 26, 2026
PHP min version
Downloads: 8.2M

Community Trust

Rating: 88/100
Number of ratings: 177
Active installs: 200K
Developer Profile

InfiniteWP Client Developer Profile

revmakx

6 plugins · 224K total installs

Trust score: 73
Avg Security Score: 92/100
Avg Patch Time: 704 days
Detection Fingerprints

How We Detect InfiniteWP Client

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/iwp-client/iwp_mmb_utils.css
  • /wp-content/plugins/iwp-client/css/custom_admin.css
  • /wp-content/plugins/iwp-client/js/iwp_mmb.js
  • /wp-content/plugins/iwp-client/js/iwp_mmb_dashboard.js
  • /wp-content/plugins/iwp-client/js/iwp_mmb_stats.js
  • /wp-content/plugins/iwp-client/js/iwp_mmb_backup.js
  • /wp-content/plugins/iwp-client/js/iwp_mmb_maintenance.js
  • /wp-content/plugins/iwp-client/js/iwp_mmb_users.js
  • +14 more
Script Paths
  • /wp-content/plugins/iwp-client/js/iwp_mmb.js
  • /wp-content/plugins/iwp-client/js/iwp_mmb_dashboard.js
  • /wp-content/plugins/iwp-client/js/iwp_mmb_stats.js
  • /wp-content/plugins/iwp-client/js/iwp_mmb_backup.js
  • /wp-content/plugins/iwp-client/js/iwp_mmb_maintenance.js
  • /wp-content/plugins/iwp-client/js/iwp_mmb_users.js
  • +14 more
Version Parameters
  • iwp-client/iwp_mmb_utils.css?ver=
  • iwp-client/css/custom_admin.css?ver=
  • iwp-client/js/iwp_mmb.js?ver=
  • iwp-client/js/iwp_mmb_dashboard.js?ver=
  • iwp-client/js/iwp_mmb_stats.js?ver=
  • iwp-client/js/iwp_mmb_backup.js?ver=
  • iwp-client/js/iwp_mmb_maintenance.js?ver=
  • iwp-client/js/iwp_mmb_users.js?ver=
  • iwp-client/js/iwp_mmb_plugins.js?ver=
  • iwp-client/js/iwp_mmb_themes.js?ver=
  • iwp-client/js/iwp_mmb_comments.js?ver=
  • iwp-client/js/iwp_mmb_posts.js?ver=
  • iwp-client/js/iwp_mmb_pages.js?ver=
  • iwp-client/js/iwp_mmb_links.js?ver=
  • iwp-client/js/iwp_mmb_install_addon.js?ver=
  • iwp-client/js/iwp_mmb_optimizer.js?ver=
  • iwp-client/js/iwp_mmb_security.js?ver=
  • iwp-client/js/iwp_mmb_cache.js?ver=
  • iwp-client/js/iwp_mmb_client_brand.js?ver=
  • iwp-client/js/iwp_mmb_broken_links.js?ver=
  • iwp-client/js/iwp_mmb_updates.js?ver=
  • iwp-client/js/iwp_mmb_restore.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • iwp_mmb_dashboard_widget
  • iwp_mmb_custom_css
  • iwp_mmb_menu_css
  • iwp_mmb_main_wrapper
  • iwp_mmb_plugin_update_btn
  • iwp_mmb_theme_update_btn
  • iwp_mmb_maintenance_mode_active
  • iwp_mmb_message_success
  • +12 more
HTML Comments
  • Copyright (c) 2012 Revmakx
  • www.revmakx.com
  • Copyright (c) 2011 Prelovac Media
  • www.prelovac.com
  • +4 more
Data Attributes
  • data-iwp-nonce
  • data-iwp-action
  • data-iwp-blog-id
  • data-iwp-item-id
  • data-iwp-plugin-slug
  • data-iwp-theme-slug
  • +1 more
JS Globals
  • iwp_mmb_core
  • iwp_mmb_vars
REST Endpoints
/wp-json/iwp-client/v1/actions
FAQ

Frequently Asked Questions about InfiniteWP Client