Does Roles & Capabilities have any unpatched vulnerabilities?

No published vulnerabilities and no findings under coordinated disclosure as of the latest data update. Always keep the plugin updated to the latest version.

Is Roles & Capabilities compatible with WordPress 6.9.4?

According to WordPress.org data, Roles & Capabilities 1.1.14 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

Is Roles & Capabilities compatible with PHP 7.4+?

Roles & Capabilities requires PHP 7.4 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Roles & Capabilities updated?

Roles & Capabilities was last updated on Dec 19, 2025. Frequent updates are generally a positive security signal.

What is Roles & Capabilities's security score?

Roles & Capabilities has a WP-Safety security score of 99/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Roles & Capabilities Security & Risk Analysis

wordpress.org/plugins/leira-roles

Take full control of user roles and capabilities in WordPress with an intuitive, powerful interface.

1K active installs v1.1.14 PHP 7.4+ WP 4.1+ Updated Dec 19, 2025

admincapabilitieseditpermissionsrole

A · Safe

CVEs total1

Unpatched0

Last CVESep 12, 2024

Plugin page Download

Safety Verdict

Is Roles & Capabilities Safe to Use in 2026?

Generally Safe

Score 99/100

Roles & Capabilities has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

1 known CVELast CVE: Sep 12, 2024Updated 4mo ago

Risk Assessment

The 'leira-roles' v1.1.14 plugin exhibits a mixed security posture. While it demonstrates strong adherence to secure coding practices such as using prepared statements for all SQL queries and a high percentage of properly escaped output, significant concerns arise from its attack surface. The plugin exposes six AJAX handlers, all of which lack authentication checks, creating a substantial vulnerability for unauthorized actions. Despite a history of one known CVE, which was a medium-severity Cross-site Scripting (XSS) vulnerability, the fact that it is now patched is a positive sign. However, the presence of unsanitized paths in taint analysis warrants attention, even if no critical or high-severity vulnerabilities were identified in this specific analysis. The lack of authentication on all AJAX endpoints is a critical weakness that overshadows some of the positive coding practices.

Key Concerns

Unprotected AJAX handlers
Flows with unsanitized paths
Medium severity vulnerability history

Vulnerabilities

1 published

Roles & Capabilities Security Vulnerabilities

CVEs by Year

1 CVE in 2024

2024

Patched Has unpatched

Severity Breakdown

Medium

1 total CVE

CVE-2024-8732medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Roles & Capabilities <= 1.1.9 - Reflected Cross-Site Scripting

Sep 12, 2024 Patched in 1.1.10 (11d)

Version History

Roles & Capabilities Release Timeline

v1.1.14Current

v1.1.13

v1.1.12

v1.1.11

v1.1.10

v1.1.91 CVE

v1.1.8.01 CVE

v1.1.71 CVE

v1.1.61 CVE

v1.1.51 CVE

v1.1.41 CVE

v1.1.31 CVE

v1.1.21 CVE

v1.1.11 CVE

v1.1.01 CVE

v1.0.21 CVE

v1.0.11 CVE

v1.0.01 CVE

Code Analysis

Analyzed Mar 16, 2026

Roles & Capabilities Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

103 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

94% escaped109 total outputs

Data Flows · Security

2 unsanitized

Data Flow Analysis

6 flows2 with unsanitized paths

search_box (admin\class-leira-roles-capabilities-list-table.php:342)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

6 unprotected

Roles & Capabilities Attack Surface

Entry Points6

Unprotected6

AJAX Handlers 6

authwp_ajax_leira-roles-add-roleincludes\class-leira-roles.php:209

authwp_ajax_leira-roles-delete-roleincludes\class-leira-roles.php:210

authwp_ajax_leira-roles-clone-roleincludes\class-leira-roles.php:211

authwp_ajax_leira-roles-quick-edit-roleincludes\class-leira-roles.php:212

authwp_ajax_leira-roles-quick-edit-user-capabilitiesincludes\class-leira-roles.php:213

authwp_ajax_leira-roles-footer-ratedincludes\class-leira-roles.php:214

WordPress Hooks 9

actionplugins_loadedincludes\class-leira-roles.php:169

actionadmin_menuincludes\class-leira-roles.php:194

actionadmin_enqueue_scriptsincludes\class-leira-roles.php:195

actionadmin_enqueue_scriptsincludes\class-leira-roles.php:196

actionadmin_footerincludes\class-leira-roles.php:197

filterset-screen-optionincludes\class-leira-roles.php:199

filteruser_row_actionsincludes\class-leira-roles.php:200

filteradmin_footer_textincludes\class-leira-roles.php:202

actionload-users.phpincludes\class-leira-roles.php:219

Maintenance & Trust

Roles & Capabilities Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedDec 19, 2025

PHP min version7.4

Downloads31K

Community Trust

Rating100/100

Number of ratings6

Active installs1K

Alternatives

Roles & Capabilities Alternatives

PublishPress Capabilities – User Role Editor, Access Permissions, User Capabilities, Admin Menus

capability-manager-enhanced

PublishPress Capabilities is the access control plugin. You can manage user capabilities, permissions, user roles, admin menus and more.

100K 5 CVEs

Custom Access Roles

custom-access-roles

Create custom roles with editing capability for only specific pages, categories and post types.

200 No CVEs

Editorial Access Manager

editorial-access-manager

Allow for granular editorial access control for all post types in WordPress

80 No CVEs

Members – Membership & User Role Editor Plugin

members

The best WordPress membership and user role editor plugin. User Roles & Capabilities editor helps you restrict content in just a few clicks.

300K 1 CVE

WPFront User Role Editor

wpfront-user-role-editor

Easily allows you to manage WordPress user roles. You can create, edit, delete and manage capabilities, also copy existing roles.

30K 5 CVEs

Developer Profile

Roles & Capabilities Developer Profile

Ariel

5 plugins · 9K total installs

trust score

Avg Security Score

97/100

Avg Patch Time

12 days

View full developer profile

Detection Fingerprints

How We Detect Roles & Capabilities

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/leira-roles/build/admin.css/wp-content/plugins/leira-roles/build/admin.js/wp-content/plugins/leira-roles/build/roles-admin.js/wp-content/plugins/leira-roles/build/inline-edit-user-capabilities.js/wp-content/plugins/leira-roles/build/inline-edit-roles.js

Script Paths

/wp-content/plugins/leira-roles/build/admin.js/wp-content/plugins/leira-roles/build/roles-admin.js/wp-content/plugins/leira-roles/build/inline-edit-user-capabilities.js/wp-content/plugins/leira-roles/build/inline-edit-roles.js

Version Parameters

leira-roles/build/admin.css?ver=leira-roles/build/admin.js?ver=leira-roles/build/roles-admin.js?ver=leira-roles/build/inline-edit-user-capabilities.js?ver=leira-roles/build/inline-edit-roles.js?ver=

HTML / DOM Fingerprints

JS Globals

leiraRolesL10n

FAQ

Roles & Capabilities Security & Risk Analysis

Is Roles & Capabilities Safe to Use in 2026?

Generally Safe

Key Concerns

Roles & Capabilities Security Vulnerabilities

CVEs by Year

Severity Breakdown

Roles & Capabilities Release Timeline

Roles & Capabilities Code Analysis

Output Escaping

Data Flow Analysis

Roles & Capabilities Attack Surface

AJAX Handlers 6

Roles & Capabilities Maintenance & Trust

Maintenance Signals

Community Trust

Roles & Capabilities Alternatives

PublishPress Capabilities – User Role Editor, Access Permissions, User Capabilities, Admin Menus

Custom Access Roles

Editorial Access Manager

Members – Membership & User Role Editor Plugin

WPFront User Role Editor

Roles & Capabilities Developer Profile

How We Detect Roles & Capabilities

Asset Fingerprints

HTML / DOM Fingerprints

Frequently Asked Questions about Roles & Capabilities