LendingQ Security & Risk Analysis

wordpress.org/plugins/lendingq

LendingQ is a simple way to manage and lend out items without worrying about using a large ILS.

0 active installs v1.0 PHP 5.6+ WP 4.7+ Updated Jan 30, 2023
borrowlending
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Safety Verdict

Is LendingQ Safe to Use in 2026?

Generally Safe

Score 85/100

LendingQ has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 3yr ago
Risk Assessment

The "lendingq" v1.0 plugin exhibits a mixed security posture. On one hand, the static analysis reveals a small attack surface with no reported AJAX handlers, REST API routes, shortcodes, or cron events that are directly exposed and unprotected. The plugin also demonstrates good practices by using prepared statements for all SQL queries and performing file operations. Furthermore, there are no known vulnerabilities (CVEs) associated with this plugin, suggesting a generally stable history.

However, significant concerns arise from the taint analysis and output escaping. The presence of 3 flows with unsanitized paths, even without critical or high severity, indicates potential vulnerabilities that could be exploited if an attacker can control the input leading to these paths. The low percentage of properly escaped output (15%) is a major red flag, suggesting a high risk of Cross-Site Scripting (XSS) vulnerabilities across the plugin's outputs. While nonce checks and capability checks are present, the limited number and the unescaped outputs overshadow these positive aspects.

In conclusion, "lendingq" v1.0 has strengths in its minimal attack surface and SQL handling, and a clean vulnerability history. Nevertheless, the identified unsanitized paths in taint analysis and the alarmingly low rate of proper output escaping represent substantial security weaknesses that require immediate attention to prevent potential XSS and other data manipulation attacks.

Key Concerns

  • Unsanitized paths in taint analysis
  • Low percentage of properly escaped output
Vulnerabilities
None known

LendingQ Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

LendingQ Release Timeline

v1.0Current
v0.98
v0.97
v0.96.3
v0.96.2
v0.96.1
v0.96
v0.95.1
v0.95
v0.94
Code Analysis
Analyzed Apr 16, 2026

LendingQ Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
240
44 escaped
Nonce Checks
5
Capability Checks
1
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

15% escaped284 total outputs
Data Flows · Security
3 unsanitized

Data Flow Analysis

4 flows3 with unsanitized paths
add_taxonomy_filters (lendingq.php:272)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

LendingQ Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 37
actionmanage_lendingq_hold_posts_columnslendingq.php:64
actionmanage_lendingq_hold_posts_custom_columnlendingq.php:65
filtermanage_edit-lendingq_hold_sortable_columnslendingq.php:66
actionmanage_lendingq_stock_posts_columnslendingq.php:68
actionmanage_lendingq_stock_posts_custom_columnlendingq.php:69
filtermanage_edit-lendingq_stock_sortable_columnslendingq.php:70
filterpost_row_actionslendingq.php:72
actionadmin_initlendingq.php:74
actioninitlendingq.php:76
actionpre_get_postslendingq.php:77
actioninitlendingq.php:81
actionadmin_menulendingq.php:83
actionwp_enqueue_scriptslendingq.php:86
actionadmin_enqueue_scriptslendingq.php:87
actionadd_meta_boxeslendingq.php:89
filterpost_updated_messageslendingq.php:91
actionrestrict_manage_postslendingq.php:93
filterbulk_actions-edit-lendingq_stocklendingq.php:95
filterbulk_actions-edit-lendingq_holdlendingq.php:96
actionpre_post_updatelendingq.php:97
filtersave_post_lendingq_holdlendingq.php:99
filtersave_post_lendingq_stocklendingq.php:100
actionadmin_post_lendingq_checkoutlendingq.php:102
actionadmin_post_lendingq_checkinlendingq.php:103
actionadmin_post_lendingq_contactedlendingq.php:104
actionadmin_post_lendingq_cancel_holdlendingq.php:105
actionsave_post_lendingq_holdlendingq.php:106
filtercustom_menu_orderlendingq.php:107
actionplugins_loadedlendingq.php:108
actionadmin_post_lendingq_checkoutlendingq.php:1262
actionredirect_post_locationlendingq.php:1557
actionsave_post_lendingq_holdlendingq.php:1564
actionredirect_post_locationlendingq.php:1569
actionsave_post_lendingq_holdlendingq.php:1577
actionredirect_post_locationlendingq.php:1675
actionredirect_post_locationlendingq.php:1681
actionsave_post_lendingq_stocklendingq.php:1689
Maintenance & Trust

LendingQ Maintenance & Trust

Maintenance Signals

WordPress version tested6.1.10
Last updatedJan 30, 2023
PHP min version5.6
Downloads1K

Community Trust

Rating0/100
Number of ratings0
Active installs0
Developer Profile

LendingQ Developer Profile

74
trust score
Avg Security Score
71/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect LendingQ

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/lendingq/lendingq-admin.css/wp-content/plugins/lendingq/lendingq-admin.js/wp-content/plugins/lendingq/lendingq-frontend.css/wp-content/plugins/lendingq/lendingq-frontend.js
Script Paths
/wp-content/plugins/lendingq/lendingq-admin.js/wp-content/plugins/lendingq/lendingq-frontend.js
Version Parameters
lendingq/lendingq-admin.css?ver=lendingq/lendingq-admin.js?ver=lendingq/lendingq-frontend.css?ver=lendingq/lendingq-frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
lendingq-hold-formlendingq-stock-form
HTML Comments
<!-- lendingq_post_message --><!-- lendingq_old_date --><!-- NOTE: These are constants defined as required by the LendingQ plugin. Do not modify these values. -->
Data Attributes
data-lendingq-item-id
JS Globals
lendingq_checkout_noncelendingq_checkin_noncelendingq_contacted_noncelendingq_cancel_hold_nonce
FAQ

Frequently Asked Questions about LendingQ