Does Masquerade have any unpatched vulnerabilities?

No. All known vulnerabilities in Masquerade have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Masquerade compatible with WordPress 3.3.2?

According to WordPress.org data, Masquerade 1.01 has been tested up to WordPress 3.3.2. Check the plugin's changelog for the latest compatibility information.

How often is Masquerade updated?

Masquerade was last updated on Jun 18, 2012. Frequent updates are generally a positive security signal.

What is Masquerade's security score?

Masquerade has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Masquerade Security & Risk Analysis

wordpress.org/plugins/masquerade

Adds a link to users.php that allows an administrator to login as that user without knowing the password.

70 active installs v1.01 PHP + WP 2.8+ Updated Jun 18, 2012

admin-loginadmin-login-as-userlogin-as-usermasquerade-as-useruser-login

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is Masquerade Safe to Use in 2026?

Generally Safe

Score 85/100

Masquerade has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 13yr ago

Risk Assessment

The masquerade plugin v1.01, based on static analysis, presents a generally good security posture with no reported vulnerabilities. The plugin demonstrates an understanding of secure coding practices by utilizing prepared statements for all SQL queries and including nonce and capability checks. The attack surface is also commendably small and appears to be protected.

However, a significant concern arises from the output escaping. With 100% of observed outputs being unescaped, this introduces a high risk of Cross-Site Scripting (XSS) vulnerabilities. Any data displayed by the plugin that originates from user input or external sources could potentially be manipulated to execute malicious scripts within a user's browser.

The lack of any recorded vulnerability history is a positive sign, suggesting a history of responsible development or a lack of significant past issues. Despite the concerning output escaping, the overall strength in preventing direct SQL injection and maintaining a small, guarded attack surface, along with no known CVEs, suggests that while immediate critical risks might be mitigated by other factors not detailed, the XSS vulnerability is a notable weakness that requires immediate attention.

Key Concerns

Unescaped output

Vulnerabilities

None known

Masquerade Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 16, 2026

Masquerade Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

0 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

0% escaped3 total outputs

Attack Surface

Masquerade Attack Surface

Entry Points1

Unprotected0

AJAX Handlers 1

authwp_ajax_masq_usermasquerade.php:65

WordPress Hooks 3

actionadmin_initmasquerade.php:25

filteruser_row_actionsmasquerade.php:28

actionadmin_footermasquerade.php:42

Maintenance & Trust

Masquerade Maintenance & Trust

Maintenance Signals

WordPress version tested3.3.2

Last updatedJun 18, 2012

PHP min version

Downloads2K

Community Trust

Rating100/100

Number of ratings1

Active installs70

Alternatives

Masquerade Alternatives

When Last Login

when-last-login

100

Show a users last login date by creating a sortable column in your WordPress users list.

50K 1 CVE

Login as User

100

30K No CVEs

Admin Custom Login

admin-custom-login

Customize Your WordPress Login Screen Amazingly - Add Own Logo, Add Social Profiles, Login Form Positions, Background Image Slide Show

20K 2 CVEs

Loggedin – Limit Concurrent Sessions

loggedin

Lightweight plugin that limits an account to a specific number of concurrent logins.

8K 1 CVE

Rename wp-admin login

rename-wp-admin-login

100

Rename wp-admin login* is a plugin that allows us to rename wp-admin login URL to anything you want

7K No CVEs

Developer Profile

Masquerade Developer Profile

jrking4

1 plugin · 70 total installs

trust score

Avg Security Score

85/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect Masquerade

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

HTML / DOM Fingerprints

JS Globals

window.locationmasq_as_user

FAQ