WP-Safety

Menu Ghost Security & Risk Analysis

wordpress.org/plugins/menu-ghost

Target menu items by role, device, schedule, and campaign rules using a fast, native conditions interface inside the menu editor.

0 active installs v2.0.1 PHP 8.0+ WP 6.6+ Updated Nov 25, 2025
conditional-menusmenu-visibilitynavigationpersonalizationuser-roles
100
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is Menu Ghost Safe to Use in 2026?

Generally Safe

Score 100/100

Menu Ghost has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 4mo ago
Risk Assessment

The 'menu-ghost' plugin v2.0.1 exhibits a generally strong security posture, with excellent adherence to secure coding practices. The static analysis reveals a complete absence of dangerous functions, raw SQL queries, unsanitized output, file operations, and external HTTP requests. All SQL queries are properly prepared, and all output is correctly escaped. Furthermore, the plugin implements nonce and capability checks for all identified entry points, including its AJAX handlers and REST API routes. The vulnerability history also shows a clean slate, with no recorded CVEs, indicating a lack of past security issues and a likely robust development process.

However, a minor concern exists with one of the REST API routes lacking a permission callback. While the overall attack surface is small, this single unprotected entry point presents a potential avenue for unauthorized access or misuse if not properly secured by the calling application or context. The absence of taint analysis flows is positive but could also indicate limited analysis depth rather than a definitive absence of potential vulnerabilities in complex, multi-step operations. Despite this single oversight, the plugin's commitment to secure coding fundamentals is commendable.

Key Concerns

  • REST API route without permission callback
Vulnerabilities
None known

Menu Ghost Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

Menu Ghost Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
1 prepared
Unescaped Output
0
40 escaped
Nonce Checks
3
Capability Checks
5
File Operations
0
External Requests
0
Bundled Libraries
0

SQL Query Safety

100% prepared1 total queries

Output Escaping

100% escaped40 total outputs
Attack Surface
1 unprotected

Menu Ghost Attack Surface

Entry Points5
Unprotected1

AJAX Handlers 3

authwp_ajax_mngh_save_menu_rulesincludes\Admin\AdvancedController.php:49
authwp_ajax_mngh_save_menu_conditionsincludes\Admin\MenuItem.php:47
authwp_ajax_mngh_save_menu_settingsincludes\Admin\SettingsController.php:50

REST API Routes 2

GET/wp-json/menu-ghost/v1/navigation/(?P<navigation_id>\d+)/(?P<link_key>[A-Za-z0-9:_\-]+)/settingsincludes\Admin\NavigationController.php:38
GET/wp-json/menu-ghost/v1/searchincludes\Admin\SearchController.php:37
WordPress Hooks 11
actionadmin_enqueue_scriptsincludes\Admin\Assets\AdminAssets.php:40
actionenqueue_block_editor_assetsincludes\Admin\Assets\AdminAssets.php:41
actionwp_nav_menu_item_custom_fieldsincludes\Admin\MenuItem.php:46
actionrest_api_initincludes\Admin\NavigationController.php:35
actionrest_api_initincludes\Admin\SearchController.php:28
filterwp_get_nav_menu_itemsincludes\Frontend\MenuVisibility.php:59
filterrender_block_core/navigation-linkincludes\Frontend\MenuVisibility.php:60
filterrender_block_core/navigationincludes\Frontend\MenuVisibility.php:61
filterrender_block_dataincludes\Frontend\MenuVisibility.php:62
actioninitincludes\Plugin.php:59
filterload_script_translation_fileincludes\Plugin.php:60
Maintenance & Trust

Menu Ghost Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5
Last updatedNov 25, 2025
PHP min version8.0
Downloads247

Community Trust

Rating100/100
Number of ratings1
Active installs0
Alternatives

Menu Ghost Alternatives

Different Menu in Different Pages – Conditional Menu

Different Menu in Different Pages – Conditional Menu

different-menus-in-different-pages

A
99

Easily assign different menus to pages, posts, user roles, devices, and custom URLs using advanced conditional menu visibility rules.

4K 1 CVE
Menu By User Roles

Menu By User Roles

menu-by-user-roles

A
100

Menu By User Roles allows you to control the visibility of menu items based on user roles.

1K No CVEs
User Menu Customizer for HivePress

User Menu Customizer for HivePress

user-menu-customizer-for-hivepress

A
100

Easily customize or hide the user menu for HivePress in the header navigation using the WordPress Customizer.

100 No CVEs
Hide Menu Items by Role

Hide Menu Items by Role

hide-menu-items-by-role

A
92

A simple WordPress plugin to hide menu items based on user roles.

70 No CVEs
Breadcrumb NavXT

Breadcrumb NavXT

breadcrumb-navxt

A
98

Adds breadcrumb navigation showing the visitor's path to their current location.

800K 2 CVEs
Developer Profile

Menu Ghost Developer Profile

Reza Sarailoo

1 plugin · 0 total installs

94
trust score
Avg Security Score
100/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Menu Ghost

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/menu-ghost/build/index.js/wp-content/plugins/menu-ghost/build/index.css
Version Parameters
menu-ghost/style.css?ver=menu-ghost/script.js?ver=

HTML / DOM Fingerprints

CSS Classes
mngh-menu-item-settings
Data Attributes
data-menu-ghost-navigation-iddata-menu-ghost-link-keydata-menu-ghost-settings
JS Globals
mnghMenuGhost
REST Endpoints
/menu-ghost/v1/navigation
FAQ

Frequently Asked Questions about Menu Ghost