WP-Safety

Menu Rules Security & Risk Analysis

wordpress.org/plugins/menu-rules

An extension of the menu system with context-based rules and a flexible framework to write your own.

10 active installs v1.2.2 PHP + WP 3.2+ Updated Dec 17, 2012
contextmenumenusparent-menurules
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Download
Safety Verdict

Is Menu Rules Safe to Use in 2026?

Generally Safe

Score 85/100

Menu Rules has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 13yr ago
Risk Assessment

The "menu-rules" plugin v1.2.2 exhibits a generally positive security posture with no known CVEs and all SQL queries utilizing prepared statements. The plugin also avoids file operations and external HTTP requests, which are common vectors for vulnerabilities. However, there are significant concerns within the static analysis. The presence of `create_function`, a deprecated and insecure function, is a major red flag. Furthermore, only 17% of output is properly escaped, suggesting a high risk of cross-site scripting (XSS) vulnerabilities. The lack of nonce checks across any entry points, combined with only one capability check, indicates that many actions might be susceptible to unauthorized execution if an attack vector can be identified.

Key Concerns

  • Use of deprecated and dangerous function: create_function
  • Low percentage of properly escaped output (17%)
  • No nonce checks on any entry points
  • Limited capability checks (1)
Vulnerabilities
None known

Menu Rules Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Menu Rules Code Analysis

Dangerous Functions
6
Raw SQL Queries
0
0 prepared
Unescaped Output
5
1 escaped
Nonce Checks
0
Capability Checks
1
File Operations
0
External Requests
0
Bundled Libraries
0

Dangerous Functions Found

create_functionarray_map( create_function( '$v', 'return $v->ID;' ), $nav_menu_items ),admin\meta-box-reactions.php:24
create_functionarray_map( create_function( '$v', 'return empty( $v->menu_item_parent ) ? $v->title : "-- " . $v->tiadmin\meta-box-reactions.php:25
create_functionarray_map( create_function( '$v', 'return $v->description;' ), Menu_Rules::get_var( 'rules_handlers'admin\meta-box-reactions.php:41
create_functionadd_action( 'plugins_loaded', create_function( '', 'Menu_Rules::register( "Menu_Rules_Handler_Activerules\active-parent.php:4
create_functionadd_action( 'plugins_loaded', create_function( '', 'Menu_Rules::register( "Menu_Rules_Handler_Child_rules\child-page.php:4
create_functionadd_action( 'plugins_loaded', create_function( '', 'Menu_Rules::register( "Menu_Rules_Handler_Inactirules\inactive-parent.php:4

Output Escaping

17% escaped6 total outputs
Attack Surface

Menu Rules Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 15
actionadmin_initadmin\admin.php:16
actionadmin_print_styles-post.phpadmin\admin.php:18
actionadmin_print_styles-post-new.phpadmin\admin.php:19
actionadmin_print_scripts-post.phpadmin\admin.php:21
actionadmin_print_scripts-post-new.phpadmin\admin.php:22
filterpost_updated_messagesadmin\admin.php:24
actionadmin_noticesadmin\admin.php:27
actioninitmenu-rules.php:54
actionwpmenu-rules.php:57
actionplugins_loadedrules\active-parent.php:4
filterwp_nav_menu_objectsrules\active-parent.php:17
actionplugins_loadedrules\child-page.php:4
filterwp_nav_menu_objectsrules\child-page.php:15
actionplugins_loadedrules\inactive-parent.php:4
filterwp_nav_menu_objectsrules\inactive-parent.php:17
Maintenance & Trust

Menu Rules Maintenance & Trust

Maintenance Signals

WordPress version tested3.5.2
Last updatedDec 17, 2012
PHP min version
Downloads9K

Community Trust

Rating0/100
Number of ratings0
Active installs10
Alternatives

Menu Rules Alternatives

PublishPress Capabilities – User Role Editor, Access Permissions, User Capabilities, Admin Menus

PublishPress Capabilities – User Role Editor, Access Permissions, User Capabilities, Admin Menus

capability-manager-enhanced

A
96

PublishPress Capabilities is the access control plugin. You can manage user capabilities, permissions, user roles, admin menus and more.

100K 4 CVEs
User Menus – Nav Menu Visibility

User Menus – Nav Menu Visibility

user-menus

A
92

Show/hide menu items to logged in users, logged out users or specific user roles. Display logged in user details in menu. Add a logout link to menu.

80K No CVEs
Nav Menu Roles

Nav Menu Roles

nav-menu-roles

A
100

Hide custom menu items based on user roles. PLEASE READ THE FAQ IF YOU ARE NOT SEEING THE SETTINGS.

70K No CVEs
Conditional Menus

Conditional Menus

conditional-menus

A
100

This plugin enables you to set conditional menus per posts, pages, categories, archive pages, etc.

60K 1 CVE
If Menu – Visibility control for Menus

If Menu – Visibility control for Menus

if-menu

A
91

Display tailored menu items to each visitor with visibility rules

60K 2 CVEs
Developer Profile

Menu Rules Developer Profile

Phill Brown

2 plugins · 30 total installs

84
trust score
Avg Security Score
85/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Menu Rules

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/menu-rules/admin/css/admin.css/wp-content/plugins/menu-rules/admin/js/admin.js
Script Paths
/wp-content/plugins/menu-rules/admin/js/admin.js/wp-content/plugins/menu-rules/libs/pb-framework/js/meta-box.js
Version Parameters
menu-rules/admin/css/admin.css?ver=menu-rules/admin/js/admin.js?ver=pb-framework/js/meta-box.js?ver=

HTML / DOM Fingerprints

CSS Classes
menu-rules-conditions-wrapmenu-rules-meta-box
HTML Comments
<!-- PB Framework JS Meta Box -->
Data Attributes
data-menu-rules-parent-iddata-menu-rules-child-id
JS Globals
Menu_Rules_AdminMenu_Rules_Meta_Box_ConditionsMenu_Rules_Meta_Box_Reactions
FAQ

Frequently Asked Questions about Menu Rules