Multiple Page Generator Plugin – MPG Security & Risk Analysis

wordpress.org/plugins/multiple-pages-generator-by-porthas

Create thousands of targeted landing pages in bulk, boost your search visibility, and save countless hours of manual work with MPG.🚀

2K active installs · v4.1.5 · PHP 7.2+ · WP 5.6+ · Updated Feb 26, 2026
Tags: bulk-edit, bulk-pages, generate, landing-page, mass
Score: 93 (A · Safe)
CVEs total: 11
Unpatched: 0
Last CVE: Jan 25, 2025
Safety Verdict

Is Multiple Page Generator Plugin – MPG Safe to Use in 2026?

Generally Safe

Score 93/100

Multiple Page Generator Plugin – MPG has a strong security track record. Known vulnerabilities have been patched promptly.

11 known CVEs · Last CVE: Jan 25, 2025 · Updated 1mo ago
Risk Assessment

The "multiple-pages-generator-by-porthas" plugin version 4.1.5 exhibits significant security concerns despite some positive indicators. While it boasts no "dangerous functions" and a moderate percentage of SQL queries using prepared statements, the extensive attack surface is a major red flag. With 43 out of 49 entry points lacking authentication checks, the plugin is highly susceptible to unauthorized access and execution of potentially harmful actions. The taint analysis further exacerbates these worries, revealing 4 high-severity flows with unsanitized paths, suggesting a high risk of exploitation for actions like path traversal or remote code execution, especially when combined with the lack of authorization.

The plugin's vulnerability history is also concerning, with 11 known CVEs, including 3 high-severity ones. The prevalence of common vulnerability types like SSRF, External Control of File Name or Path, and Improper Access Control, along with recent historical issues, indicates recurring weaknesses in input validation and access control mechanisms. Although there are currently no unpatched CVEs, the historical pattern suggests a propensity for developing exploitable flaws. The presence of bundled libraries like DataTables and Select2, while common, could also introduce risks if they are outdated or have known vulnerabilities.

In conclusion, the plugin's security posture is weak due to its massive unprotected attack surface and recurring historical vulnerabilities in critical areas like access control and input handling. The high-severity taint flows are a direct indicator of exploitable code. While some positive code signals exist, they are overshadowed by the significant risks posed by the lack of robust authorization and the plugin's vulnerability track record. Continuous monitoring and prompt patching of any new vulnerabilities are essential.

Key Concerns

  • Large unprotected attack surface (AJAX)
  • High severity taint flows
  • Multiple historical high severity CVEs
  • Historical SSRF and path control vulns
  • Historical improper access control vulns
  • High percentage of unsanitized paths in taint
  • SQL queries without prepared statements
  • Output escaping below 70%
  • Bundled libraries
Vulnerabilities
11

Multiple Page Generator Plugin – MPG Security Vulnerabilities

CVEs by Year

2023: 4 CVEs
2024: 6 CVEs
2025: 1 CVE

Severity Breakdown

High: 3
Medium: 6
Low: 2

11 total CVEs

CVE-2024-10705 · medium · 5.4 · Server-Side Request Forgery (SSRF)

Multiple Page Generator Plugin – MPG <= 4.0.5 - Authenticated (Editor+) Server-Side Request Forgery via fileUrl

Jan 25, 2025 Patched in 4.0.6 (1d)
CVE-2024-10672 · low · 2.7 · External Control of File Name or Path

Multiple Page Generator Plugin – MPG <= 4.0.2 - Authenticated (Editor+) Directory Traversal to Limited File Deletion

Nov 11, 2024 Patched in 4.0.3 (1d)
CVE-2024-7424 · medium · 5.4 · Improper Access Control

Multiple Page Generator Plugin – MPG <= 4.0.1 - Missing Authorization

Oct 31, 2024 Patched in 4.0.2 (1d)
CVE-2024-47325 · medium · 6.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Multiple Page Generator Plugin – MPG <= 3.4.7 - Authenticated (Contributor+) SQL Injection

Sep 25, 2024 Patched in 3.4.8 (8d)
CVE-2024-31301 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Multiple Page Generator Plugin – MPG <= 3.4.0 - Cross-Site Request Forgery

Apr 5, 2024 Patched in 3.4.1 (7d)
CVE-2024-30235 · medium · 4.3 · Missing Authorization

Multiple Page Generator Plugin – MPG <= 3.4.0 - Missing Authorization via mpg_get_log_by_project_id

Mar 26, 2024 Patched in 3.4.1 (2d)
CVE-2024-27951 · high · 7.2 · Improper Control of Generation of Code ('Code Injection')

Multiple Page Generator Plugin – MPG <= 3.4.0 - Authenticated (Editor+) Remote Code Execution

Mar 13, 2024 Patched in 3.4.1 (8d)
CVE-2023-33927 · high · 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Multiple Page Generator Plugin – MPG <= 3.3.19 - Authenticated (Administrator+) SQL Injection in projects_list and total_projects

May 23, 2023 Patched in 3.3.20 (245d)
CVE-2023-2607 · high · 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Multiple Page Generator Plugin <= 3.3.17 - Authenticated (Administrator+) SQL Injection

May 16, 2023 Patched in 3.3.18 (252d)
CVE-2023-2608 · low · 3.1 · Cross-Site Request Forgery (CSRF)

Multiple Page Generator Plugin <= 3.3.17 - Cross-Site Request Forgery to SQL Injection

May 16, 2023 Patched in 3.3.18 (252d)
CVE-2022-47143 · medium · 6.3 · Cross-Site Request Forgery (CSRF)

Multiple Page Generator Plugin <= 3.3.9 - Cross-Site Request Forgery

Feb 20, 2023 Patched in 3.3.10 (337d)
Code Analysis
Analyzed Mar 16, 2026

Multiple Page Generator Plugin – MPG Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 37 · 28 prepared
Unescaped Output: 92 · 147 escaped
Nonce Checks: 11
Capability Checks: 4
File Operations: 62
External Requests: 1
Bundled Libraries: 2

Bundled Libraries

DataTables, Select2

SQL Query Safety

43% prepared · 65 total queries

Output Escaping

62% escaped · 239 total outputs
Data Flows
10 unsanitized

Data Flow Analysis

17 flows · 10 with unsanitized paths
mpg_shortcode_ajax (controllers\CoreController.php:243)
Attack Surface
43 unprotected

Multiple Page Generator Plugin – MPG Attack Surface

Entry Points: 49
Unprotected: 43

AJAX Handlers 43

auth wp_ajax_mpg_get_permalink_structure controllers\HookController.php:119
auth wp_ajax_mpg_change_permalink_structure controllers\HookController.php:120
auth wp_ajax_mpg_ti_subscribe controllers\HookController.php:121
auth wp_ajax_mpg_deploy_dataset controllers\HookController.php:390
auth wp_ajax_mpg_get_posts_by_custom_type controllers\HookController.php:393
auth wp_ajax_mpg_upload_file controllers\HookController.php:395
auth wp_ajax_mpg_options_update controllers\HookController.php:397
auth wp_ajax_mpg_upsert_project_main controllers\HookController.php:399
auth wp_ajax_mpg_upsert_project_source_block controllers\HookController.php:400
auth wp_ajax_mpg_upsert_project_url_block controllers\HookController.php:402
auth wp_ajax_mpg_get_data_for_preview controllers\HookController.php:404
auth wp_ajax_mpg_preview_all_urls controllers\HookController.php:406
auth wp_ajax_mpg_get_all_projects controllers\HookController.php:408
auth wp_ajax_mpg_get_project controllers\HookController.php:410
auth wp_ajax_mpg_download_file_by_url controllers\HookController.php:412
auth wp_ajax_mpg_get_unique_rows_in_column controllers\HookController.php:414
auth wp_ajax_mpg_delete_project controllers\HookController.php:416
auth wp_ajax_mpg_unschedule_cron_task controllers\HookController.php:418
auth wp_ajax_mpg_shortcode controllers\HookController.php:422
nopriv wp_ajax_mpg_shortcode controllers\HookController.php:423
auth wp_ajax_mpg_generate_sitemap controllers\HookController.php:426
auth wp_ajax_mpg_check_is_sitemap_name_is_uniq controllers\HookController.php:427
auth wp_ajax_mpg_generate_spintax controllers\HookController.php:431
auth wp_ajax_mpg_flush_spintax_cache controllers\HookController.php:433
auth wp_ajax_mpg_get_log_by_project_id controllers\HookController.php:438
auth wp_ajax_mpg_clear_log_by_project_id controllers\HookController.php:440
auth wp_ajax_mpg_activation_events controllers\HookController.php:443
auth wp_ajax_mpg_set_hook_name_and_priority controllers\HookController.php:446
auth wp_ajax_mpg_get_hook_name_and_priority controllers\HookController.php:447
auth wp_ajax_mpg_delete_hook_name_and_priority controllers\HookController.php:448
auth wp_ajax_mpg_set_basepath controllers\HookController.php:452
auth wp_ajax_mpg_get_basepath controllers\HookController.php:453
auth wp_ajax_mpg_set_cache_hook_name_and_priority controllers\HookController.php:455
auth wp_ajax_mpg_get_cache_hook_name_and_priority controllers\HookController.php:456
auth wp_ajax_mpg_set_branding_position controllers\HookController.php:459
auth wp_ajax_mpg_get_branding_position controllers\HookController.php:460
auth wp_ajax_mpg_get_search_results controllers\HookController.php:465
nopriv wp_ajax_mpg_get_search_results controllers\HookController.php:466
auth wp_ajax_mpg_search_settings_upset_options controllers\HookController.php:468
auth wp_ajax_mpg_search_settings_get_options controllers\HookController.php:469
nopriv wp_ajax_mpg_search_settings_get_options controllers\HookController.php:470
auth wp_ajax_mpg_send_analytics_data controllers\HookController.php:472
auth wp_ajax_mpg_ti_toggle_license controllers\HookController.php:476

REST API Routes 1

POST /wp-json/mpg/webhook/(?P<project_id>\d+) controllers\HookController.php:485

Shortcodes 5

[mpg-if] controllers\display\conditional\Shortcode.php:20
[mpg] controllers\display\loop\Shortcode.php:11
[mpg_match] controllers\display\match\Shortcode.php:10
[mpg_spintax] controllers\HookController.php:565
[mpg_search] controllers\HookController.php:567
WordPress Hooks 107
action elementor/frontend/element/before_render controllers\CoreController.php:18
filter elementor/frontend/the_content controllers\CoreController.php:21
filter get_the_modified_date controllers\CoreController.php:34
action wp_head controllers\CoreController.php:54
filter post_thumbnail_html controllers\CoreController.php:70
filter has_post_thumbnail controllers\CoreController.php:90
action wp_head controllers\CoreController.php:112
action get_footer controllers\CoreController.php:117
action wp_footer controllers\CoreController.php:122
filter wpse_link controllers\CoreController.php:159
action enqueue_block_editor_assets controllers\display\conditional\Block.php:20
action wp_loaded controllers\display\conditional\Block.php:21
filter render_block controllers\display\conditional\Block.php:22
filter elementor/widget/render_content controllers\display\conditional\Elementor.php:21
action elementor/element/after_section_end controllers\display\conditional\Elementor.php:23
action init controllers\display\loop\Block.php:20
action enqueue_block_editor_assets controllers\display\loop\Block.php:53
filter admin_footer_text controllers\HookController.php:27
action pre_get_posts controllers\HookController.php:60
action wp controllers\HookController.php:73
filter cron_schedules controllers\HookController.php:88
filter cron_schedules controllers\HookController.php:90
action admin_head controllers\HookController.php:91
action mpg_schedule_execution controllers\HookController.php:103
action admin_enqueue_scripts controllers\HookController.php:112
action wp_enqueue_scripts controllers\HookController.php:114
action admin_action_mpg_dismiss_subscribe_notice controllers\HookController.php:122
action admin_head controllers\HookController.php:124
action plugins_loaded controllers\HookController.php:126
action template_redirect controllers\HookController.php:128
action init controllers\HookController.php:132
action elementor/widget/before_render_content controllers\HookController.php:141
filter clean_url controllers\HookController.php:142
filter template_redirect controllers\HookController.php:153
filter wpml_ls_language_url controllers\HookController.php:165
filter wpml_hreflangs controllers\HookController.php:180
action the_seo_framework_after_admin_init controllers\HookController.php:198
filter clean_url controllers\HookController.php:202
action admin_footer controllers\HookController.php:226
filter clean_url controllers\HookController.php:246
action wp_insert_site controllers\HookController.php:273
action wp_update_site controllers\HookController.php:279
action pre_get_posts controllers\HookController.php:287
action posts_results controllers\HookController.php:288
filter found_posts controllers\HookController.php:289
filter wpseo_exclude_from_sitemap_by_post_ids controllers\HookController.php:296
action enqueue_block_editor_assets controllers\HookController.php:314
action mpg_sitemap_check controllers\HookController.php:318
filter rank_math/sitemap/posts_to_exclude controllers\HookController.php:321
action rest_api_init controllers\HookController.php:473
action init controllers\HookController.php:478
action pre_handle_404 controllers\HookController.php:549
action posts_selection controllers\HookController.php:551
action posts_selection controllers\HookController.php:553
action template_redirect controllers\HookController.php:555
action admin_menu controllers\MenuController.php:18
action admin_head controllers\MenuController.php:19
action admin_notices controllers\ProjectController.php:992
action admin_enqueue_scripts helpers\Helper.php:15
action wp_loaded helpers\Themeisle.php:103
filter plugin_row_meta helpers\Themeisle.php:105
action admin_menu helpers\Themeisle.php:114
filter posts_where models\ProjectModel.php:266
filter wpseo_canonical models\SEOModel.php:9
filter wpseo_opengraph_url models\SEOModel.php:18
filter wpseo_schema_graph models\SEOModel.php:27
filter wpseo_title models\SEOModel.php:32
filter wpseo_metadesc models\SEOModel.php:37
filter wpseo_opengraph_title models\SEOModel.php:42
filter wpseo_opengraph_desc models\SEOModel.php:47
filter wpseo_twitter_title models\SEOModel.php:51
filter wpseo_twitter_description models\SEOModel.php:55
filter wpseo_opengraph_image models\SEOModel.php:60
filter wds_title models\SEOModel.php:74
filter aioseop_title models\SEOModel.php:89
filter aioseop_description_override models\SEOModel.php:93
filter aioseo_title models\SEOModel.php:99
filter aioseo_description models\SEOModel.php:103
filter aioseop_canonical_url models\SEOModel.php:107
filter aioseo_facebook_tags models\SEOModel.php:115
filter aioseo_twitter_tags models\SEOModel.php:123
filter rank_math/frontend/title models\SEOModel.php:135
filter rank_math/frontend/description models\SEOModel.php:147
filter rank_math/frontend/robots models\SEOModel.php:168
filter seopress_titles_title models\SEOModel.php:183
filter seopress_titles_desc models\SEOModel.php:187
filter sq_title models\SEOModel.php:194
filter sq_description models\SEOModel.php:206
filter sq_open_graph models\SEOModel.php:218
filter sq_twitter_card models\SEOModel.php:227
filter sq_json_ld models\SEOModel.php:236
filter the_seo_framework_title_from_custom_field models\SEOModel.php:275
filter the_seo_framework_custom_field_description models\SEOModel.php:286
filter the_seo_framework_image_details models\SEOModel.php:297
action admin_init porthas-multi-pages-generator.php:45
action admin_notices porthas-multi-pages-generator.php:50
filter themeisle_sdk_products porthas-multi-pages-generator.php:89
filter themeisle_sdk_hide_dashboard_widget porthas-multi-pages-generator.php:94
filter multiple_pages_generator_by_porthas_about_us_metadata porthas-multi-pages-generator.php:95
filter multiple_pages_generator_by_porthas_welcome_metadata porthas-multi-pages-generator.php:105
filter multiple_pages_generator_by_porthas_welcome_upsell_message porthas-multi-pages-generator.php:117
filter themeisle_sdk_blackfriday_data porthas-multi-pages-generator.php:141
filter set-screen-option porthas-multi-pages-generator.php:190
filter themeisle_sdk_enable_telemetry porthas-multi-pages-generator.php:206
action themeisle_log_event porthas-multi-pages-generator.php:212
action admin_head views\dataset-library\index.php:12
action admin_head views\search\index.php:7

Scheduled Events 2

mpg_sitemap_check
mpg_schedule_execution
Maintenance & Trust

Multiple Page Generator Plugin – MPG Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 26, 2026
PHP min version: 7.2
Downloads: 130K

Community Trust

Rating: 78/100
Number of ratings: 27
Active installs: 2K
Developer Profile

Multiple Page Generator Plugin – MPG Developer Profile

Themeisle

37 plugins · 2.2M total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 420 days
Detection Fingerprints

How We Detect Multiple Page Generator Plugin – MPG

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/multiple-pages-generator-by-porthas/frontend/css/style.css
/wp-content/plugins/multiple-pages-generator-by-porthas/frontend/js/mpg-frontend-script.js
/wp-content/plugins/multiple-pages-generator-by-porthas/frontend/js/mpg-frontend-script.js?ver=
/wp-content/plugins/multiple-pages-generator-by-porthas/assets/css/backend.css
/wp-content/plugins/multiple-pages-generator-by-porthas/assets/js/backend.js
/wp-content/plugins/multiple-pages-generator-by-porthas/assets/js/backend.js?ver=
/wp-content/plugins/multiple-pages-generator-by-porthas/assets/js/mpg-modal.js
/wp-content/plugins/multiple-pages-generator-by-porthas/assets/js/mpg-modal.js?ver=
+3 more

Script Paths
/wp-content/plugins/multiple-pages-generator-by-porthas/frontend/js/mpg-frontend-script.js
/wp-content/plugins/multiple-pages-generator-by-porthas/assets/js/backend.js
/wp-content/plugins/multiple-pages-generator-by-porthas/assets/js/mpg-modal.js
/wp-content/plugins/multiple-pages-generator-by-porthas/assets/js/themeisle-sdk.js

Version Parameters
multiple-pages-generator-by-porthas/frontend/js/mpg-frontend-script.js?ver=
multiple-pages-generator-by-porthas/assets/js/backend.js?ver=
multiple-pages-generator-by-porthas/assets/js/mpg-modal.js?ver=
multiple-pages-generator-by-porthas/assets/js/themeisle-sdk.js?ver=

HTML / DOM Fingerprints

CSS Classes
mpg-backend-form-wrapper, mpg-backend-input, mpg-backend-select, mpg-backend-button, mpg-backend-label, mpg-add-new-pages, mpg-select-template, mpg-add-new-pages-button, +23 more

HTML Comments
<!-- Admin notice to deactivate free plugin -->
<!-- Your plugin's main file logic -->
<!-- Запуск базового функционала подмены данных -->
<!-- Запуск всяких actions, hooks, filters -->
+11 more

Data Attributes
data-mpg-modal-id, data-mpg-modal-close, data-mpg-modal-target, data-mpg-nonce

JS Globals
mpg_app, tsdk_translate_link, tsdk_utmify, wpautop, md5
FAQ

Frequently Asked Questions about Multiple Page Generator Plugin – MPG