Multisite User Role Manager Security & Risk Analysis

wordpress.org/plugins/multisite-user-role-manager

Manage user roles for each blog from a single screen on multisite (WPMU) setups

80 active installs · v1.0.7 · PHP + WP 4.0+ · Updated Nov 7, 2017
management, multisite, roles, users, wpmu
85
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Multisite User Role Manager Safe to Use in 2026?

Generally Safe

Score 85/100

Multisite User Role Manager has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 8yr ago
Risk Assessment

The "multisite-user-role-manager" plugin v1.0.7 presents a significant security risk because of its large attack surface of unprotected entry points. All seven identified AJAX handlers lack authentication checks, meaning any user, regardless of their permissions, can trigger these actions. The plugin demonstrates good practices in SQL query handling and output escaping, but the absence of capability checks on AJAX actions is a critical oversight. A single high-severity taint flow with an unsanitized path adds to the risk, suggesting potential for path traversal or unintended file access under specific conditions. The plugin's vulnerability history is clean, which is a positive indicator, but it is overshadowed by the current lack of essential security measures. The lack of nonce checks on AJAX actions is also a concern, as it leaves the handlers susceptible to Cross-Site Request Forgery (CSRF) attacks. Overall, while the plugin uses prepared statements for SQL and mostly escapes output, the unprotected AJAX handlers and the identified taint flow create a substantial security gap that needs immediate attention.

Key Concerns

  • Unprotected AJAX handlers
  • High severity taint flow with unsanitized path
  • Missing capability checks on AJAX
  • Missing nonce check on AJAX handlers
Vulnerabilities
None known

Multisite User Role Manager Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Multisite User Role Manager Release Timeline

v1.0.7 (Current)
v1.0.6
v1.0.5
v1.0.4
v1.0.3
v1.0.2
v1.0.1
v1.0.0
Code Analysis
Analyzed Mar 16, 2026

Multisite User Role Manager Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (2 prepared)
Unescaped Output: 1 (13 escaped)
Nonce Checks: 1
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared · 2 total queries

Output Escaping

93% escaped · 14 total outputs
Data Flows · Security
1 unsanitized

Data Flow Analysis

2 flows · 1 with unsanitized paths
<class-multisite-user-role-manager-admin> (admin\class-multisite-user-role-manager-admin.php:0)
Attack Surface
7 unprotected

Multisite User Role Manager Attack Surface

Entry Points: 7
Unprotected: 7

AJAX Handlers: 7

  • auth · wp_ajax_get_user_blogs · admin\class-multisite-user-role-manager-admin.php:81
  • auth · wp_ajax_reassign_user_blog_posts · admin\class-multisite-user-role-manager-admin.php:82
  • auth · wp_ajax_set_user_blog_roles · admin\class-multisite-user-role-manager-admin.php:83
  • auth · wp_ajax_remove_user_from_blog · admin\class-multisite-user-role-manager-admin.php:84
  • auth · wp_ajax_get_blogs_wo_user · admin\class-multisite-user-role-manager-admin.php:85
  • auth · wp_ajax_get_blog_roles · admin\class-multisite-user-role-manager-admin.php:86
  • auth · wp_ajax_add_user_to_blog · admin\class-multisite-user-role-manager-admin.php:87

WordPress Hooks: 13

  • action · admin_enqueue_scripts · admin\class-multisite-user-role-manager-admin.php:77
  • action · admin_enqueue_scripts · admin\class-multisite-user-role-manager-admin.php:78
  • action · show_user_profile · admin\class-multisite-user-role-manager-admin.php:90
  • action · edit_user_profile · admin\class-multisite-user-role-manager-admin.php:91
  • action · admin_footer · admin\class-multisite-user-role-manager-admin.php:94
  • action · admin_footer · admin\class-multisite-user-role-manager-admin.php:95
  • action · admin_footer · admin\class-multisite-user-role-manager-admin.php:96
  • action · admin_footer · admin\class-multisite-user-role-manager-admin.php:97
  • action · admin_footer · admin\class-multisite-user-role-manager-admin.php:98
  • action · admin_footer · admin\class-multisite-user-role-manager-admin.php:99
  • action · admin_footer · admin\class-multisite-user-role-manager-admin.php:100
  • action · plugins_loaded · includes\class-multisite-user-role-manager.php:133
  • action · admin_init · includes\class-multisite-user-role-manager.php:148
Maintenance & Trust

Multisite User Role Manager Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.8.28
Last updated: Nov 7, 2017
PHP min version
Downloads: 30K

Community Trust

Rating: 100/100
Number of ratings: 3
Active installs: 80
Developer Profile

Multisite User Role Manager Developer Profile

OzTheGreat

3 plugins · 500 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Multisite User Role Manager

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/multisite-user-role-manager/css/multisite-user-role-manager-admin.css
  • /wp-content/plugins/multisite-user-role-manager/assets/jqueryui-editable/css/jqueryui-editable.css
  • /wp-content/plugins/multisite-user-role-manager/js/multisite-user-role-manager-admin.js
  • /wp-content/plugins/multisite-user-role-manager/js/multisite-user-role-manager-admin.min.js
  • /wp-content/plugins/multisite-user-role-manager/assets/jqueryui-editable/js/jqueryui-editable.min.js
Script Paths
  • /wp-content/plugins/multisite-user-role-manager/js/multisite-user-role-manager-admin.js
  • /wp-content/plugins/multisite-user-role-manager/js/multisite-user-role-manager-admin.min.js
Version Parameters
  • multisite-user-role-manager/css/multisite-user-role-manager-admin.css?ver=
  • multisite-user-role-manager/assets/jqueryui-editable/css/jqueryui-editable.css?ver=
  • multisite-user-role-manager/js/multisite-user-role-manager-admin.js?ver=
  • multisite-user-role-manager/js/multisite-user-role-manager-admin.min.js?ver=
  • multisite-user-role-manager/assets/jqueryui-editable/js/jqueryui-editable.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpmuurm-user-roles
HTML Comments
  • <!-- Manage user roles for this blog -->
  • <!-- Add user to a blog -->
  • <!-- User roles for this blog -->
  • <!-- User role options -->
  • +2 more
Data Attributes
data-user-id, data-blog-id
JS Globals
wpmuurm
REST Endpoints
  • /wp-json/wpmuurm/v1/users/
  • /wp-json/wpmuurm/v1/blogs/
  • /wp-json/wpmuurm/v1/roles/
FAQ

Frequently Asked Questions about Multisite User Role Manager