NavThemes Employee Ratings Security & Risk Analysis

wordpress.org/plugins/navthemes-employee-ratings

Rating criteria: Professionalism; Efficiency and technical knowledge; Helping your teammates; Proactiveness; Leaves. By timesheet your employees can keep track of time.

0 active installs · v1.1.1 · PHP 5.2.4+ · WP 3.0.1+ · Updated Mar 18, 2019
Tags: comments, employee, employees, performace, ratings

Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is NavThemes Employee Ratings Safe to Use in 2026?

Generally Safe

Score 85/100

NavThemes Employee Ratings has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 7yr ago
Risk Assessment

The 'navthemes-employee-ratings' plugin v1.1.1 presents a concerning security posture due to a large number of unprotected entry points. While the plugin utilizes prepared statements for SQL queries and has a clean vulnerability history, the presence of 20 unprotected AJAX handlers is a significant risk. These handlers could be exploited by unauthenticated users to perform unintended actions, potentially leading to data manipulation or unauthorized access if the plugin's functionality allows for it.

The static analysis reveals several areas of concern beyond the unprotected AJAX handlers. The use of the 'unserialize' function without proper input validation is a critical vulnerability vector, as it can lead to remote code execution if an attacker can control the serialized data. Furthermore, only 38% of output is properly escaped, indicating a high risk of Cross-Site Scripting (XSS) vulnerabilities. While the taint analysis did not reveal critical or high severity flaws, the presence of 5 flows with unsanitized paths suggests potential vulnerabilities that may not have been fully captured by the current analysis, or could be chained with other weaknesses.

Despite the absence of known CVEs, the numerous unprotected entry points and the potential for XSS and unserialize vulnerabilities mean this plugin should be treated with caution. The plugin demonstrates some good practices, such as using prepared statements, but these are outweighed by the significant risks introduced by its insecure handling of user input and entry points. A thorough review of the unprotected AJAX handlers and the implementation of input validation and output escaping for all user-controlled data is strongly recommended.

Key Concerns

  • 20 unprotected AJAX handlers
  • Use of unserialize function
  • 38% of output properly escaped
  • 5 flows with unsanitized paths
  • Bundled outdated library (Select2 v3.5.2)

Vulnerabilities
None known

NavThemes Employee Ratings Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis
Analyzed Mar 17, 2026

NavThemes Employee Ratings Code Analysis

  • Dangerous Functions: 1
  • Raw SQL Queries: 0 (18 prepared)
  • Unescaped Output: 176 (110 escaped)
  • Nonce Checks: 5
  • Capability Checks: 6
  • File Operations: 7
  • External Requests: 3
  • Bundled Libraries: 1

Dangerous Functions Found

  • unserialize: $obj = @unserialize( $raw_body ); at admin\includes\early-access.php:102. The leading @ suppresses PHP's notices, so malformed or unexpected serialized input fails silently instead of showing up in error logs.

Bundled Libraries

  • Select2 3.5.2

SQL Query Safety

100% prepared (18 total queries)

Output Escaping

38% escaped (286 total outputs)

Data Flows
5 unsanitized

Data Flow Analysis

7 flows, 5 with unsanitized paths

  • submit (admin\includes\admin\tools\class-acf-admin-tool-import.php:95)

Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized

Attack Surface
20 unprotected

NavThemes Employee Ratings Attack Surface

Entry Points: 24
Unprotected: 20

AJAX Handlers (22)

  • auth · wp_ajax_acf/field_group/render_field_settings (admin\includes\admin\admin-field-group.php:39)
  • auth · wp_ajax_acf/field_group/render_location_rule (admin\includes\admin\admin-field-group.php:40)
  • auth · wp_ajax_acf/field_group/move_field (admin\includes\admin\admin-field-group.php:41)
  • auth · wp_ajax_acf/fields/oembed/search (admin\includes\fields\class-acf-field-oembed.php:36)
  • nopriv · wp_ajax_acf/fields/oembed/search (admin\includes\fields\class-acf-field-oembed.php:37)
  • auth · wp_ajax_acf/fields/page_link/query (admin\includes\fields\class-acf-field-page_link.php:37)
  • nopriv · wp_ajax_acf/fields/page_link/query (admin\includes\fields\class-acf-field-page_link.php:38)
  • auth · wp_ajax_acf/fields/post_object/query (admin\includes\fields\class-acf-field-post_object.php:38)
  • nopriv · wp_ajax_acf/fields/post_object/query (admin\includes\fields\class-acf-field-post_object.php:39)
  • auth · wp_ajax_acf/fields/relationship/query (admin\includes\fields\class-acf-field-relationship.php:38)
  • nopriv · wp_ajax_acf/fields/relationship/query (admin\includes\fields\class-acf-field-relationship.php:39)
  • auth · wp_ajax_acf/fields/select/query (admin\includes\fields\class-acf-field-select.php:40)
  • nopriv · wp_ajax_acf/fields/select/query (admin\includes\fields\class-acf-field-select.php:41)
  • auth · wp_ajax_acf/fields/taxonomy/query (admin\includes\fields\class-acf-field-taxonomy.php:44)
  • nopriv · wp_ajax_acf/fields/taxonomy/query (admin\includes\fields\class-acf-field-taxonomy.php:45)
  • auth · wp_ajax_acf/fields/taxonomy/add_term (admin\includes\fields\class-acf-field-taxonomy.php:46)
  • auth · wp_ajax_acf/fields/user/query (admin\includes\fields\class-acf-field-user.php:36)
  • nopriv · wp_ajax_acf/fields/user/query (admin\includes\fields\class-acf-field-user.php:37)
  • auth · wp_ajax_query-attachments (admin\includes\media.php:35)
  • auth · wp_ajax_acf/validate_save_post (admin\includes\validation.php:30)
  • nopriv · wp_ajax_acf/validate_save_post (admin\includes\validation.php:31)
  • auth · wp_ajax_my_action (navthemes-employee-ratings.php:215)

Eight of these handlers are registered as nopriv, which WordPress runs for requests from logged-out visitors. Judging by the acf/ action names and the class-acf-* file paths, every handler except wp_ajax_my_action (navthemes-employee-ratings.php:215) belongs to the Advanced Custom Fields (ACF) code bundled under admin\includes, so a review of the unprotected entry points has to cover that bundled copy and not just the plugin's own file.

Shortcodes (2)

  • [acf] (admin\includes\api\api-template.php:885)
  • [nt_timesheet] (navthemes-employee-ratings.php:192)

WordPress Hooks (193)

Maintenance & Trust

NavThemes Employee Ratings Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 4.9.29
  • Last updated: Mar 18, 2019
  • PHP min version: 5.2.4
  • Downloads: 1K

Community Trust

  • Rating: 0/100
  • Number of ratings: 0
  • Active installs: 0

Developer Profile

NavThemes Employee Ratings Developer Profile

NavThemes

7 plugins · 30 total installs

  • Trust score: 84
  • Avg Security Score: 85/100
  • Avg Patch Time: 30 days

Detection Fingerprints

How We Detect NavThemes Employee Ratings

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/navthemes-employee-ratings/assets/style.css
  • /wp-content/plugins/navthemes-employee-ratings/assets/timesheetstyle.css

Version Parameters
  • navthemes-employee-ratings/assets/style.css?ver=
  • navthemes-employee-ratings/assets/timesheetstyle.css?ver=

HTML / DOM Fingerprints

CSS Classes
  • nt_rating_maincontainer

HTML Comments
  • Enqueue Admin Styles And Scripts
  • Enqueue Timesheet FrontEnd Styles
  • Register Employee Rating Custom Post Type
  • Task update from front end
  • +2 more

Data Attributes
  • data-field_id="field_5c0540d6f0868"
  • data-field_id="field_5c0540e7f0869"
  • data-field_id="field_5c0540f6f086a"
  • data-field_id="field_5c29a4774085b"

JS Globals
  • ajaxurl

Shortcode Output
  • [nt_timesheet]

FAQ

Frequently Asked Questions about NavThemes Employee Ratings