Nonprofit Manager Security & Risk Analysis

wordpress.org/plugins/nonprofit-manager

Comprehensive nonprofit management solution for memberships, donations, newsletters, and events.

0 active installs · v1.1.3 · PHP 7.4+ · WP 6.0+ · Updated Nov 22, 2025
Tags: donations, email, events, membership, nonprofit
Score: 100 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Nonprofit Manager Safe to Use in 2026?

Generally Safe

Score 100/100

Nonprofit Manager has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 4mo ago
Risk Assessment

The nonprofit-manager plugin exhibits a generally good security posture, with a notable lack of known historical vulnerabilities and a strong implementation of nonces and capability checks. The static analysis reveals a moderate attack surface, with a few potential concerns. Specifically, two AJAX handlers are identified as lacking authentication checks, which presents a direct risk of unauthorized execution of functions. While the taint analysis did not identify critical or high-severity issues, the presence of flows with unsanitized paths, though not explicitly categorized as vulnerabilities in the provided data, warrants attention as a potential precursor to more serious issues if user input is not handled with utmost care.

The plugin's vulnerability history is a significant strength, indicating a proactive approach to security or a lack of exploitable flaws to date. However, the presence of unprotected AJAX endpoints, even without a documented exploit history, represents a tangible weakness. The static analysis also shows a reasonably high percentage of properly escaped output, which is positive, but the remaining percentage could still lead to XSS vulnerabilities. Overall, while the plugin is not riddled with critical flaws, the unprotected AJAX handlers are the most immediate concern requiring mitigation.

Key Concerns

  • Unprotected AJAX handlers
  • Flows with unsanitized paths
  • Output not fully escaped
Vulnerabilities
None known

Nonprofit Manager Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

Nonprofit Manager Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 2 (6 prepared)
Unescaped Output: 249 (857 escaped)
Nonce Checks: 49
Capability Checks: 19
File Operations: 0
External Requests: 4
Bundled Libraries: 0

SQL Query Safety

75% prepared · 8 total queries

Output Escaping

77% escaped · 1106 total outputs
Data Flows
7 unsanitized

Data Flow Analysis

25 flows · 7 with unsanitized paths
npmp_render_newsletter_archive (includes\email-newsletter\editor.php:86)
Attack Surface
2 unprotected

Nonprofit Manager Attack Surface

Entry Points: 17
Unprotected: 2

AJAX Handlers 8

auth wp_ajax_npmp_send_test_newsletter includes\email-newsletter\editor.php:349
auth wp_ajax_npmp_send_newsletter_now includes\email-newsletter\editor.php:385
auth wp_ajax_npmp_log_donation includes\payments\npmp-payment-gateways.php:687
nopriv wp_ajax_npmp_log_donation includes\payments\npmp-payment-gateways.php:688
auth wp_ajax_npmp_create_stripe_session includes\payments\npmp-payment-gateways.php:757
nopriv wp_ajax_npmp_create_stripe_session includes\payments\npmp-payment-gateways.php:758
auth wp_ajax_npmp_log_paypal_donation includes\payments\npmp-paypal.php:108
nopriv wp_ajax_npmp_log_paypal_donation includes\payments\npmp-paypal.php:109

Shortcodes 9

[npmp_can_spam] includes\email-newsletter\can-spam-shortcode.php:27
[npmp_nl_template] includes\email-newsletter\templates.php:283
[email_content] includes\email-newsletter\templates.php:296
[npmp_events] includes\npmp-calendar.php:890
[npmp_calendar] includes\npmp-calendar.php:891
[npmp_email_signup] includes\npmp-membership-forms.php:407
[npmp_email_unsubscribe] includes\npmp-membership-forms.php:426
[npmp_donation_form] includes\npmp-payments-settings.php:716
[npmp_donation_form] includes\payments\npmp-paypal.php:103
WordPress Hooks 58
action plugins_loaded includes\activation-hooks.php:138
action update_option_npmp_enabled_features includes\activation-hooks.php:413
action npmp_process_queued_newsletters includes\activation-hooks.php:422
action plugins_loaded includes\activation-hooks.php:425
filter cron_schedules includes\activation-hooks.php:440
action phpmailer_init includes\email\smtp.php:83
filter wp_mail_from includes\email\smtp.php:101
filter wp_mail_from_name includes\email\smtp.php:119
action wp_mail_failed includes\email\smtp.php:143
action wp_mail_succeeded includes\email\smtp.php:164
action admin_notices includes\email\smtp.php:196
action template_redirect includes\email-newsletter\class-newsletter-tracker.php:30
action init includes\email-newsletter\editor.php:7
action init includes\email-newsletter\editor.php:26
action add_meta_boxes includes\email-newsletter\editor.php:239
action save_post_npmp_newsletter includes\email-newsletter\editor.php:498
filter post_row_actions includes\email-newsletter\editor.php:526
action admin_action_npmp_duplicate_newsletter includes\email-newsletter\editor.php:587
action admin_init includes\email-newsletter\settings.php:34
action init includes\email-newsletter\templates.php:7
action add_meta_boxes includes\email-newsletter\templates.php:34
action save_post_npmp_nl_template includes\email-newsletter\templates.php:97
action add_meta_boxes includes\email-newsletter\templates.php:306
action save_post_npmp_newsletter includes\email-newsletter\templates.php:381
action admin_head includes\npmp-admin-helpers.php:214
action admin_init includes\npmp-admin-settings.php:12
action init includes\npmp-blocks.php:6
action init includes\npmp-calendar.php:19
action admin_menu includes\npmp-calendar.php:71
action add_meta_boxes_npmp_event includes\npmp-calendar.php:361
action save_post_npmp_event includes\npmp-calendar.php:477
filter the_content includes\npmp-calendar.php:929
action init includes\npmp-calendar.php:990
filter parent_file includes\npmp-calendar.php:1195
filter submenu_file includes\npmp-calendar.php:1221
filter the_content includes\npmp-calendar.php:1245
action plugins_loaded includes\npmp-content-types.php:137
action init includes\npmp-content-types.php:139
action wp_dashboard_setup includes\npmp-dashboard-widgets.php:70
filter parent_file includes\npmp-email-newsletter.php:36
filter submenu_file includes\npmp-email-newsletter.php:37
action admin_enqueue_scripts includes\npmp-email-newsletter.php:76
action wp_mail_failed includes\npmp-email-settings.php:282
action admin_init includes\npmp-general-settings.php:12
action init includes\npmp-members-settings.php:50
action plugins_loaded includes\npmp-members-settings.php:151
filter the_content includes\npmp-membership-forms.php:431
action admin_post_nopriv_npmp_handle_form includes\npmp-membership-forms.php:453
action admin_post_npmp_handle_form includes\npmp-membership-forms.php:454
filter the_content includes\npmp-payments-settings.php:751
action wp_enqueue_scripts includes\npmp-scripts.php:91
action admin_enqueue_scripts includes\npmp-scripts.php:193
action admin_init includes\npmp-setup-wizard.php:24
action admin_menu includes\npmp-setup-wizard.php:43
action admin_init includes\npmp-setup-wizard.php:60
filter admin_footer_text includes\npmp-version.php:156
action npmp_render_paypal_settings_section includes\payments\npmp-paypal.php:135
action admin_menu nonprofit-manager.php:94

Scheduled Events 1

npmp_process_queued_newsletters
Maintenance & Trust

Nonprofit Manager Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Nov 22, 2025
PHP min version: 7.4
Downloads: 202

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 0
Developer Profile

Nonprofit Manager Developer Profile

Eric Rosenberg

2 plugins · 10 total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Nonprofit Manager

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/nonprofit-manager/js/npmp-settings.js
  • /wp-content/plugins/nonprofit-manager/js/npmp-dashboard.js
  • /wp-content/plugins/nonprofit-manager/js/npmp-forms.js
  • /wp-content/plugins/nonprofit-manager/js/npmp-members.js
  • /wp-content/plugins/nonprofit-manager/js/npmp-calendar.js
  • /wp-content/plugins/nonprofit-manager/css/npmp-admin.css
  • /wp-content/plugins/nonprofit-manager/css/npmp-dashboard.css
  • /wp-content/plugins/nonprofit-manager/css/npmp-calendar.css
Script Paths
  • /wp-content/plugins/nonprofit-manager/js/npmp-settings.js
  • /wp-content/plugins/nonprofit-manager/js/npmp-dashboard.js
  • /wp-content/plugins/nonprofit-manager/js/npmp-forms.js
  • /wp-content/plugins/nonprofit-manager/js/npmp-members.js
  • /wp-content/plugins/nonprofit-manager/js/npmp-calendar.js
Version Parameters
  • nonprofit-manager/js/npmp-settings.js?ver=
  • nonprofit-manager/js/npmp-dashboard.js?ver=
  • nonprofit-manager/js/npmp-forms.js?ver=
  • nonprofit-manager/js/npmp-members.js?ver=
  • nonprofit-manager/js/npmp-calendar.js?ver=
  • nonprofit-manager/css/npmp-admin.css?ver=
  • nonprofit-manager/css/npmp-dashboard.css?ver=
  • nonprofit-manager/css/npmp-calendar.css?ver=

HTML / DOM Fingerprints

CSS Classes
  • npmp-settings-section
  • npmp-dashboard-widget
  • npmp-form-field
  • npmp-member-row
  • npmp-calendar-event
HTML Comments
  • <!-- Main hub -->
  • <!-- General Settings - Always available -->
  • <!-- Membership -->
  • <!-- Newsletters -->
  • +4 more
Data Attributes
  • data-npmp-feature
  • data-npmp-id
  • data-npmp-type
JS Globals
  • npmp_settings_data
  • npmp_dashboard_data
  • npmp_members_data
  • npmp_calendar_data
REST Endpoints
  • /wp-json/nonprofit-manager/v1/settings
  • /wp-json/nonprofit-manager/v1/members
  • /wp-json/nonprofit-manager/v1/donations
Shortcode Output
  • [nonprofit_manager_membership_form]
  • [nonprofit_manager_donation_form]
  • [nonprofit_manager_event_calendar]