Oasis Workflow Security & Risk Analysis

wordpress.org/plugins/oasis-workflow

Automate your WordPress Editorial Workflow with Oasis Workflow. Simple, intuitive drag and drop workflow builder to streamline your editorial process.

700 active installs v6.5.4 PHP + WP 4.4+ Updated Jan 11, 2026
Tags: assignment, publish, review, work-flow, workflow
Score: 100
Grade: A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Oasis Workflow Safe to Use in 2026?

Generally Safe

Score 100/100

Oasis Workflow has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 2mo ago
Risk Assessment

Version 6.5.4 of the oasis-workflow plugin shows a generally good security posture, with a large number of capability checks and a high percentage of prepared SQL statements and properly escaped outputs. The absence of known CVEs and of common vulnerability types in its history suggests security diligence. However, the static analysis reveals some concerning areas. Specifically, 3 AJAX handlers and 1 REST API route lack proper authentication or permission checks, which creates a significant attack surface that could be exploited by unauthenticated users. Additionally, 24 flows with unsanitized paths were detected, including 15 of high severity, which indicates potential for serious security vulnerabilities, even if not currently classified as critical. The use of the `unserialize` function, a known risky operation, further warrants caution, especially if user-supplied data is passed to it without robust sanitization.

While the plugin has a clean vulnerability history, this does not negate the risks identified in the static analysis. The high number of unsanitized flows and unprotected entry points are immediate concerns that should be addressed. The bundled Select2 v3.5.1 library is also outdated and could contain known vulnerabilities, adding another layer of risk. In conclusion, oasis-workflow has strong foundational security practices, but the identified vulnerabilities in its attack surface and taint analysis necessitate immediate attention to mitigate potential exploitation.

Key Concerns

  • AJAX handlers without auth checks
  • REST API routes without permission callbacks
  • High severity taint flows with unsanitized paths
  • Dangerous function unserialize
  • Bundled outdated library Select2 v3.5.1
Vulnerabilities
None known

Oasis Workflow Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Oasis Workflow Code Analysis

Dangerous Functions: 4
Raw SQL Queries: 52 (140 prepared)
Unescaped Output: 124 (864 escaped)
Nonce Checks: 60
Capability Checks: 104
File Operations: 2
External Requests: 1
Bundled Libraries: 1

Dangerous Functions Found

  • unserialize · includes\class-ow-process-flow.php:3170
    $additional_info = @unserialize($workflow->wf_additional_info); // phpcs:ignore
  • unserialize · includes\class-ow-workflow-service.php:1378
    $additional_info = @unserialize( $workflow->wf_additional_info ); // phpcs:ignore
  • unserialize · includes\pages\subpages\submit-workflow.php:53
    $additional_info = unserialize( $workflow->wf_additional_info );
  • unserialize · includes\pages\workflow-create.php:21
    $additional_info = @unserialize( $workflow->wf_additional_info ); // phpcs:ignore

Bundled Libraries

Select2 3.5.1

SQL Query Safety

73% prepared · 192 total queries

Output Escaping

87% escaped · 988 total outputs
Data Flows
24 unsanitized

Data Flow Analysis

25 flows · 24 with unsanitized paths
get_table_header (includes\class-ow-history-service.php:706)
Flow graph legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized
Attack Surface
4 unprotected

Oasis Workflow Attack Surface

Entry Points: 50
Unprotected: 4

AJAX Handlers 34

auth · wp_ajax_get_all_custom_statuses · includes\class-ow-custom-statuses.php:37
auth · wp_ajax_submit_deactivation_feedback · includes\class-ow-deactivate-feedback.php:24
auth · wp_ajax_purge_workflow_history · includes\class-ow-history-service.php:30
auth · wp_ajax_get_edit_inline_html · includes\class-ow-inbox-service.php:29
auth · wp_ajax_get_step_signoff_page · includes\class-ow-inbox-service.php:30
auth · wp_ajax_get_reassign_page · includes\class-ow-inbox-service.php:31
auth · wp_ajax_get_step_comment_page · includes\class-ow-inbox-service.php:32
auth · wp_ajax_get_submit_step_details · includes\class-ow-process-flow.php:30
auth · wp_ajax_validate_submit_to_workflow · includes\class-ow-process-flow.php:31
auth · wp_ajax_execute_sign_off_decision · includes\class-ow-process-flow.php:33
auth · wp_ajax_get_sign_off_step_details · includes\class-ow-process-flow.php:34
auth · wp_ajax_submit_post_to_step · includes\class-ow-process-flow.php:35
auth · wp_ajax_check_for_claim_ajax · includes\class-ow-process-flow.php:37
auth · wp_ajax_claim_process · includes\class-ow-process-flow.php:38
auth · wp_ajax_reassign_process · includes\class-ow-process-flow.php:39
auth · wp_ajax_workflow_complete · includes\class-ow-process-flow.php:41
auth · wp_ajax_workflow_cancel · includes\class-ow-process-flow.php:42
auth · wp_ajax_workflow_abort_comments · includes\class-ow-process-flow.php:44
auth · wp_ajax_workflow_abort · includes\class-ow-process-flow.php:45
auth · wp_ajax_multi_workflow_abort · includes\class-ow-process-flow.php:46
auth · wp_ajax_get_post_publish_date_edit_format · includes\class-ow-process-flow.php:47
auth · wp_ajax_oasiswf_delete_post · includes\class-ow-process-flow.php:49
auth · wp_ajax_check_applicable_roles · includes\class-ow-process-flow.php:59
auth · wp_ajax_hide_rating · includes\class-ow-review-rating.php:30
auth · wp_ajax_set_rating_interval · includes\class-ow-review-rating.php:31
auth · wp_ajax_create_new_workflow · includes\class-ow-workflow-service.php:28
auth · wp_ajax_validate_workflow_name · includes\class-ow-workflow-service.php:29
auth · wp_ajax_save_workflow_step · includes\class-ow-workflow-service.php:31
auth · wp_ajax_load_step_info · includes\class-ow-workflow-service.php:32
auth · wp_ajax_copy_step · includes\class-ow-workflow-service.php:33
auth · wp_ajax_get_first_step · includes\class-ow-workflow-service.php:34
auth · wp_ajax_delete_workflow_confirmation · includes\class-ow-workflow-service.php:36
auth · wp_ajax_delete_workflow · includes\class-ow-workflow-service.php:37
auth · wp_ajax_validate_workflow · includes\class-ow-workflow-validator.php:32

REST API Routes 16

GET · /wp-json/oasis-workflow/v1/settings/ · includes\api\api-settings.php:8
GET · /wp-json/oasis-workflow/v1/usercap/ · includes\api\api-usercap.php:8
GET · /wp-json/oasis-workflow/v1/priorities/ · includes\api\api-utility.php:7
GET · /wp-json/oasis-workflow/v1/workflows/postId=(?P<post_id>\d+) · includes\api\api-workflow.php:8
GET · /wp-json/oasis-workflow/v1/workflows/submit/firstStep/workflowId=(?P<wf_id>\d+)/postId=(?P<post_id>\d+) · includes\api\api-workflow.php:17
GET · /wp-json/oasis-workflow/v1/workflows/submit/checkRoleCapability/postId=(?P<post_id>\d+)/postType=(?P<post_type>[a-zA-Z0-9-_]+) · includes\api\api-workflow.php:26
POST · /wp-json/oasis-workflow/v1/workflows/submit/ · includes\api\api-workflow.php:35
POST · /wp-json/oasis-workflow/v1/workflows/abort/ · includes\api\api-workflow.php:44
GET · /wp-json/oasis-workflow/v1/workflows/signoff/stepActions/actionHistoryId=(?P<action_history_id>\d+) · includes\api\api-workflow.php:53
GET · /wp-json/oasis-workflow/v1/workflows/signoff/nextSteps/actionHistoryId=(?P<action_history_id>\d+)/decision=(?P<decision>[a-zA-Z0-9-]+)/postId=(?P<post_id>\d+) · includes\api\api-workflow.php:62
GET · /wp-json/oasis-workflow/v1/workflows/signoff/stepDetails/actionHistoryId=(?P<action_history_id>\d+)/stepId=(?P<step_id>\d+)/postId=(?P<post_id>\d+) · includes\api\api-workflow.php:71
POST · /wp-json/oasis-workflow/v1/workflows/signoff/ · includes\api\api-workflow.php:80
POST · /wp-json/oasis-workflow/v1/workflows/signoff/workflowComplete/ · includes\api\api-workflow.php:89
POST · /wp-json/oasis-workflow/v1/workflows/signoff/workflowCancel/ · includes\api\api-workflow.php:98
GET · /wp-json/oasis-workflow/v1/workflows/claim/actionHistoryId=(?P<action_history_id>\d+) · includes\api\api-workflow.php:107
POST · /wp-json/oasis-workflow/v1/workflows/claim/ · includes\api\api-workflow.php:116
WordPress Hooks 58

action · rest_api_init · includes\api\api-settings.php:3
action · rest_api_init · includes\api\api-usercap.php:3
action · rest_api_init · includes\api\api-utility.php:3
action · rest_api_init · includes\api\api-workflow.php:3
action · init · includes\class-ow-custom-statuses.php:27
action · init · includes\class-ow-custom-statuses.php:28
action · admin_init · includes\class-ow-custom-statuses.php:31
action · admin_init · includes\class-ow-custom-statuses.php:32
action · admin_init · includes\class-ow-custom-statuses.php:33
filter · display_post_states · includes\class-ow-custom-statuses.php:35
action · admin_notices · includes\class-ow-custom-statuses.php:111
action · admin_notices · includes\class-ow-custom-statuses.php:123
action · admin_notices · includes\class-ow-custom-statuses.php:202
action · admin_footer · includes\class-ow-deactivate-feedback.php:25
action · admin_init · includes\class-ow-email-settings.php:52
action · transition_post_status · includes\class-ow-email.php:32
action · oasiswf_email_schedule · includes\class-ow-email.php:35
action · owf_submit_to_workflow · includes\class-ow-email.php:613
action · owf_workflow_abort · includes\class-ow-email.php:616
action · admin_init · includes\class-ow-history-service.php:31
action · wp_trash_post · includes\class-ow-process-flow.php:50
action · deleted_user · includes\class-ow-process-flow.php:55
action · redirect_post_location · includes\class-ow-process-flow.php:57
action · admin_footer · includes\class-ow-process-flow.php:4609
filter · redirect_post_location · includes\class-ow-process-flow.php:4610
filter · get_edit_post_link · includes\class-ow-process-flow.php:4611
action · save_post · includes\class-ow-process-flow.php:4614
action · owf_workflow_complete · includes\class-ow-review-rating.php:34
action · admin_init · includes\class-ow-review-rating.php:37
action · admin_notices · includes\class-ow-review-rating.php:93
action · admin_notices · includes\class-ow-review-rating.php:98
action · admin_notices · includes\class-ow-review-rating.php:103
action · admin_menu · includes\class-ow-settings-base.php:47
action · admin_notices · includes\class-ow-tools-service.php:82
action · admin_notices · includes\class-ow-tools-service.php:103
action · admin_notices · includes\class-ow-tools-service.php:355
action · admin_notices · includes\class-ow-tools-service.php:365
action · admin_notices · includes\class-ow-tools-service.php:373
action · admin_notices · includes\class-ow-tools-service.php:386
action · admin_init · includes\class-ow-tools-service.php:645
action · admin_init · includes\class-ow-workflow-settings.php:59
action · admin_init · includes\class-ow-workflow-terminology-settings.php:45
action · init · oasiswf.php:83
action · init · oasiswf.php:86
action · init · oasiswf.php:89
action · admin_menu · oasiswf.php:91
action · wpmu_new_blog · oasiswf.php:93
action · delete_blog · oasiswf.php:94
action · admin_enqueue_scripts · oasiswf.php:95
action · admin_init · oasiswf.php:96
action · admin_init · oasiswf.php:99
action · wp_dashboard_setup · oasiswf.php:102
action · admin_enqueue_scripts · oasiswf.php:103
action · enqueue_block_assets · oasiswf.php:108
action · admin_print_styles · oasiswf.php:1211
action · admin_print_scripts · oasiswf.php:1212
action · admin_footer · oasiswf.php:1213
action · admin_print_footer_scripts · oasiswf.php:1321

Scheduled Events 1

oasiswf_email_schedule
Maintenance & Trust

Oasis Workflow Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 11, 2026
PHP min version
Downloads: 103K

Community Trust

Rating: 96/100
Number of ratings: 51
Active installs: 700
Developer Profile

Oasis Workflow Developer Profile

nuggetsol

1 plugin · 700 total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Oasis Workflow

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/oasis-workflow/assets/css/dashboard.css
  • /wp-content/plugins/oasis-workflow/assets/css/owf-admin-styles.css
  • /wp-content/plugins/oasis-workflow/assets/css/post-workflow-transition.css
  • /wp-content/plugins/oasis-workflow/assets/css/screen.css
  • /wp-content/plugins/oasis-workflow/assets/css/settings.css
  • /wp-content/plugins/oasis-workflow/assets/js/ace-builds/src-min/ace.js
  • /wp-content/plugins/oasis-workflow/assets/js/backend-script.js
  • /wp-content/plugins/oasis-workflow/assets/js/bootstrap-datepicker.js
  • +16 more
Script Paths
  • /wp-content/plugins/oasis-workflow/assets/js/ace-builds/src-min/ace.js
  • /wp-content/plugins/oasis-workflow/assets/js/backend-script.js
  • /wp-content/plugins/oasis-workflow/assets/js/bootstrap-datepicker.js
  • /wp-content/plugins/oasis-workflow/assets/js/bootstrap-timepicker.js
  • /wp-content/plugins/oasis-workflow/assets/js/chart.js
  • /wp-content/plugins/oasis-workflow/assets/js/jquery.colorbox-min.js
  • +13 more
Version Parameters
  • oasis-workflow/assets/css/dashboard.css?ver=
  • oasis-workflow/assets/css/owf-admin-styles.css?ver=
  • oasis-workflow/assets/css/post-workflow-transition.css?ver=
  • oasis-workflow/assets/css/screen.css?ver=
  • oasis-workflow/assets/css/settings.css?ver=
  • oasis-workflow/assets/js/ace-builds/src-min/ace.js?ver=
  • oasis-workflow/assets/js/backend-script.js?ver=
  • oasis-workflow/assets/js/bootstrap-datepicker.js?ver=
  • oasis-workflow/assets/js/bootstrap-timepicker.js?ver=
  • oasis-workflow/assets/js/chart.js?ver=
  • oasis-workflow/assets/js/jquery.colorbox-min.js?ver=
  • oasis-workflow/assets/js/jquery.dataTables.min.js?ver=
  • oasis-workflow/assets/js/jquery.jeditable.js?ver=
  • oasis-workflow/assets/js/jquery.nestable.js?ver=
  • oasis-workflow/assets/js/jquery.validate.min.js?ver=
  • oasis-workflow/assets/js/moment.min.js?ver=
  • oasis-workflow/assets/js/owf-workflow-template.js?ver=
  • oasis-workflow/assets/js/post-workflow-transition.js?ver=
  • oasis-workflow/assets/js/select2.full.js?ver=
  • oasis-workflow/assets/js/settings.js?ver=
  • oasis-workflow/assets/js/settings-dashboard-widget.js?ver=
  • oasis-workflow/assets/js/tinymce/plugins/workflow/plugin.js?ver=
  • oasis-workflow/assets/js/workflow-routes.js?ver=
  • oasis-workflow/assets/js/workflow-routes-editor.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • owf-workflow-settings
  • owf-post-workflow-transition
  • owf-dashboard-widget
  • owf-workflow-template-list
  • owf-workflow-routes
  • owf-workflow-routes-editor
HTML Comments
  • <!-- Oasis Workflow Version
  • <!-- Oasis Workflow Custom Post Meta -->
  • <!-- Oasis Workflow dashboard widget -->
  • <!-- Oasis Workflow: Workflow Routes -->
Data Attributes
  • data-owf-workflow-id
  • data-owf-step-id
  • data-owf-route-id
  • data-owf-post-id
JS Globals
  • owf_params
  • OwfWorkflow
  • owf_workflow_routes_params
  • owf_workflow_routes_editor_params
REST Endpoints
  • /wp-json/oasis-workflow/v1/settings
  • /wp-json/oasis-workflow/v1/workflow-templates
  • /wp-json/oasis-workflow/v1/workflows
FAQ

Frequently Asked Questions about Oasis Workflow