OER Curriculum Security & Risk Analysis

wordpress.org/plugins/oer-curriculum

Manage and display collections of Open Educational Resources in lesson plans or curriculums with alignment to Common Core State Standards.

0 active installs · v0.5.5 · PHP 7.0+ · WP 4.4+ · Updated Oct 14, 2022
Tags: curriculum, education, learning, oer, teaching
Score: 85
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is OER Curriculum Safe to Use in 2026?

Generally Safe

Score 85/100

OER Curriculum has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 3yr ago
Risk Assessment

The "oer-curriculum" v0.5.5 plugin exhibits a concerning security posture due to a significant number of unprotected entry points. With 24 total entry points, all of which lack authentication or permission checks, the plugin presents a wide attack surface. The static analysis reveals a high number of dangerous function usages, specifically 'unserialize', which is a known risk for object injection vulnerabilities if user-controlled data is involved. While the plugin appears to use prepared statements for most SQL queries and properly escape a high percentage of outputs, the absence of nonce checks on AJAX handlers is a critical oversight that could lead to Cross-Site Request Forgery (CSRF) attacks.

The plugin's vulnerability history is currently clean, with no recorded CVEs. This is a positive indicator, suggesting that past versions may not have had exploitable flaws or that any found were promptly patched. However, the lack of historical vulnerabilities should not overshadow the significant risks identified in the current code analysis. The combination of numerous unprotected entry points and the presence of 'unserialize' without any apparent sanitization or nonce checks presents a substantial risk. A balanced conclusion is that while the plugin has good practices in SQL querying and output escaping, the extensive lack of authorization on its entry points and potential for unserialize vulnerabilities are major weaknesses that need immediate attention.

Key Concerns

  • 24 unprotected entry points
  • 18 AJAX handlers without auth checks
  • 6 REST API routes without permission callbacks
  • 42 dangerous function usages (unserialize)
  • 0 Nonce checks
  • 2 Flows with unsanitized paths
Vulnerabilities
None known

OER Curriculum Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

OER Curriculum Code Analysis

Dangerous Functions: 42
Raw SQL Queries: 1 (14 prepared)
Unescaped Output: 75 (854 escaped)
Nonce Checks: 0
Capability Checks: 3
File Operations: 2
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

unserialize · $oer_curriculum_grades = (isset($post_meta_data['oer_curriculum_grades'][0]) ? unserialize($post_met · includes\init.php:258
unserialize · $primary_resources = (isset($post_meta_data['oer_curriculum_primary_resources'][0]) ? unserialize($p · includes\init.php:1143
unserialize · $elements_orders = isset($post_meta_data['oer_curriculum_order'][0]) ? unserialize($post_meta_data[' · includes\oer-curriculum-functions.php:823
unserialize · $module = (isset($post_meta_data[$elementKey][0]) ? unserialize($post_meta_data[$elementKey][0]) : " · includes\oer-curriculum-functions.php:842
unserialize · $oer_curriculum_activity_title = isset($post_meta_data['oer_curriculum_activity_title'][0]) ? unser · includes\oer-curriculum-meta-fields.php:17
unserialize · $oer_curriculum_activity_type = isset($post_meta_data['oer_curriculum_activity_type'][0]) ? unseri · includes\oer-curriculum-meta-fields.php:18
unserialize · $oer_curriculum_activity_detail = isset($post_meta_data['oer_curriculum_activity_detail'][0]) ? unse · includes\oer-curriculum-meta-fields.php:19
unserialize · $elements_orders = isset($post_meta_data['oer_curriculum_order'][0]) ? unserialize($post_meta · includes\oer-curriculum-meta-fields.php:21
unserialize · $authors = (isset($post_meta_data['oer_curriculum_authors'][0]) ? unserialize($post_meta_data['oer_c · includes\oer-curriculum-meta-fields.php:346
unserialize · $primary_resources = (isset($post_meta_data['oer_curriculum_primary_resources'][0]) ? unserialize($p · includes\oer-curriculum-meta-fields.php:493
unserialize · $materials = (isset($post_meta_data['oer_curriculum_oer_materials'][0]) ? unserialize($post_meta_dat · includes\oer-curriculum-meta-fields.php:838
unserialize · $oer_curriculum_iq = isset($post_meta_data['oer_curriculum_iq'][0]) ? unserialize($post_meta_data[' · includes\oer-curriculum-meta-fields.php:900
unserialize · $text_features = isset($post_meta_data['oer_curriculum_required_materials'][0]) ? unserialize($post_ · includes\oer-curriculum-meta-fields.php:965
unserialize · $text_features = isset($post_meta_data['oer_curriculum_additional_sections'][0]) ? unserialize($post · includes\oer-curriculum-meta-fields.php:1087
unserialize · $oer_curriculum_times_label = isset($post_meta_data['oer_curriculum_times_label'][0]) ? unserialize · includes\oer-curriculum-meta-fields.php:1207
unserialize · $oer_curriculum_times_number = isset($post_meta_data['oer_curriculum_times_number'][0]) ? unserializ · includes\oer-curriculum-meta-fields.php:1208
unserialize · $oer_curriculum_times_type = isset($post_meta_data['oer_curriculum_times_type'][0]) ? unserialize( · includes\oer-curriculum-meta-fields.php:1209
unserialize · $oer_curriculum_related_objective = isset($post_meta_data['oer_curriculum_related_objective'][0]) ? · includes\oer-curriculum-meta-fields.php:1344
unserialize · $oer_curriculum_assessment_type = (isset($post_meta_data['oer_curriculum_assessment_type'][0]) ? uns · includes\oer-curriculum-meta-fields.php:1502
unserialize · $oer_curriculum_custom_editor = (isset($post_meta_data[$elementKey][0]) ? unserialize($post_meta_dat · includes\oer-curriculum-meta-fields.php:1568
unserialize · $oer_curriculum_custom_editor = (isset($post_meta_data[$elementKey][0]) ? unserialize($post_meta_dat · includes\oer-curriculum-meta-fields.php:1607
unserialize · $oer_curriculum_custom_text_list = (isset($post_meta_data[$elementKey][0]) ? unserialize($post_meta_ · includes\oer-curriculum-meta-fields.php:1646
unserialize · $materials = (isset($post_meta_data[$elementKey][0]) ? unserialize($post_meta_data[$elementKey][0]) · includes\oer-curriculum-meta-fields.php:1702
unserialize · $oer_curriculum_assessment_type = (isset($post_meta_data['oer_curriculum_assessment_type'][0]) ? uns · includes\oer-curriculum-meta-fields.php:2522
unserialize · $oer_curriculum_assessment_type = (isset($post_meta_data['oer_curriculum_assessment_type'][0]) ? uns · includes\oer-curriculum-meta-fields.php:3189
unserialize · $elements_orders = isset($post_meta_data['oer_curriculum_order'][0]) ? unserialize($post_meta_data[' · templates\module.php:21
unserialize · $module = (isset($post_meta_data[$elementKey][0]) ? unserialize($post_meta_data[$elementKey][0]) : " · templates\module.php:49
unserialize · $primary_resources = (isset($post_meta_data['oer_curriculum_primary_resources'][0]) ? unserialize($p · templates\module.php:92
unserialize · $primary_resources = (isset($post_meta_data['oer_curriculum_primary_resources'][0]) ? unserialize($p · templates\primary-source.php:63
unserialize · $elements_orders = isset($post_meta_data['oer_curriculum_order'][0]) ? unserialize($post_meta_data[' · templates\single-oer-curriculum.php:32
unserialize · $oer_curriculum_grade = (isset($post_meta_data['oer_curriculum_grades'][0]) && $post_meta_data['oer_ · templates\single-oer-curriculum.php:35
unserialize · $oer_curriculum_related_objectives = isset($post_meta_data['oer_curriculum_related_objective'][0])? · templates\single-oer-curriculum.php:42
unserialize · $authors = (isset($post_meta_data['oer_curriculum_authors'][0]) ? unserialize($post_meta_data['oer_c · templates\single-oer-curriculum.php:44
unserialize · $oer_resources = (isset($post_meta_data['oer_curriculum_primary_resources'][0]) ? unserialize($post_ · templates\single-oer-curriculum.php:47
unserialize · $related_curriculum_collection = (isset($post_meta_data['oer_curriculum_related_curriculum'][0]) ? u · templates\single-oer-curriculum.php:148
unserialize · $iq_data = (isset($post_meta_data['oer_curriculum_iq'][0]) ? unserialize($post_meta_data['oer_curric · templates\single-oer-curriculum.php:332
unserialize · $req_materials = (isset($post_meta_data['oer_curriculum_required_materials'][0]) ? unserialize($post · templates\single-oer-curriculum.php:373
unserialize · $additional_sections = isset($post_meta_data['oer_curriculum_additional_sections'][0]) ? unserialize · templates\single-oer-curriculum.php:395
unserialize · $addtl_materials = (isset($post_meta_data['oer_curriculum_oer_materials'][0]) ? unserialize($post_me · templates\single-oer-curriculum.php:419
unserialize · $primary_resources = (isset($post_meta_data['oer_curriculum_primary_resources'][0]) ? unserialize($p · templates\single-oer-curriculum.php:542
unserialize · $oer_curriculum_custom_editor = (isset($post_meta_data[$elementKey][0]) ? unserialize($post_meta_dat · templates\single-oer-curriculum.php:644
unserialize · $oer_curriculum_custom_editor = (isset($post_meta_data[$elementKey][0]) ? unserialize($post_meta_dat · templates\single-oer-curriculum.php:671

SQL Query Safety

93% prepared · 15 total queries

Output Escaping

92% escaped · 929 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

6 flows · 2 with unsanitized paths
oercurr_create_module_callback (includes\init.php:849)
Flow diagram legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized
Attack Surface
24 unprotected

OER Curriculum Attack Surface

Entry Points: 24
Unprotected: 24

AJAX Handlers 18

auth · wp_ajax_oercurr_cb_rebuild_post_block · includes\blocks\curriculum-block\init.php:279
nopriv · wp_ajax_oercurr_cb_rebuild_post_block · includes\blocks\curriculum-block\init.php:280
auth · wp_ajax_oercurr_add_more_activity_callback · includes\init.php:632
nopriv · wp_ajax_oercurr_add_more_activity_callback · includes\init.php:633
auth · wp_ajax_oercurr_add_more_prime_resource_callback · includes\init.php:701
nopriv · wp_ajax_oercurr_add_more_prime_resource_callback · includes\init.php:702
auth · wp_ajax_oercurr_create_module_callback · includes\init.php:846
nopriv · wp_ajax_oercurr_create_module_callback · includes\init.php:847
auth · wp_ajax_oercurr_get_resource_info_callback · includes\init.php:872
nopriv · wp_ajax_oercurr_get_resource_info_callback · includes\init.php:873
auth · wp_ajax_oercurr_dismiss_notice_callback · includes\init.php:1063
nopriv · wp_ajax_oercurr_dismiss_notice_callback · includes\init.php:1064
auth · wp_ajax_oercurr_searched_standards_callback · includes\init.php:1072
nopriv · wp_ajax_oercurr_searched_standards_callback · includes\init.php:1073
auth · wp_ajax_oercurr_get_source_callback · includes\init.php:1103
nopriv · wp_ajax_oercurr_get_source_callback · includes\init.php:1104
auth · wp_ajax_oercurr_add_text_feature_callback · includes\init.php:1162
nopriv · wp_ajax_oercurr_add_text_feature_callback · includes\init.php:1163

REST API Routes 6

GET · /wp-json/curriculum/v2taxquery · includes\blocks\curriculum-block\init.php:97
GET · /wp-json/curriculum/v2catquery · includes\blocks\curriculum-block\init.php:103
GET · /wp-json/curriculum/v2tagsquery · includes\blocks\curriculum-block\init.php:109
GET · /wp-json/curriculum/featdataquery · includes\blocks\curriculum-featured-block\init.php:99
GET · /wp-json/oercurr/thumbnailoptionquery · includes\blocks\curriculum-thumbnail-block\init.php:101
GET · /wp-json/oercurr/thumbnailgetcurriculum · includes\blocks\curriculum-thumbnail-block\init.php:108

WordPress Hooks 47

action · init · includes\blocks\curriculum-block\init.php:71
action · init · includes\blocks\curriculum-block\init.php:73
action · wp_enqueue_scripts · includes\blocks\curriculum-block\init.php:90
action · rest_api_init · includes\blocks\curriculum-block\init.php:95
action · admin_head · includes\blocks\curriculum-block\init.php:267
action · init · includes\blocks\curriculum-featured-block\init.php:67
action · init · includes\blocks\curriculum-featured-block\init.php:69
action · admin_head · includes\blocks\curriculum-featured-block\init.php:77
action · wp_enqueue_scripts · includes\blocks\curriculum-featured-block\init.php:86
action · admin_enqueue_scripts · includes\blocks\curriculum-featured-block\init.php:92
action · rest_api_init · includes\blocks\curriculum-featured-block\init.php:97
action · admin_footer · includes\blocks\curriculum-featured-block\init.php:507
action · wp_footer · includes\blocks\curriculum-featured-block\init.php:592
action · admin_init · includes\blocks\curriculum-featured-block\init.php:599
action · init · includes\blocks\curriculum-thumbnail-block\init.php:64
action · init · includes\blocks\curriculum-thumbnail-block\init.php:66
action · rest_api_init · includes\blocks\curriculum-thumbnail-block\init.php:71
action · init · includes\init.php:9
filter · get_terms_args · includes\init.php:133
action · admin_enqueue_scripts · includes\init.php:317
action · wp_enqueue_scripts · includes\init.php:387
action · save_post · includes\init.php:420
filter · register_post_type_args · includes\init.php:1231
action · admin_footer · includes\init.php:1246
action · admin_menu · includes\init.php:1252
filter · wp_default_editor · includes\init.php:1258
filter · mce_css · includes\init.php:1270
action · admin_notices · oer-curriculum.php:132
filter · single_template · oer-curriculum.php:167
action · init · oer-curriculum.php:170
filter · query_vars · oer-curriculum.php:199
action · template_include · oer-curriculum.php:207
action · init · oer-curriculum.php:239
action · init · oer-curriculum.php:249
action · rest_api_init · oer-curriculum.php:288
action · wp_enqueue_scripts · oer-curriculum.php:354
action · plugins_loaded · oer-curriculum.php:361
filter · allowed_block_types_all · oer-curriculum.php:396
filter · allowed_block_types · oer-curriculum.php:398
action · admin_init · oer-curriculum.php:402
filter · block_categories_all · oer-curriculum.php:579
filter · block_categories · oer-curriculum.php:581
action · admin_head · oer-curriculum.php:622
action · wp_head · oer-curriculum.php:623
filter · body_class · templates\module.php:3
filter · body_class · templates\oer-curriculum-tag.php:5
filter · body_class · templates\primary-source.php:3
Maintenance & Trust

OER Curriculum Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.0.11
Last updated: Oct 14, 2022
PHP min version: 7.0
Downloads: 3K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 0
Developer Profile

OER Curriculum Developer Profile

Navigation North

1 plugin · 0 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect OER Curriculum

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/oer-curriculum/includes/blocks/curriculum-featured-block/jquery.bxslider.css
/wp-content/plugins/oer-curriculum/includes/blocks/curriculum-featured-block/jquery.bxslider.js
Script Paths
/wp-content/plugins/oer-curriculum/includes/blocks/curriculum-featured-block/build/index.js
Version Parameters
oer-curriculum/includes/blocks/curriculum-featured-block/jquery.bxslider.js?ver=1.0
oer-curriculum/includes/blocks/curriculum-featured-block/build/index.js?ver=

HTML / DOM Fingerprints

Data Attributes
id="oercurr_featured_slider_data"
JS Globals
window.oercurr_cfb_legacy_marker
window.curr_cfs_block
REST Endpoints
/wp-json/curriculum/feat/dataquery