Does OptionTree have any unpatched vulnerabilities?

No published vulnerabilities and no findings under coordinated disclosure as of the latest data update. Always keep the plugin updated to the latest version.

Is OptionTree compatible with WordPress 5.2.24?

According to WordPress.org data, OptionTree 2.7.3 has been tested up to WordPress 5.2.24. Check the plugin's changelog for the latest compatibility information.

Is OptionTree compatible with PHP 5.3.0+?

OptionTree requires PHP 5.3.0 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is OptionTree updated?

OptionTree was last updated on May 19, 2019. Frequent updates are generally a positive security signal.

What is OptionTree's security score?

OptionTree has a WP-Safety security score of 82/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

OptionTree Security & Risk Analysis

wordpress.org/plugins/option-tree

Theme Options UI Builder for WordPress. A simple way to create & save Theme Options and Meta Boxes for free or premium themes.

50K active installs v2.7.3 PHP 5.3.0+ WP 3.8+ Updated May 19, 2019

meta-boxesoptionssettingstheme-options

B · Generally Safe

CVEs total5

Unpatched0

Last CVEAug 16, 2019

Plugin page Download

Safety Verdict

Is OptionTree Safe to Use in 2026?

Mostly Safe

Score 82/100

OptionTree is generally safe to use though it hasn't been updated recently. 5 past CVEs were resolved.

5 known CVEsLast CVE: Aug 16, 2019Updated 7yr ago

Risk Assessment

The Option Tree plugin, despite having a substantial attack surface of 10 AJAX handlers, appears to implement proper authentication checks on all of them. This is a strong security practice. The code analysis also reveals a healthy percentage of SQL queries using prepared statements and a significant amount of output escaping, indicating good coding habits. However, the presence of unsanitized paths in the taint analysis, even if not flagged as critical or high severity, warrants attention as it represents a potential avenue for input manipulation.

The plugin's vulnerability history is a significant concern. With a total of 5 known CVEs, including 3 high and 2 medium severity vulnerabilities, and a last recorded vulnerability in 2019, it suggests a past pattern of security weaknesses. The common vulnerability types of deserialization and XSS are particularly worrying, as they can lead to severe compromise. While there are currently no unpatched CVEs, the historical prevalence of these types of issues indicates a need for ongoing vigilance and potential for undiscovered vulnerabilities or regressions.

In conclusion, Option Tree v2.7.3 demonstrates some good security practices, particularly in its handling of AJAX entry points. However, the significant historical vulnerability record, combined with a concerning taint analysis result regarding unsanitized paths, presents a notable risk. Users should be aware of the past security issues and the potential for future ones, even though current patching status is clean. A cautious approach is recommended.

Key Concerns

Flows with unsanitized paths found
High severity vulnerabilities in history (3)
Medium severity vulnerabilities in history (2)
Taint analysis indicating potential input issues

Vulnerabilities

5 published

OptionTree Security Vulnerabilities

CVEs by Year

1 CVE in 2015

2015

4 CVEs in 2019

2019

Patched Has unpatched

Severity Breakdown

High

Medium

5 total CVEs

CVE-2016-10895medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Option Tree <= 2.5.5 - Cross-Site Scripting

Aug 16, 2019 Patched in 2.6 (1621d)

CVE-2019-15320high · 8.1Deserialization of Untrusted Data

Option Tree <= 2.7.2 - Object Injection Bypass

May 19, 2019 Patched in 2.7.3 (1710d)

CVE-2019-15321high · 8.1Deserialization of Untrusted Data

Option Tree <= 2.7.2 - Object Injection Bypass

May 19, 2019 Patched in 2.7.3 (1710d)

CVE-2019-15319high · 8.1Deserialization of Untrusted Data

Option Tree <= 2.6.0 - PHP Object Injection

Apr 16, 2019 Patched in 2.7.0 (1743d)

CVE-2015-9320medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Option Tree <= 2.5.3 - Cross-Site Scripting

Apr 22, 2015 Patched in 2.5.4 (3198d)

Version History

OptionTree Release Timeline

v2.7.3Current

v2.7.22 CVEs

CVE-2019-15320 CVE-2019-15321

v2.7.12 CVEs

CVE-2019-15320 CVE-2019-15321

v2.7.02 CVEs

CVE-2019-15320 CVE-2019-15321

v2.6.03 CVEs

CVE-2019-15320 CVE-2019-15319 CVE-2019-15321

v2.5.54 CVEs

CVE-2019-15320 CVE-2016-10895 CVE-2019-15319 +1 more

v2.5.44 CVEs

CVE-2019-15320 CVE-2016-10895 CVE-2019-15319 +1 more

v2.5.35 CVEs

CVE-2015-9320 CVE-2019-15320 CVE-2016-10895 +2 more

v2.5.25 CVEs

CVE-2015-9320 CVE-2019-15320 CVE-2016-10895 +2 more

v2.5.15 CVEs

CVE-2015-9320 CVE-2019-15320 CVE-2016-10895 +2 more

v2.5.05 CVEs

CVE-2015-9320 CVE-2019-15320 CVE-2016-10895 +2 more

v2.4.65 CVEs

CVE-2015-9320 CVE-2019-15320 CVE-2016-10895 +2 more

v2.4.55 CVEs

CVE-2015-9320 CVE-2019-15320 CVE-2016-10895 +2 more

v2.4.45 CVEs

CVE-2015-9320 CVE-2019-15320 CVE-2016-10895 +2 more

v2.4.35 CVEs

CVE-2015-9320 CVE-2019-15320 CVE-2016-10895 +2 more

v2.4.25 CVEs

CVE-2015-9320 CVE-2019-15320 CVE-2016-10895 +2 more

v2.4.15 CVEs

CVE-2015-9320 CVE-2019-15320 CVE-2016-10895 +2 more

v2.4.05 CVEs

CVE-2015-9320 CVE-2019-15320 CVE-2016-10895 +2 more

v2.3.45 CVEs

CVE-2015-9320 CVE-2019-15320 CVE-2016-10895 +2 more

v2.3.35 CVEs

CVE-2015-9320 CVE-2019-15320 CVE-2016-10895 +2 more

Code Analysis

Analyzed Mar 16, 2026

OptionTree Code Analysis

Dangerous Functions

Raw SQL Queries

8 prepared

Unescaped Output

393

716 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

67% prepared12 total queries

Output Escaping

65% escaped1109 total outputs

Data Flows · Security

1 unsanitized

Data Flow Analysis

12 flows1 with unsanitized paths

display_page (includes\class-ot-settings.php:227)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

OptionTree Attack Surface

Entry Points10

Unprotected0

AJAX Handlers 10

authwp_ajax_add_sectionot-loader.php:406

authwp_ajax_add_settingot-loader.php:409

authwp_ajax_add_the_contextual_helpot-loader.php:412

authwp_ajax_add_choiceot-loader.php:415

authwp_ajax_add_list_item_settingot-loader.php:418

authwp_ajax_add_layoutot-loader.php:421

authwp_ajax_add_list_itemot-loader.php:424

authwp_ajax_add_social_linksot-loader.php:427

authwp_ajax_ot_google_fontot-loader.php:430

authwp_ajax_gallery_updateot-loader.php:436

WordPress Hooks 54

actionadmin_headincludes\class-ot-cleanup.php:37

actionadmin_menuincludes\class-ot-cleanup.php:40

actionot_pre_consolidate_postsincludes\class-ot-cleanup.php:43

actionadmin_noticesincludes\class-ot-cleanup.php:78

actionadd_meta_boxesincludes\class-ot-meta-box.php:55

actionsave_postincludes\class-ot-meta-box.php:57

actionadmin_initincludes\class-ot-post-formats.php:43

filterpre_pingincludes\class-ot-post-formats.php:46

actionadmin_menuincludes\class-ot-settings.php:74

actionadmin_initincludes\class-ot-settings.php:77

actionadmin_initincludes\class-ot-settings.php:80

actionadmin_initincludes\class-ot-settings.php:83

actionadmin_initincludes\class-ot-settings.php:86

actionadmin_noticesincludes\ot-functions-admin.php:107

filtersafe_style_cssincludes\ot-functions-admin.php:599

filterwp_kses_allowed_htmlincludes\ot-functions-admin.php:600

filterot_recognized_font_familiesincludes\ot-functions-admin.php:2415

actionot_after_theme_options_saveincludes\ot-functions-admin.php:5170

actionsplit_shared_termincludes\ot-functions-admin.php:6087

actionadmin_initincludes\ot-functions-compat.php:13

filterot_option_types_arrayincludes\ot-functions-compat.php:14

filterot_recognized_font_stylesincludes\ot-functions-compat.php:15

filterot_recognized_font_weightsincludes\ot-functions-compat.php:16

filterot_recognized_font_variantsincludes\ot-functions-compat.php:17

filterot_recognized_font_familiesincludes\ot-functions-compat.php:18

filterot_recognized_background_repeatincludes\ot-functions-compat.php:19

filterot_recognized_background_positionincludes\ot-functions-compat.php:20

filterot_measurement_unit_typesincludes\ot-functions-compat.php:21

filterot_theme_modeot-loader.php:17

actionadmin_noticesot-loader.php:26

actionafter_setup_themeot-loader.php:47

actioninitot-loader.php:303

actioninitot-loader.php:307

actionadmin_headot-loader.php:310

actioninitot-loader.php:346

actioninitot-loader.php:351

actioninitot-loader.php:356

actionadmin_print_scripts-post-new.phpot-loader.php:363

actionadmin_print_scripts-post.phpot-loader.php:364

actionadmin_print_styles-post-new.phpot-loader.php:367

actionadmin_print_styles-post.phpot-loader.php:368

actionadmin_bar_menuot-loader.php:373

actionadmin_initot-loader.php:376

actionadmin_initot-loader.php:379

actionadmin_initot-loader.php:382

actionadmin_initot-loader.php:385

actionadmin_initot-loader.php:388

actionadmin_initot-loader.php:391

actionadmin_initot-loader.php:394

actionwp_enqueue_scriptsot-loader.php:397

actionwp_enqueue_scriptsot-loader.php:400

actionot_after_theme_options_saveot-loader.php:403

filtermedia_view_settingsot-loader.php:433

filtergettextot-loader.php:439

Maintenance & Trust

OptionTree Maintenance & Trust

Maintenance Signals

WordPress version tested5.2.24

Last updatedMay 19, 2019

PHP min version5.3.0

Downloads1.3M

Community Trust

Rating94/100

Number of ratings105

Active installs50K

Alternatives

OptionTree Alternatives

One Click Demo Import

one-click-demo-import

Import your demo content, widgets and theme settings with one click. Theme authors! Enable simple theme demo import for your users.

1.0M 2 CVEs

Catch Themes Demo Import

catch-themes-demo-import

Catch Themes Demo Import is a simple and easy-to-use demo importer WordPress plugin that allows you to import the theme demo data Based on One Click D …

6K 2 CVEs

WP Site Options

wp-site-options

The Site Options plugin is a simple and free product for adding your custom site options on default page Settings -> Reading.

20 No CVEs

Customizer Toolkits

customizer-toolkits

Customizer Toolkits is a nice wordpress plugin. You can use this plugin any wordpress site for create Customizer Options. Customizer Toolkits is one o …

0 No CVEs

PuppyFW

puppyfw

PuppyFW is a lightweight but powerful options framework for WordPress themes and plugins which supports tab, group, repeatable, field dependencies.

0 No CVEs

Developer Profile

OptionTree Developer Profile

Derek Herman

1 plugin · 50K total installs

trust score

Avg Security Score

82/100

Avg Patch Time

1996 days

View full developer profile

Detection Fingerprints

How We Detect OptionTree

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

HTML / DOM Fingerprints

FAQ

OptionTree Security & Risk Analysis

Is OptionTree Safe to Use in 2026?

Mostly Safe

Key Concerns

OptionTree Security Vulnerabilities

CVEs by Year

Severity Breakdown

OptionTree Release Timeline

OptionTree Code Analysis

SQL Query Safety

Output Escaping

Data Flow Analysis

OptionTree Attack Surface

AJAX Handlers 10

OptionTree Maintenance & Trust

Maintenance Signals

Community Trust

OptionTree Alternatives

One Click Demo Import

Catch Themes Demo Import

WP Site Options

Customizer Toolkits

PuppyFW

OptionTree Developer Profile

How We Detect OptionTree

Asset Fingerprints

HTML / DOM Fingerprints

Frequently Asked Questions about OptionTree