Orion Data Merge Security & Risk Analysis

wordpress.org/plugins/orion-data-merge

Orion Data Merge is a WordPress plugin that allows a user to compare two wordpress websites (a staging and a production site for example), view the di …

10 active installs · v1.0.0 · PHP 7.0+ · WP 5.0+ · Updated Jan 8, 2022
Tags: wordpress-data-sync, wordpress-database, wordpress-merge-database, wordpress-merging
Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Orion Data Merge Safe to Use in 2026?

Generally Safe

Score 85/100

Orion Data Merge has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 4yr ago
Risk Assessment

The "orion-data-merge" plugin v1.0.0 presents a significant security risk due to a large number of unprotected entry points. All 8 AJAX handlers and 2 REST API routes lack authentication or permission checks, exposing them to unauthenticated attackers. While the code signals show good practices in SQL query preparation (97%) and output escaping (99%), the presence of dangerous functions like `unserialize` and `exec` in an exposed context is highly concerning. If these functions are reachable through the unprotected entry points, they could lead to remote code execution or insecure deserialization.

The plugin's vulnerability history is currently clean, with no recorded CVEs. This is a positive sign, but it should not be relied upon as the sole indicator of security. The lack of observed vulnerabilities might be due to the plugin not being widely used, or simply because no public exploits have been discovered or reported yet. The combination of a broad attack surface with dangerous functions like `unserialize` and `exec` means that the potential for severe impact is high.

In conclusion, while the plugin demonstrates good hygiene in areas like prepared statements and output escaping, the critical lack of authorization on a substantial attack surface (10 unprotected entry points) combined with the presence of dangerous functions creates a dangerous security posture. The absence of historical vulnerabilities is a weak mitigating factor against the evident structural risks.

Key Concerns

  • AJAX handlers without auth checks
  • REST API routes without permission callbacks
  • Dangerous function: unserialize
  • Dangerous function: exec
  • Bundled outdated library: DataTables v1.10.25
Vulnerabilities
None known

Orion Data Merge Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

Orion Data Merge Code Analysis

  • Dangerous Functions: 3
  • Raw SQL Queries: 1 (31 prepared)
  • Unescaped Output: 3 (271 escaped)
  • Nonce Checks: 4
  • Capability Checks: 0
  • File Operations: 21
  • External Requests: 2
  • Bundled Libraries: 1

Dangerous Functions Found

  • unserialize: `$unserialized_data[] = unserialize( $line );` (includes\class-wms-dumper.php:286)
  • exec: `exec(` (includes\class-wms-dumper.php:480)
  • exec: `exec( $mysqldump_path . ' --version', $output, $return_var );` (includes\functions.php:481)

Bundled Libraries

DataTables 1.10.25

SQL Query Safety

97% prepared · 32 total queries

Output Escaping

99% escaped · 274 total outputs
Data Flows
All sanitized

Data Flow Analysis

3 flows
get_key_field (admin\class-wms-admin.php:461)
[Data flow diagram. Legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized]
Attack Surface
10 unprotected

Orion Data Merge Attack Surface

Entry Points: 10
Unprotected: 10

AJAX Handlers 8

  • auth: wp_ajax_generate-wms-key (includes\class-wms.php:165)
  • auth: wp_ajax_test_connection (includes\class-wms.php:168)
  • auth: wp_ajax_start_wms_sync (includes\class-wms.php:170)
  • auth: wp_ajax_check_if_dump_is_completed (includes\class-wms.php:172)
  • auth: wp_ajax_check_if_remote_dump_is_completed (includes\class-wms.php:173)
  • nopriv: wp_ajax_check_if_remote_dump_is_completed (includes\class-wms.php:174)
  • auth: wp_ajax_send_dump_to_kpax (includes\class-wms.php:176)
  • auth: wp_ajax_get-decode-results (includes\class-wms.php:177)

REST API Routes 2

  • GET /wp-json/wms/v2/check_key/(?P<key>[/\w-]+) (includes\class-wms-endpoints.php:20)
  • GET /wp-json/wms/v2/get_remote_site_db_zip/(?P<key>[/\w-]+)/(?P<dump_folder_name>[/\w-]+) (includes\class-wms-endpoints.php:29)
WordPress Hooks 12
  • action: plugins_loaded (includes\class-wms.php:142)
  • action: admin_enqueue_scripts (includes\class-wms.php:159)
  • action: admin_enqueue_scripts (includes\class-wms.php:160)
  • action: init (includes\class-wms.php:161)
  • action: add_meta_boxes (includes\class-wms.php:162)
  • action: admin_menu (includes\class-wms.php:163)
  • action: manage_wms-sites_posts_custom_column (includes\class-wms.php:164)
  • action: save_post_wms-sites (includes\class-wms.php:166)
  • action: rest_api_init (includes\class-wms.php:167)
  • action: admin_notices (includes\class-wms.php:169)
  • filter: manage_edit-wms-sites_columns (includes\class-wms.php:171)
  • action: wms_schedule_dump_with_php (includes\class-wms.php:175)

Scheduled Events 1

wms_schedule_dump_with_php
Maintenance & Trust

Orion Data Merge Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.8.13
Last updated: Jan 8, 2022
PHP min version: 7.0
Downloads: 1K

Community Trust

Rating: 60/100
Number of ratings: 2
Active installs: 10
Developer Profile

Orion Data Merge Developer Profile

Hermann LAHAMI

3 plugins · 10K total installs

Trust score: 88
Avg Security Score: 92/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Orion Data Merge

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/orion-data-merge/admin/css/wms-admin.css
  • /wp-content/plugins/orion-data-merge/admin/css/UI.css
  • /wp-content/plugins/orion-data-merge/admin/css/datatables.min.css
  • /wp-content/plugins/orion-data-merge/admin/js/jquery-tab.js
  • /wp-content/plugins/orion-data-merge/admin/js/jquery-block-ui.js
  • /wp-content/plugins/orion-data-merge/admin/js/datatables.min.js
  • /wp-content/plugins/orion-data-merge/admin/js/wms-admin.js
Script Paths
  • /wp-content/plugins/orion-data-merge/admin/js/jquery-tab.js
  • /wp-content/plugins/orion-data-merge/admin/js/jquery-block-ui.js
  • /wp-content/plugins/orion-data-merge/admin/js/datatables.min.js
  • /wp-content/plugins/orion-data-merge/admin/js/wms-admin.js
Version Parameters
  • orion-data-merge/admin/css/wms-admin.css?ver=
  • orion-data-merge/admin/css/UI.css?ver=
  • orion-data-merge/admin/css/datatables.min.css?ver=
  • orion-data-merge/admin/js/jquery-tab.js?ver=
  • orion-data-merge/admin/js/jquery-block-ui.js?ver=
  • orion-data-merge/admin/js/datatables.min.js?ver=
  • orion-data-merge/admin/js/wms-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • wms-dump-status-message
  • wms-loading
  • wms-test-connection
HTML Comments
  • <!-- BEGIN WMS DATA MERGE OPTIONS -->
  • <!-- END WMS DATA MERGE OPTIONS -->
Data Attributes
  • data-wms-ajax-url
  • data-wms-nonce
  • data-wms-ajax-action
JS Globals
  • wms_data
  • WMS_AJAX_URL
  • WMS_AJAX_SECURITY
Shortcode Output
[wms_data_merge_settings]