Package Installator Security & Risk Analysis

wordpress.org/plugins/package-installator

A plugin to manage system packages (e.g., php-xml) with a modern React-based UI via SSH.

0 active installs · v1.2.1 · PHP 8.2+ · WP 5.0+ · Updated Mar 3, 2026
Tags: debian, package-manager, react-ui, ssh, system-packages
Score: 100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Package Installator Safe to Use in 2026?

Generally Safe

Score 100/100

Package Installator has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 1mo ago
Risk Assessment

The "package-installator" v1.2.1 plugin exhibits a generally strong security posture based on the provided static analysis and vulnerability history. The plugin demonstrates good practices by implementing nonce checks and capability checks on its entry points, and it has a clean history with no recorded CVEs. The code analysis shows a high percentage of properly escaped output, which is a positive indicator for preventing cross-site scripting vulnerabilities.

However, a notable concern lies in the handling of SQL queries. The analysis reveals one SQL query that is not using prepared statements. This represents a significant risk, as it makes the plugin vulnerable to SQL injection attacks, particularly if any user-supplied data is incorporated into this query without proper sanitization. While the taint analysis did not reveal any unsanitized paths or critical/high severity flows, the raw SQL query is a direct and present danger.

In conclusion, the plugin's lack of historical vulnerabilities and its diligent use of authentication checks and output escaping are strengths. Nevertheless, the unprepared SQL query is a critical weakness that must be addressed to mitigate the risk of SQL injection. The plugin's overall security could be significantly improved by refactoring the SQL query to use prepared statements.

Key Concerns

  • Raw SQL query without prepared statements
Vulnerabilities
None known

Package Installator Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

Package Installator Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (0 prepared)
Unescaped Output: 6 (42 escaped)
Nonce Checks: 7
Capability Checks: 3
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

0% prepared · 1 total queries

Output Escaping

88% escaped · 48 total outputs
Data Flows
All sanitized

Data Flow Analysis

2 flows
wpkginst_settings_page (package-installator.php:154)
Legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized
Attack Surface

Package Installator Attack Surface

Entry Points: 6
Unprotected: 0

AJAX Handlers: 6

auth · wp_ajax_wpkginst_fetch_packages · includes\ajax-handlers.php:25
auth · wp_ajax_wpkginst_install_package · includes\ajax-handlers.php:66
auth · wp_ajax_wpkginst_uninstall_package · includes\ajax-handlers.php:99
auth · wp_ajax_wpkginst_fetch_package_progress · includes\ajax-handlers.php:125
auth · wp_ajax_wpkginst_test_ssh_connection · includes\ajax-handlers.php:136
auth · wp_ajax_wpkginst_run_command · package-installator.php:439

WordPress Hooks: 5

action · admin_init · package-installator.php:25
action · shutdown · package-installator.php:28
action · admin_enqueue_scripts · package-installator.php:87
filter · script_loader_tag · package-installator.php:89
action · admin_menu · package-installator.php:102
Maintenance & Trust

Package Installator Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 3, 2026
PHP min version: 8.2
Downloads: 319

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 0
Developer Profile

Package Installator Developer Profile

Thomas Lloancy

9 plugins · 120 total installs

Trust score: 93
Avg Security Score: 99/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Package Installator

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/package-installator/assets/js/vendor/react.min.js
/wp-content/plugins/package-installator/assets/js/vendor/react-dom.min.js
/wp-content/plugins/package-installator/assets/js/vendor/axios.min.js
/wp-content/plugins/package-installator/assets/js/vendor/react-select.min.js
/wp-content/plugins/package-installator/assets/js/package-manager.js
/wp-content/plugins/package-installator/assets/css/tailwind.min.css
/wp-content/plugins/package-installator/assets/css/styles.css
Script Paths
/wp-content/plugins/package-installator/assets/js/package-manager.js
Version Parameters
package-installator/assets/css/styles.css?ver=
package-installator/assets/js/package-manager.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpkginst-package-manager
wpkginst_ssh_private_key_row
wpkginst_ssh_password_row
wpkginst-settings
wpkginst-terminal
wpkginst-log
Data Attributes
wpkginst_ssh_auth_type
wpkginst_ssh_host
wpkginst_ssh_username
wpkginst_ssh_port
wpkginst_ssh_private_key
wpkginst_ssh_password
+1 more
JS Globals
wpkginstAjax
React
ReactDOM
axios
Select
FAQ

Frequently Asked Questions about Package Installator