Does Page-list have any unpatched vulnerabilities?

No. All known vulnerabilities in Page-list have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Page-list compatible with WordPress 6.8.5?

According to WordPress.org data, Page-list 5.9 has been tested up to WordPress 6.8.5. Check the plugin's changelog for the latest compatibility information.

How often is Page-list updated?

Page-list was last updated on Sep 29, 2025. Frequent updates are generally a positive security signal.

What is Page-list's security score?

Page-list has a WP-Safety security score of 97/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Page-list Security & Risk Analysis

wordpress.org/plugins/page-list

[pagelist], [subpages], [siblings] and [pagelist_ext] shortcodes

40K active installs v5.9 PHP + WP 3.0+ Updated Sep 29, 2025

page-listpagelistsiblingssitemapsubpages

A · Safe

CVEs total3

Unpatched0

Last CVESep 22, 2025

Plugin page Download

Safety Verdict

Is Page-list Safe to Use in 2026?

Generally Safe

Score 97/100

Page-list has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEsLast CVE: Sep 22, 2025Updated 6mo ago

Risk Assessment

The "page-list" v5.9 plugin exhibits a mixed security posture. On the positive side, the static analysis reveals excellent practices regarding SQL queries, output escaping, and a lack of dangerous functions, file operations, or external HTTP requests. This suggests a generally well-written codebase that adheres to secure coding principles in these areas. However, the complete absence of nonce checks and capability checks across all entry points, including the 9 shortcodes, is a significant concern. While the taint analysis shows no immediate critical or high-severity issues, the lack of authorization checks opens the door to potential privilege escalation or unauthorized data manipulation if any of the shortcodes' functionality is exploitable. The plugin's vulnerability history, with 3 previous medium-severity Cross-site Scripting (XSS) vulnerabilities, further highlights a past tendency for input sanitization issues. Although no currently unpatched CVEs are reported and the last vulnerability was in 2025, this history underscores the importance of robust input validation and output escaping, which are currently not comprehensively enforced through authorization mechanisms.

Key Concerns

No nonce checks on shortcodes
No capability checks on shortcodes
History of medium severity XSS vulnerabilities

Vulnerabilities

Page-list Security Vulnerabilities

CVEs by Year

1 CVE in 2022

2022

1 CVE in 2024

2024

1 CVE in 2025

2025

Patched Has unpatched

Severity Breakdown

Medium

3 total CVEs

CVE-2025-58030medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Page-list <= 5.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

Sep 22, 2025 Patched in 5.9 (156d)

CVE-2024-47382medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Page-list <= 5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

Sep 30, 2024 Patched in 5.7 (11d)

CVE-2022-4485medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Page-list <= 5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Dec 27, 2022 Patched in 5.3 (392d)

Code Analysis

Analyzed Mar 16, 2026

Page-list Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

31 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

100% escaped31 total outputs

Attack Surface

Page-list Attack Surface

Entry Points9

Unprotected0

Shortcodes 9

[pagelist] page-list.php:88

[page_list] page-list.php:89

[page-list] page-list.php:90

[sitemap] page-list.php:91

[subpages] page-list.php:133

[sub_pages] page-list.php:134

[siblings] page-list.php:180

[pagelist_ext] page-list.php:408

[pagelistext] page-list.php:409

WordPress Hooks 2

actionwp_enqueue_scriptspage-list.php:46

filterplugin_row_metapage-list.php:509

Maintenance & Trust

Page-list Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5

Last updatedSep 29, 2025

PHP min version

Downloads530K

Community Trust

Rating94/100

Number of ratings89

Active installs40K

Alternatives

Page-list Alternatives

GNA Page List

gna-page-list

100

[pagelist] shortcodes with any post, page and widget.

10 No CVEs

WP Sitemap Page

wp-sitemap-page

100

Add a sitemap on any of your page using the simple shortcode [wp_sitemap_page]. Improve the SEO and navigation of your website.

300K 1 CVE

CC Child Pages

cc-child-pages

Display WordPress child pages in a responsive grid or list using a shortcode, Gutenberg block or Elementor widget.

10K 2 CVEs

WP Sitemap Pages and Posts

wp-sitemap-pages-and-posts

An easy way to add a sitemap on one of your pages becomes reality thanks to this WordPress plugin. Just use the shortcode [wpspap_sitemap] on any of y …

1K No CVEs

Easy HTML Sitemap

easy-html-sitemap

Easy HTML Sitemap - Display an HTML Sitemap for your wordpress pages using a shortcode. The sitemap is updated in realtime.

700 No CVEs

Developer Profile

Page-list Developer Profile

webvitaly

14 plugins · 128K total installs

trust score

Avg Security Score

81/100

Avg Patch Time

396 days

View full developer profile

Detection Fingerprints

How We Detect Page-list

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/page-list/css/page-list.css

Version Parameters

page-list/css/page-list.css?ver=5.9

HTML / DOM Fingerprints

CSS Classes

page-listsubpages-page-listsiblings-page-list

HTML Comments

Shortcode Output

<ul class="page-list<ul class="page-list subpages-page-list<ul class="page-list siblings-page-list

FAQ