PilotPress Security & Risk Analysis

wordpress.org/plugins/pilotpress

PilotPress allows you to have a website, membership site, customer center, and a partner center integrated together with ONTRAPORT.

1K active installs · v2.0.36 · PHP + WP 3.6+ · Updated Sep 24, 2025
Tags: moonray, officeautopilot, ontraport, sendpepper

Score: 55/100
Grade: C · Use Caution
CVEs total: 3
Unpatched: 2
Last CVE: Sep 22, 2025
Safety Verdict

Is PilotPress Safe to Use in 2026?

Use With Caution

Score 55/100

PilotPress has 2 unpatched vulnerabilities. Evaluate alternatives or apply available mitigations.

3 known CVEs · 2 unpatched · Last CVE: Sep 22, 2025 · Updated 6mo ago
Risk Assessment

The pilotpress plugin exhibits a mixed security posture. While it avoids dangerous functions and file operations, and has a reasonable number of capability checks, significant concerns arise from its unprotected AJAX handlers. A substantial portion of its attack surface is exposed without authentication, creating a direct pathway for potential unauthorized actions. The output escaping is also a major weakness, with a very low percentage of outputs being properly escaped, indicating a high risk of Cross-Site Scripting (XSS) vulnerabilities. The taint analysis, although limited in scope, flagged flows with unsanitized paths, reinforcing the XSS concerns. The plugin's vulnerability history, with three known medium-severity CVEs, two of which remain unpatched, further exacerbates these risks. The common types of past vulnerabilities, XSS and missing authorization, directly align with the current findings in the code analysis. This indicates a pattern of recurring security weaknesses that have not been fully addressed. In conclusion, while pilotpress demonstrates some good practices, the high number of unprotected AJAX handlers, poor output escaping, and ongoing unpatched vulnerabilities present a significant security risk that requires immediate attention.

Key Concerns

  • Unprotected AJAX handlers
  • Low percentage of properly escaped output
  • Unpatched CVEs (2 medium severity)
  • Flows with unsanitized paths
  • Vulnerability history of XSS and Missing Auth
Vulnerabilities: 3

PilotPress Security Vulnerabilities

CVEs by Year

  • 2024: 1 CVE (patched)
  • 2025: 2 CVEs (unpatched)

Severity Breakdown

  • Medium: 3

3 total CVEs

CVE-2025-58238 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
PilotPress <= 2.0.36 - Authenticated (Contributor+) Stored Cross-Site Scripting
Sep 22, 2025 · Unpatched

CVE-2025-58221 · medium · 5.4 · Missing Authorization
PilotPress <= 2.0.36 - Missing Authorization
Sep 22, 2025 · Unpatched

CVE-2024-23524 · medium · 5.4 · Missing Authorization
PilotPress <= 2.0.30 - Authenticated (Subscriber+) Missing Authorization via multiple AJAX functions
Jan 31, 2024 · Patched in 2.0.31 (52 days)
Code Analysis
Analyzed Mar 16, 2026

PilotPress Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 17 · 15 prepared
  • Unescaped Output: 83 · 14 escaped
  • Nonce Checks: 3
  • Capability Checks: 14
  • File Operations: 0
  • External Requests: 2
  • Bundled Libraries: 0

SQL Query Safety

47% prepared · 32 total queries

Output Escaping

14% escaped · 97 total outputs

Data Flows: 5 unsanitized

Data Flow Analysis

8 flows · 5 with unsanitized paths

  • admin_preview_redirect (pilotpress.php:1161)

Flow diagram legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface: 6 unprotected

PilotPress Attack Surface

Entry Points: 17
Unprotected: 6

AJAX Handlers (8)

  • auth · wp_ajax_pp_update_aff_details · pilotpress.php:1019
  • auth · wp_ajax_pp_update_cc_details · pilotpress.php:1020
  • auth · wp_ajax_pp_insert_form · pilotpress.php:1038
  • auth · wp_ajax_pp_insert_video · pilotpress.php:1039
  • auth · wp_ajax_pp_get_aff_report · pilotpress.php:1040
  • auth · wp_ajax_purge_transients · pilotpress.php:1061
  • auth · wp_ajax_admin_preview_redirect · pilotpress.php:1062
  • auth · wp_ajax_pp_category_override · ppprotect-categories.php:55

Shortcodes (9)

  • [protected] · pilotpress.php:1078
  • [show_if] · pilotpress.php:1079
  • [login_page] · pilotpress.php:1080
  • [field] · pilotpress.php:1081
  • [pilotpress_protected] · pilotpress.php:1083
  • [pilotpress_show_if] · pilotpress.php:1084
  • [pilotpress_login_page] · pilotpress.php:1085
  • [pilotpress_field] · pilotpress.php:1086
  • [pilotpress_sync_contact] · pilotpress.php:1087
WordPress Hooks (76)

  • action · widgets_init · pilotpress.php:33
  • action · admin_footer-widgets.php · pilotpress.php:35
  • action · init · pilotpress.php:1011
  • action · init · pilotpress.php:1012
  • action · init · pilotpress.php:1013
  • action · wp_print_styles · pilotpress.php:1014
  • action · wp_print_footer_scripts · pilotpress.php:1015
  • action · retrieve_password · pilotpress.php:1016
  • action · profile_update · pilotpress.php:1017
  • action · admin_menu · pilotpress.php:1023
  • filter · admin_init · pilotpress.php:1024
  • filter · admin_init · pilotpress.php:1025
  • filter · admin_init · pilotpress.php:1026
  • action · admin_enqueue_scripts · pilotpress.php:1027
  • action · admin_notices · pilotpress.php:1028
  • action · admin_menu · pilotpress.php:1030
  • action · pre_post_update · pilotpress.php:1031
  • action · media_buttons · pilotpress.php:1033
  • action · media_upload_forms · pilotpress.php:1034
  • action · media_upload_images · pilotpress.php:1035
  • action · media_upload_videos · pilotpress.php:1036
  • action · media_upload_fields · pilotpress.php:1037
  • filter · tiny_mce_before_init · pilotpress.php:1042
  • filter · tiny_mce_version · pilotpress.php:1043
  • filter · mce_external_plugins · pilotpress.php:1044
  • filter · mce_buttons_3 · pilotpress.php:1045
  • action · admin_footer · pilotpress.php:1046
  • action · admin_footer · pilotpress.php:1047
  • filter · manage_posts_columns · pilotpress.php:1049
  • action · manage_posts_custom_column · pilotpress.php:1050
  • filter · manage_pages_columns · pilotpress.php:1051
  • action · manage_pages_custom_column · pilotpress.php:1052
  • filter · user_has_cap · pilotpress.php:1053
  • filter · media_upload_tabs · pilotpress.php:1054
  • action · wp_loaded · pilotpress.php:1055
  • action · admin_head · pilotpress.php:1058
  • action · admin_head · pilotpress.php:1059
  • filter · rewrite_rules_array · pilotpress.php:1068
  • action · wp · pilotpress.php:1069
  • filter · get_pages · pilotpress.php:1070
  • filter · wp_nav_menu · pilotpress.php:1071
  • filter · wp_nav_menu_objects · pilotpress.php:1072
  • filter · posts_where · pilotpress.php:1073
  • filter · query_vars · pilotpress.php:1074
  • filter · the_content · pilotpress.php:1075
  • filter · login_message · pilotpress.php:1076
  • action · wp_authenticate · pilotpress.php:1090
  • action · wp_login_failed · pilotpress.php:1091
  • action · lostpassword_post · pilotpress.php:1092
  • action · wp_logout · pilotpress.php:1093
  • action · init · pilotpress.php:1094
  • action · user_register · pilotpress.php:1095
  • filter · comments_open · pilotpress.php:3077
  • filter · get_comments_number · pilotpress.php:3078
  • action · admin_head · pilotpress.php:3589
  • action · wp_head · pilotpress.php:3590
  • filter · widget_text · pilotpress.php:3598
  • filter · mce_external_plugins · pilotpress.php:4388
  • filter · mce_buttons_3 · pilotpress.php:4389
  • action · admin_enqueue_scripts · ppprotect-categories.php:31
  • action · category_edit_form_fields · ppprotect-categories.php:34
  • action · category_add_form_fields · ppprotect-categories.php:35
  • action · created_category · ppprotect-categories.php:38
  • action · edited_category · ppprotect-categories.php:39
  • action · pre_get_posts · ppprotect-categories.php:42
  • filter · widget_posts_args · ppprotect-categories.php:43
  • action · template_redirect · ppprotect-categories.php:46
  • action · template_redirect · ppprotect-categories.php:49
  • action · edit_form_after_editor · ppprotect-categories.php:52
  • action · admin_footer · ppprotect-categories.php:58
  • action · delete_category · ppprotect-categories.php:60
  • filter · the_content · ppprotect-categories.php:506
  • filter · the_content · ppprotect-categories.php:595
  • filter · comments_open · ppprotect-categories.php:596
  • filter · get_comments_number · ppprotect-categories.php:597
  • action · admin_footer · ppprotect-categories.php:887
Maintenance & Trust

PilotPress Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.8.5
  • Last updated: Sep 24, 2025
  • PHP min version:
  • Downloads: 104K

Community Trust

  • Rating: 44/100
  • Number of ratings: 5
  • Active installs: 1K
Developer Profile

PilotPress Developer Profile

ONTRAPORT

1 plugin · 1K total installs

  • Trust score: 57
  • Avg Security Score: 55/100
  • Avg Patch Time: 52 days
Detection Fingerprints

How We Detect PilotPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/pilotpress/js/jquery-ui.css
  • /wp-content/plugins/pilotpress/js/tracking.js
  • /wp-content/plugins/pilotpress/js/moonrayJS-only-wp-forms.css
  • /wp-content/plugins/pilotpress/js/moonray.css
Script Paths
  • /wp-content/plugins/pilotpress/js/jquery-ui.css
  • /wp-content/plugins/pilotpress/js/tracking.js
  • /wp-content/plugins/pilotpress/js/moonrayJS-only-wp-forms.css
  • /wp-content/plugins/pilotpress/js/moonray.css

HTML / DOM Fingerprints

CSS Classes
  • pilotpress-widget
Data Attributes
  • data-ppc-form
  • data-ppc-form-id
JS Globals
  • pilotpress_widget_js
Shortcode Output
  • [pilotpress_customer_center]
  • [pilotpress_partner_center]
FAQ

Frequently Asked Questions about PilotPress