WP-Safety

Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories Security & Risk Analysis

wordpress.org/plugins/post-expirator

PublishPress Future can make scheduled changes to your content. You can unpublish posts, move posts to a new status, update the categories, and more.

100K active installs v4.10.0 PHP 7.4+ WP 6.7+ Updated Apr 9, 2026
automatic-changesschedule-changesunpublish-postsupdate-postsworkflows
95
A · Safe
CVEs total7
Unpatched0
Last CVEMay 4, 2026
Plugin page Download
Safety Verdict

Is Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories Safe to Use in 2026?

Generally Safe

Score 95/100

Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

7 known CVEsLast CVE: May 4, 2026Updated 1mo ago
Risk Assessment

The Post Expirator plugin, version 4.9.4, exhibits a generally positive security posture, adhering to many best practices. The static analysis reveals a robust use of prepared statements for SQL queries (95%) and proper output escaping for the majority of outputs (87%). Furthermore, the plugin implements a significant number of nonce and capability checks, indicating an effort to secure its functionalities. The absence of critical or high-severity taint flows, alongside a lack of unpatched CVEs, further reinforces this positive outlook.

However, there are areas for concern. The presence of 5 taint flows with unsanitized paths, specifically identified as high severity, is a notable risk. While the static analysis did not directly label these as exploitable vulnerabilities, unsanitized paths can often lead to privilege escalation or data exposure if combined with other factors. The plugin's history of 5 medium-severity CVEs, primarily related to missing or incorrect authorization, suggests a recurring pattern of authorization enforcement issues. While these are currently patched, this history warrants vigilance. The plugin also has a very small attack surface with no unprotected entry points, which is a significant strength.

Key Concerns

  • High severity unsanitized path taint flows (2)
  • 5 medium severity CVEs in history
  • 5 unsanitized path taint flows
  • 13% of SQL queries not using prepared statements
  • 13% of outputs not properly escaped
Vulnerabilities
7 published

Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories Security Vulnerabilities

CVEs by Year

1 CVE in 2021
2021
2 CVEs in 2025
2025
4 CVEs in 2026
2026
Patched Has unpatched

Severity Breakdown

Medium
7

7 total CVEs

CVE-2026-5247medium · 5.5Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories <= 4.10.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'wrapper' Shortcode Attribute

May 4, 2026 Patched in 4.10.1 (1d)
CVE-2026-39482medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Post Expirator <= 4.9.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Mar 22, 2026 Patched in 4.10.0 (25d)
CVE-2025-69361medium · 4.3Missing Authorization

Post Expirator <= 4.9.3 - Missing Authorization

Jan 11, 2026 Patched in 4.9.4 (4d)
CVE-2025-14718medium · 5.4Missing Authorization

Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories <= 4.9.3 - Missing Authorization to Authenticated (Contributor+) Workflow Manipulation

Jan 8, 2026 Patched in 4.9.4 (1d)
CVE-2025-13741medium · 4.3Missing Authorization

Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories <= 4.9.2 - Missing Authorization to Authenticated (Contributor+) Authors' Emails Exposure

Dec 15, 2025 Patched in 4.9.3 (1d)
CVE-2025-13149medium · 4.3Missing Authorization

Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories <= 4.9.1 - Authenticated (Author+) Missing Authorization to Post/Page Status Modification

Nov 20, 2025 Patched in 4.9.2 (1d)
CVE-2021-24783medium · 4.3Incorrect Authorization

Post Expirator <= 2.5.1 - Contributor+ Arbitrary Post Schedule Deletion

Oct 11, 2021 Patched in 2.6.0 (834d)
Version History

Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories Release Timeline

v4.10.0Current1 CVE
CVE-2026-5247
v4.9.42 CVEs43 files changed
CVE-2026-39482 CVE-2026-5247
v4.9.34 CVEs59 files changed
CVE-2025-69361 CVE-2026-39482 CVE-2025-14718 +1 more
v4.9.25 CVEs37 files changed
CVE-2025-69361 CVE-2025-13741 CVE-2026-39482 +2 more
v4.9.16 CVEs35 files changed
CVE-2025-69361 CVE-2025-13741 CVE-2026-39482 +3 more
v4.9.06 CVEs91 files changed
CVE-2025-69361 CVE-2025-13741 CVE-2026-39482 +3 more
v4.8.26 CVEs19 files changed
CVE-2025-69361 CVE-2025-13741 CVE-2026-39482 +3 more
v4.8.16 CVEs21 files changed
CVE-2025-69361 CVE-2025-13741 CVE-2026-39482 +3 more
v4.8.06 CVEs44 files changed
CVE-2025-69361 CVE-2025-13741 CVE-2026-39482 +3 more
v4.7.16 CVEs12 files changed
CVE-2025-69361 CVE-2025-13741 CVE-2026-39482 +3 more
v4.7.06 CVEs
CVE-2025-69361 CVE-2025-13741 CVE-2026-39482 +3 more
v4.6.06 CVEs176 files changed
CVE-2025-69361 CVE-2025-13741 CVE-2026-39482 +3 more
v4.5.06 CVEs
CVE-2025-69361 CVE-2025-13741 CVE-2026-39482 +3 more
v4.4.06 CVEs
CVE-2025-69361 CVE-2025-13741 CVE-2026-39482 +3 more
v4.3.36 CVEs68 files changed
CVE-2025-69361 CVE-2025-13741 CVE-2026-39482 +3 more
v4.3.26 CVEs27 files changed
CVE-2025-69361 CVE-2025-13741 CVE-2026-39482 +3 more
v4.3.16 CVEs200 files changed
CVE-2025-69361 CVE-2025-13741 CVE-2026-39482 +3 more
v4.3.06 CVEs211 files changed
CVE-2025-69361 CVE-2025-13741 CVE-2026-39482 +3 more
v4.2.06 CVEs111 files changed
CVE-2025-69361 CVE-2025-13741 CVE-2026-39482 +3 more
v4.1.36 CVEs
CVE-2025-69361 CVE-2025-13741 CVE-2026-39482 +3 more
Code Analysis
Analyzed Mar 16, 2026

Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories Code Analysis

Dangerous Functions
0
Raw SQL Queries
4
73 prepared
Unescaped Output
49
324 escaped
Nonce Checks
17
Capability Checks
24
File Operations
1
External Requests
0
Bundled Libraries
0

SQL Query Safety

95% prepared77 total queries

Output Escaping

87% escaped373 total outputs
Data Flows · Security
5 unsanitized

Data Flow Analysis

7 flows5 with unsanitized paths
redirectToWorkflowEditor (src\Modules\Workflows\Controllers\WorkflowEditor.php:87)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories Attack Surface

Entry Points2
Unprotected0

Shortcodes 2

[futureaction] src\Modules\Expirator\Controllers\ShortcodeController.php:48
[postexpirator] src\Modules\Expirator\Controllers\ShortcodeController.php:53
WordPress Hooks 3
filterpost-expirator_wp_reviews_allow_display_noticelegacy\classes\Reviews.class.php:22
actioninitpost-expirator.php:132
actioninitpost-expirator.php:136
Maintenance & Trust

Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedApr 9, 2026
PHP min version7.4
Downloads4.1M

Community Trust

Rating90/100
Number of ratings171
Active installs100K
Alternatives

Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories Alternatives

Mailchimp for WooCommerce

Mailchimp for WooCommerce

mailchimp-for-woocommerce

A
99

Connect your store to your Mailchimp audience to track sales, create targeted emails, send abandoned cart emails, and more.

200K 2 CVEs
theMarketer – Email marketing, Newsletters, Automation & Loyalty for Woocommerce

theMarketer – Email marketing, Newsletters, Automation & Loyalty for Woocommerce

themarketer

A
99

Collect subscribers. Send newsletters. Create 1:1 personalised emails using dynamic blocks. Activate one of almost 30 predefined workflows.

700 1 CVE
Gravity Forms: Post Updates

Gravity Forms: Post Updates

gravity-forms-post-updates

A
85

Allows you to use Gravity Forms to update any post on the front end.

300 No CVEs
Everlytic for WooCommerce

Everlytic for WooCommerce

everlytic

A
100

Connect your store to Everlytic for E-Commerce

30 No CVEs
Vextras for WooCommerce

Vextras for WooCommerce

vextras-woocommerce

A
85

Vextras is a must-have plugin for any WooCommerce store that wants to drive sales, stay organized and help their customers.

10 No CVEs
Developer Profile

Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories Developer Profile

PublishPress

11 plugins · 272K total installs

76
trust score
Avg Security Score
96/100
Avg Patch Time
242 days
View full developer profile
Detection Fingerprints

How We Detect Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/post-expirator/assets/css/frontend.css/wp-content/plugins/post-expirator/assets/css/frontend.min.css/wp-content/plugins/post-expirator/assets/css/settings.css/wp-content/plugins/post-expirator/assets/css/settings.min.css/wp-content/plugins/post-expirator/assets/js/frontend.js/wp-content/plugins/post-expirator/assets/js/frontend.min.js/wp-content/plugins/post-expirator/assets/js/settings.js/wp-content/plugins/post-expirator/assets/js/settings.min.js
Script Paths
/wp-content/plugins/post-expirator/assets/js/frontend.js/wp-content/plugins/post-expirator/assets/js/settings.js
Version Parameters
post-expirator/assets/css/frontend.css?ver=post-expirator/assets/css/settings.css?ver=post-expirator/assets/js/frontend.js?ver=post-expirator/assets/js/settings.js?ver=

HTML / DOM Fingerprints

CSS Classes
post-expirator-frontendpost-expirator-settings-page
HTML Comments
<!-- Post Expirator Settings -->
Data Attributes
data-post-expirator-fielddata-post-expirator-post-id
JS Globals
postExpiratorSettingsPostExpiratorFrontend
REST Endpoints
/wp-json/post-expirator/v1/settings/wp-json/post-expirator/v1/status
Shortcode Output
[post-expirator-status]
FAQ

Frequently Asked Questions about Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories