Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories Security & Risk Analysis

PublishPress Future can make scheduled changes to your content. You can unpublish posts, move posts to a new status, update the categories, and more.

100K active installs v4.9.4 PHP 7.4+ WP 6.7+ Updated Dec 22, 2025

automatic-changesschedule-changesunpublish-postsupdate-postsworkflows

A · Safe

CVEs total5

Unpatched0

Last CVEJan 11, 2026

Plugin page Download

Safety Verdict

Is Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories Safe to Use in 2026?

Generally Safe

Score 95/100

Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEsLast CVE: Jan 11, 2026Updated 3mo ago

Risk Assessment

The Post Expirator plugin, version 4.9.4, exhibits a generally positive security posture, adhering to many best practices. The static analysis reveals a robust use of prepared statements for SQL queries (95%) and proper output escaping for the majority of outputs (87%). Furthermore, the plugin implements a significant number of nonce and capability checks, indicating an effort to secure its functionalities. The absence of critical or high-severity taint flows, alongside a lack of unpatched CVEs, further reinforces this positive outlook.

However, there are areas for concern. The presence of 5 taint flows with unsanitized paths, specifically identified as high severity, is a notable risk. While the static analysis did not directly label these as exploitable vulnerabilities, unsanitized paths can often lead to privilege escalation or data exposure if combined with other factors. The plugin's history of 5 medium-severity CVEs, primarily related to missing or incorrect authorization, suggests a recurring pattern of authorization enforcement issues. While these are currently patched, this history warrants vigilance. The plugin also has a very small attack surface with no unprotected entry points, which is a significant strength.

Key Concerns

High severity unsanitized path taint flows (2)
5 medium severity CVEs in history
5 unsanitized path taint flows
13% of SQL queries not using prepared statements
13% of outputs not properly escaped

Vulnerabilities

Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories Security Vulnerabilities

CVEs by Year

1 CVE in 2021

2021

2 CVEs in 2025

2025

2 CVEs in 2026

2026

Patched Has unpatched

Severity Breakdown

Medium

5 total CVEs

CVE-2025-69361medium · 4.3Missing Authorization

Post Expirator <= 4.9.3 - Missing Authorization

Jan 11, 2026 Patched in 4.9.4 (4d)

CVE-2025-14718medium · 5.4Missing Authorization

Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories <= 4.9.3 - Missing Authorization to Authenticated (Contributor+) Workflow Manipulation

Jan 8, 2026 Patched in 4.9.4 (1d)

CVE-2025-13741medium · 4.3Missing Authorization

Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories <= 4.9.2 - Missing Authorization to Authenticated (Contributor+) Authors' Emails Exposure

Dec 15, 2025 Patched in 4.9.3 (1d)

CVE-2025-13149medium · 4.3Missing Authorization

Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories <= 4.9.1 - Authenticated (Author+) Missing Authorization to Post/Page Status Modification

Nov 20, 2025 Patched in 4.9.2 (1d)

CVE-2021-24783medium · 4.3Incorrect Authorization

Post Expirator <= 2.5.1 - Contributor+ Arbitrary Post Schedule Deletion

Oct 11, 2021 Patched in 2.6.0 (834d)

Code Analysis

Analyzed Mar 16, 2026

Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories Code Analysis

Dangerous Functions

Raw SQL Queries

73 prepared

Unescaped Output

324 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

95% prepared77 total queries

Output Escaping

87% escaped373 total outputs

Data Flows

5 unsanitized

Data Flow Analysis

7 flows5 with unsanitized paths

redirectToWorkflowEditor (src\Modules\Workflows\Controllers\WorkflowEditor.php:87)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories Attack Surface

Entry Points2

Unprotected0

Shortcodes 2

[futureaction] src\Modules\Expirator\Controllers\ShortcodeController.php:48

[postexpirator] src\Modules\Expirator\Controllers\ShortcodeController.php:53

WordPress Hooks 3

filterpost-expirator_wp_reviews_allow_display_noticelegacy\classes\Reviews.class.php:22

actioninitpost-expirator.php:132

actioninitpost-expirator.php:136

Maintenance & Trust

Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedDec 22, 2025

PHP min version7.4

Downloads4.0M

Community Trust

Rating90/100

Number of ratings172

Active installs100K

Alternatives

Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories Alternatives

Mailchimp for WooCommerce

mailchimp-for-woocommerce

Connect your store to your Mailchimp audience to track sales, create targeted emails, send abandoned cart emails, and more.

300K 2 CVEs

theMarketer – Email marketing, Newsletters, Automation & Loyalty for Woocommerce

themarketer

Collect subscribers. Send newsletters. Create 1:1 personalised emails using dynamic blocks. Activate one of almost 30 predefined workflows.

600 1 CVE

Gravity Forms: Post Updates

gravity-forms-post-updates

Allows you to use Gravity Forms to update any post on the front end.

300 No CVEs

Everlytic for WooCommerce

everlytic

100

Connect your store to Everlytic for E-Commerce

30 No CVEs

Vextras for WooCommerce

vextras-woocommerce

100

Vextras is a must-have plugin for any WooCommerce store that wants to drive sales, stay organized and help their customers.

10 No CVEs

Developer Profile

Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories Developer Profile

PublishPress

11 plugins · 272K total installs

trust score

Avg Security Score

98/100

Avg Patch Time

321 days

View full developer profile

Detection Fingerprints

How We Detect Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/post-expirator/assets/css/frontend.css/wp-content/plugins/post-expirator/assets/css/frontend.min.css/wp-content/plugins/post-expirator/assets/css/settings.css/wp-content/plugins/post-expirator/assets/css/settings.min.css/wp-content/plugins/post-expirator/assets/js/frontend.js/wp-content/plugins/post-expirator/assets/js/frontend.min.js/wp-content/plugins/post-expirator/assets/js/settings.js/wp-content/plugins/post-expirator/assets/js/settings.min.js

Script Paths

/wp-content/plugins/post-expirator/assets/js/frontend.js/wp-content/plugins/post-expirator/assets/js/settings.js

Version Parameters

post-expirator/assets/css/frontend.css?ver=post-expirator/assets/css/settings.css?ver=post-expirator/assets/js/frontend.js?ver=post-expirator/assets/js/settings.js?ver=

HTML / DOM Fingerprints

CSS Classes

post-expirator-frontendpost-expirator-settings-page

HTML Comments

Data Attributes

data-post-expirator-fielddata-post-expirator-post-id

JS Globals

postExpiratorSettingsPostExpiratorFrontend

REST Endpoints

/wp-json/post-expirator/v1/settings/wp-json/post-expirator/v1/status

Shortcode Output

[post-expirator-status]

FAQ