WP-Safety

Post Status Scheduler Security & Risk Analysis

wordpress.org/plugins/post-status-scheduler

Change status, categories/tags or postmeta of any post type at a scheduled timestamp.

30 active installs v1.3.1 PHP + WP 3.9+ Updated May 23, 2017
categoriespagespostmetapoststags
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Download
Safety Verdict

Is Post Status Scheduler Safe to Use in 2026?

Generally Safe

Score 85/100

Post Status Scheduler has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 8yr ago
Risk Assessment

The post-status-scheduler plugin v1.3.1 exhibits a mixed security posture. While it boasts a small attack surface with no identified unauthenticated entry points and no known past vulnerabilities, several code signals raise concerns. The presence of the `unserialize` function is a significant risk, as it can lead to Remote Code Execution (RCE) if data passed to it is not rigorously sanitized. Furthermore, the plugin uses SQL queries without prepared statements, which makes it susceptible to SQL injection attacks. The low percentage of properly escaped output also increases the risk of Cross-Site Scripting (XSS) vulnerabilities.

Despite the absence of documented vulnerabilities, the potential for RCE via unserialization and SQL injection remains. The lack of nonce checks on its single shortcode (the only entry point analyzed) is also a weakness, though it's unclear if this entry point is intended to handle user-supplied data in a way that would be exploitable. The vulnerability history being clean is positive, suggesting developers may be responsive to security, but the current code analysis reveals latent risks that need addressing. Overall, the plugin has potential, but critical security flaws in data handling and database interaction need immediate attention.

Key Concerns

  • Use of unserialize without clear sanitization
  • SQL queries not using prepared statements
  • Low percentage of properly escaped output
  • No nonce checks on entry points
Vulnerabilities
None known

Post Status Scheduler Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Post Status Scheduler Code Analysis

Dangerous Functions
1
Raw SQL Queries
2
0 prepared
Unescaped Output
20
10 escaped
Nonce Checks
0
Capability Checks
1
File Operations
0
External Requests
0
Bundled Libraries
0

Dangerous Functions Found

unserialize$tmp_categories = unserialize( $tmp_categories );classes\event.php:52

SQL Query Safety

0% prepared2 total queries

Output Escaping

33% escaped30 total outputs
Attack Surface

Post Status Scheduler Attack Surface

Entry Points1
Unprotected0

Shortcodes 1

[pss_scheduled_time] classes\shortcode.php:17
WordPress Hooks 10
actionplugins_loadedclasses\scheduler.php:42
actionschedule_post_status_changeclasses\scheduler.php:45
actiondelete_postclasses\scheduler.php:48
actionwp_trash_postclasses\scheduler.php:49
actionpost_submitbox_misc_actionsclasses\scheduler.php:61
actionadmin_enqueue_scriptsclasses\scheduler.php:64
actionsave_postclasses\scheduler.php:67
filterrequestclasses\scheduler.php:110
actionadmin_menuclasses\settings.php:32
actionadmin_initclasses\settings.php:33

Scheduled Events 1

schedule_post_status_change
Maintenance & Trust

Post Status Scheduler Maintenance & Trust

Maintenance Signals

WordPress version tested4.7.32
Last updatedMay 23, 2017
PHP min version
Downloads3K

Community Trust

Rating100/100
Number of ratings1
Active installs30
Alternatives

Post Status Scheduler Alternatives

Essential Widgets

Essential Widgets

essential-widgets

A
98

Essential Widgets is a WordPress plugin for widgets that allows you to create and add amazing widgets with high customization option

10K 2 CVEs
SEO Auto Linker

SEO Auto Linker

wpa-seo-auto-linker

B
70

SEO Auto Linker assists in creating cornerstone SEO content. This is not a full replacement for SEO plugins.

4K 1 unpatched
SEO Links Generator

SEO Links Generator

seo-links-generator

A
85

With SEO Links Generator you can easily add links (automatically) for keywords and phrases in posts, pages and comments.

10 No CVEs
Post Tags and Categories for Pages

Post Tags and Categories for Pages

post-tags-and-categories-for-pages

A
100

Adds the built in WordPress categories and tags to your pages.

20K No CVEs
Flexible Posts Widget

Flexible Posts Widget

flexible-posts-widget

A
85

An advanced posts display widget with many options. Display posts in your sidebars any way you'd like!

8K No CVEs
Developer Profile

Post Status Scheduler Developer Profile

farne

2 plugins · 40 total installs

84
trust score
Avg Security Score
85/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Post Status Scheduler

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/post-status-scheduler/assets/css/backend.css/wp-content/plugins/post-status-scheduler/assets/js/backend.js
Script Paths
/wp-content/plugins/post-status-scheduler/assets/js/backend.js
Version Parameters
post-status-scheduler/assets/css/backend.css?ver=post-status-scheduler/assets/js/backend.js?ver=

HTML / DOM Fingerprints

CSS Classes
pss-post-status-scheduler-optionspss-post-status-scheduler-field
Data Attributes
data-pss-datedata-pss-timedata-pss-statusdata-pss-category-actiondata-pss-meta-key
JS Globals
post_status_scheduler_params
FAQ

Frequently Asked Questions about Post Status Scheduler