Postqueue Security & Risk Analysis

wordpress.org/plugins/postqueue

Allows you to create your very own loop order of posts

10 active installs · v1.5.1 · PHP 7.4+ · WP 5.0+ · Updated Feb 19, 2026
looporder-postsqueue
100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Postqueue Safe to Use in 2026?

Generally Safe

Score 100/100

Postqueue has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 1mo ago
Risk Assessment

The postqueue v1.5.1 plugin exhibits a mixed security posture. It avoids dangerous functions and performs the vast majority of its SQL queries using prepared statements, but several areas raise concerns. A significant portion of the attack surface, specifically 3 out of 9 AJAX handlers, is not protected by authentication checks, which presents a direct risk of unauthorized actions if these handlers are exploitable. The taint analysis also indicates flows with unsanitized paths. None is currently rated critical or high severity, but they warrant attention because they could lead to vulnerabilities if further exploited. The plugin's lack of recorded vulnerabilities in its history is a positive sign, suggesting a history of good security practices or a lack of exploitation. However, this doesn't negate the risks identified in the static analysis, particularly the unprotected AJAX endpoints.

Key Concerns

  • Unprotected AJAX handlers
  • Flows with unsanitized paths (taint analysis)
  • Low percentage of properly escaped output
  • Missing nonce checks on AJAX handlers
Vulnerabilities
None known

Postqueue Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

Postqueue Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (11 prepared)
Unescaped Output: 25 (14 escaped)
Nonce Checks: 0
Capability Checks: 8
File Operations: 0
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

TinyMCE

SQL Query Safety

92% prepared, 12 total queries

Output Escaping

36% escaped, 39 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

4 flows, 2 with unsanitized paths
ajax_callback_add_post (classes\MetaBox.php:89)
Attack Surface
3 unprotected

Postqueue Attack Surface

Entry Points: 9
Unprotected: 3

AJAX Handlers: 9

auth · wp_ajax_ph_postqueue_create_queue · classes\Ajax.php:14
auth · wp_ajax_ph_postqueue_delete_queue · classes\Ajax.php:18
auth · wp_ajax_ph_postqueue_load_queue · classes\Ajax.php:22
auth · wp_ajax_ph_postqueue_save_post_items · classes\Ajax.php:26
auth · wp_ajax_ph_postqueue_delete_post · classes\Ajax.php:30
auth · wp_ajax_ph_postqueue_search_posts · classes\Ajax.php:34
auth · wp_ajax_postqueue_add_post · classes\MetaBox.php:25
auth · wp_ajax_postqueue_remove_post · classes\MetaBox.php:26
auth · wp_ajax_postqueue_data_script · classes\Shortcode.php:17

WordPress Hooks: 17

filter · blockx_add_templates_paths · classes\BlockX.php:11
action · blockx_collect · classes\BlockX.php:15
action · wp_enqueue_scripts · classes\Component\Assets.php:15
action · admin_enqueue_scripts · classes\Component\Assets.php:18
action · init · classes\Component\Plugin.php:75
action · admin_menu · classes\Editor.php:13
action · grid_load_classes · classes\Grid.php:10
filter · grid_templates_paths · classes\Grid.php:11
action · plugins_loaded · classes\Headless.php:12
action · init · classes\MetaBox.php:9
action · add_meta_boxes · classes\MetaBox.php:20
action · delete_post · classes\Post.php:14
action · rest_api_init · classes\REST.php:15
action · admin_print_footer_scripts · classes\Shortcode.php:10
filter · mce_buttons_2 · classes\Shortcode.php:12
filter · mce_external_plugins · classes\Shortcode.php:13
filter · mce_css · classes\Shortcode.php:15
Maintenance & Trust

Postqueue Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.0.11
Last updated: Feb 19, 2026
PHP min version: 7.4
Downloads: 2K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 10
Developer Profile

Postqueue Developer Profile

EdwardBock

22 plugins · 2K total installs

Trust score: 72
Avg Security Score: 90/100
Avg Patch Time: 107 days
Detection Fingerprints

How We Detect Postqueue

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/postqueue/dist/meta-box.css
/wp-content/plugins/postqueue/dist/meta-box.js
/wp-content/plugins/postqueue/dist/postqueue-editor.css
/wp-content/plugins/postqueue/dist/postqueue-editor.js
Script Paths
/wp-content/plugins/postqueue/dist/meta-box.js
/wp-content/plugins/postqueue/dist/postqueue-editor.js
Version Parameters
postqueue-metabox-css
postqueue-metabox
postqueue-css
postqueue-js

HTML / DOM Fingerprints

CSS Classes
postqueue-metabox
postqueue-editor
Data Attributes
data-postqueue-editor-loaded
JS Globals
PostqueueMetaBoxL10n
REST Endpoints
/wp-json/postqueue/v1/items
/wp-json/postqueue/v1/items/(?P<id>[\d]+)
/wp-json/postqueue/v1/postqueue/(?P<id>[\d]+)
/wp-json/postqueue/v1/postqueue
/wp-json/postqueue/v1/queue
Shortcode Output
[postqueue]