Does Posts To-Do List have any unpatched vulnerabilities?

No. All known vulnerabilities in Posts To-Do List have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Posts To-Do List compatible with WordPress 6.9.4?

According to WordPress.org data, Posts To-Do List 1.4.4 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

How often is Posts To-Do List updated?

Posts To-Do List was last updated on Dec 6, 2025. Frequent updates are generally a positive security signal.

What is Posts To-Do List's security score?

Posts To-Do List has a WP-Safety security score of 100/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Posts To-Do List Security & Risk Analysis

wordpress.org/plugins/posts-to-do-list

Share post ideas with writers, suggest them writing topics and keep track of the posts ideas with a to-do list.

60 active installs v1.4.4 PHP + WP 3.0+ Updated Dec 6, 2025

multi-authorpost-managementpoststo-do-list

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is Posts To-Do List Safe to Use in 2026?

Generally Safe

Score 100/100

Posts To-Do List has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 3mo ago

Risk Assessment

The "posts-to-do-list" plugin version 1.4.4 presents a significant security risk due to a large, unprotected attack surface. All 11 identified AJAX entry points lack authentication checks, making them prime targets for unauthorized actions. The presence of the `unserialize` function, while not explicitly shown to be exploited in taint analysis, is a known dangerous function that can lead to remote code execution if used with untrusted input. Furthermore, only 25% of output is properly escaped, increasing the risk of cross-site scripting (XSS) vulnerabilities. The absence of any recorded vulnerabilities in its history is positive, but this could be due to a lack of sophisticated testing or obscurity, rather than inherent security. The plugin demonstrates a concerning disregard for basic WordPress security practices, particularly concerning AJAX endpoints and output sanitization. While it does utilize prepared statements for a majority of its SQL queries, this is overshadowed by the critical lack of authorization on its primary interaction points.

Key Concerns

11 unprotected AJAX handlers
Dangerous function: unserialize
Only 25% of outputs properly escaped
Only 1 capability check on 11 entry points

Vulnerabilities

None known

Posts To-Do List Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 16, 2026

Posts To-Do List Code Analysis

Dangerous Functions

Raw SQL Queries

13 prepared

Unescaped Output

18 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Dangerous Functions Found

unserialize$item_done_details = @unserialize( $single->item_done );posts-to-do-list-print-functions.php:97

unserialize$item_done = @unserialize( $single->item_done );posts-to-do-list.php:781

SQL Query Safety

36% prepared36 total queries

Output Escaping

25% escaped73 total outputs

Data Flows

1 unsanitized

Data Flow Analysis

8 flows1 with unsanitized paths

posts_to_do_list_metabox_stats (posts-to-do-list.php:611)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

11 unprotected

Posts To-Do List Attack Surface

Entry Points11

Unprotected11

AJAX Handlers 11

authwp_ajax_posts_to_do_list_ajax_retrieve_titleposts-to-do-list.php:98

authwp_ajax_posts_to_do_list_ajax_get_users_by_roleposts-to-do-list.php:99

authwp_ajax_posts_to_do_list_ajax_new_item_submitposts-to-do-list.php:100

authwp_ajax_posts_to_do_list_ajax_print_item_after_addingposts-to-do-list.php:101

authwp_ajax_posts_to_do_list_ajax_mark_as_doneposts-to-do-list.php:102

authwp_ajax_posts_to_do_list_ajax_get_pageposts-to-do-list.php:103

authwp_ajax_posts_to_do_list_ajax_delete_itemposts-to-do-list.php:104

authwp_ajax_posts_to_do_list_ajax_i_ll_take_itposts-to-do-list.php:105

authwp_ajax_posts_to_do_list_ajax_i_dont_want_it_anymoreposts-to-do-list.php:106

noprivwp_ajax_posts_to_do_list_ajax_save_user_noteposts-to-do-list.php:107

authwp_ajax_posts_to_do_list_ajax_save_user_noteposts-to-do-list.php:108

WordPress Hooks 12

actionadmin_menuposts-to-do-list.php:65

actionwpmu_new_blogposts-to-do-list.php:71

actionadd_meta_boxesposts-to-do-list.php:74

actionload-settings_page_posts_to_do_list_optionsposts-to-do-list.php:75

actionload-dashboard_page_posts_to_do_listposts-to-do-list.php:76

actionwp_dashboard_setupposts-to-do-list.php:77

filterplugin_action_linksposts-to-do-list.php:80

filterplugin_row_metaposts-to-do-list.php:81

actionadmin_head-settings_page_posts_to_do_list_optionsposts-to-do-list.php:84

actionwidgets_initposts-to-do-list.php:87

actioninitposts-to-do-list.php:91

actionplugins_loadedposts-to-do-list.php:867

Maintenance & Trust

Posts To-Do List Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedDec 6, 2025

PHP min version

Downloads11K

Community Trust

Rating94/100

Number of ratings7

Active installs60

Alternatives

Posts To-Do List Alternatives

Delete Posts By URL

delete-posts-by-url

100

Advanced bulk deletion of WordPress posts with multiple filtering options and powerful features for content management.

80 No CVEs

Auto-Schedule Posts

auto-schedule-posts

Auto-Schedule Posts allows users to separate their writing schedule from their publishing schedule - write when you want and have posts publish at the …

50 No CVEs