Posts To-Do List Security & Risk Analysis

wordpress.org/plugins/posts-to-do-list

Share post ideas with writers, suggest them writing topics and keep track of the posts ideas with a to-do list.

60 active installs · v1.4.4 · PHP min: not listed · WP 3.0+ · Updated Dec 6, 2025

Tags: multi-author, post-management, posts, to-do-list

Score: 100 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: never
Safety Verdict

Is Posts To-Do List Safe to Use in 2026?

Generally Safe

Score 100/100

Posts To-Do List has no known CVEs and was last updated on Dec 6, 2025. The score above is driven by CVE history alone; the Risk Assessment and Code Analysis sections below record static-analysis findings (missing capability checks on AJAX handlers, low escaping coverage, unserialize calls) that the score does not capture, so treat "no known CVEs" as "not yet examined" rather than "audited clean".

No known CVEs · Updated 5mo ago
Risk Assessment

Version 1.4.4 of posts-to-do-list exposes a large attack surface with almost no authorization. All 11 AJAX entry points are registered on `wp_ajax_` hooks, so they require a logged-in WordPress session, but the scan found only one capability check across them: unless the handlers check roles somewhere the scanner did not see, any authenticated account, down to a subscriber, can reach the add, delete, mark-as-done and claim operations. One action (`posts_to_do_list_ajax_save_user_note`) is additionally registered on `wp_ajax_nopriv_`, which makes it reachable without any session at all. The two `unserialize()` calls operate on the `item_done` column read back from the plugin's own table; taint analysis did not trace user input into them, but if any handler lets a low-privilege user write an arbitrary string into that column, the call becomes a PHP object injection primitive, and the `@` operator suppresses the only warning a malformed payload would produce. Output escaping is weak: 18 of 73 output sites (25%) are escaped, so stored values such as post titles and user notes may reach the browser unescaped, the classic shape of stored cross-site scripting. Prepared statements cover 13 of 36 SQL queries (36%), a minority rather than a majority. The absence of any recorded vulnerability is a weak signal for a plugin with 60 active installs; it more plausibly reflects a lack of scrutiny than a clean codebase. Taken together, the findings show the plugin does not follow basic WordPress hardening practice for AJAX endpoints, SQL construction or output escaping.

Key Concerns

  • 11 AJAX handlers reachable by any logged-in user; save_user_note is also exposed to unauthenticated requests via wp_ajax_nopriv
  • Dangerous function: unserialize (2 call sites, both on the item_done column with errors suppressed by @)
  • Only 18 of 73 outputs (25%) properly escaped
  • Only 1 capability check on 11 entry points
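The pattern behind the first and fourth concerns, as an added example that is not code from the Posts To-Do List plugin: a minimal AJAX handler in the weak shape the scan describes (login required but no nonce, no capability check, interpolated SQL, unescaped output) beside a hardened version. It assumes it runs inside WordPress, which supplies the `wp_ajax_*` hooks, `$wpdb` and the check functions; the action names, the `ptdl_example` table, the `edit_posts` capability and `example.js` are illustrative choices, not the plugin's.

```php
<?php
/*
 * Added example, not the plugin's code. Runs inside WordPress.
 * Table, action names, capability and script file are assumptions.
 */

// --- Weak pattern: any logged-in user can call this, no nonce, no
// capability check, string-interpolated SQL, unescaped output.
add_action( 'wp_ajax_ptdl_example_mark_done_weak', 'ptdl_example_mark_done_weak' );
function ptdl_example_mark_done_weak() {
    global $wpdb;
    $id = $_POST['item_id'];                                   // raw, attacker-controlled
    $wpdb->query( "UPDATE {$wpdb->prefix}ptdl_example SET done = 1 WHERE id = $id" ); // SQL injection
    $row = $wpdb->get_row( "SELECT title FROM {$wpdb->prefix}ptdl_example WHERE id = $id" );
    echo $row->title;                                          // stored XSS if another user wrote the title
    wp_die();
}

// --- Hardened version. Only 'wp_ajax_' is registered, so anonymous visitors
// never reach it; registering 'wp_ajax_nopriv_' as well would reopen it.
add_action( 'wp_ajax_ptdl_example_mark_done', 'ptdl_example_mark_done' );
function ptdl_example_mark_done() {
    global $wpdb;

    // 1. CSRF: the request must carry a nonce minted for this exact action.
    check_ajax_referer( 'ptdl_example_mark_done', 'nonce' );

    // 2. Authorization: a session is not enough, require a capability.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input validation: the id is a positive integer or the request fails.
    $id = isset( $_POST['item_id'] ) ? absint( $_POST['item_id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'bad item id', 400 );
    }

    // 4. SQL: prepared statements; the table name comes from the trusted prefix.
    $table = $wpdb->prefix . 'ptdl_example';
    $wpdb->query( $wpdb->prepare( "UPDATE {$table} SET done = 1 WHERE id = %d", $id ) );
    $row = $wpdb->get_row( $wpdb->prepare( "SELECT title FROM {$table} WHERE id = %d", $id ) );

    // 5. Output: escape before anything reaches the browser.
    wp_send_json_success( array( 'title' => $row ? esc_html( $row->title ) : '' ) );
}

// The browser side must send the nonce; mint it where the script is enqueued.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'ptdl-example', plugins_url( 'example.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'ptdl-example', 'ptdlExample', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'ptdl_example_mark_done' ),
    ) );
} );
```

The nonce alone does not authorize anything: a subscriber can obtain a valid nonce from any page that enqueues the script, so the `current_user_can()` check is what actually limits who may mark, delete or claim items. When reviewing a plugin, look for both on every `wp_ajax_` callback, and treat every `wp_ajax_nopriv_` registration as a public endpoint.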
Vulnerabilities
None known

Posts To-Do List Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Posts To-Do List Release Timeline

v1.4.5
v1.4.4 (current)
v1.4.3
v1.4.2
v1.4.1
v1.4
v1.3
v1.2
v1.1
v1.0
v0.99
v0.98
v0.97
v0.96
v0.95
v0.94
v0.9.5
v0.9.3
v0.9.1
v0.9
Code Analysis
Analyzed Mar 16, 2026

Posts To-Do List Code Analysis

Dangerous Functions: 2
SQL Queries: 23 raw, 13 prepared (36 total)
Output Sites: 55 unescaped, 18 escaped (73 total)
Nonce Checks: 13
Capability Checks: 1
File Operations: 0
External Requests: 1
Bundled Libraries: 0

Dangerous Functions Found

unserialize, posts-to-do-list-print-functions.php:97
    $item_done_details = @unserialize( $single->item_done );
unserialize, posts-to-do-list.php:781
    $item_done = @unserialize( $single->item_done );
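Why a scanner flags these two lines, and what the fix looks like when the stored format has to stay serialized, as an added stand-alone PHP example that is not the plugin's code. In the plugin the value comes from the `item_done` database column; whether a low-privilege user can write to that column is not established by this scan, so the crafted payload below is a constructed sample, and `LogWriter` is a stand-in for whatever class with a magic method happens to be loaded on a real site.

```php
<?php
// Added example, not the plugin's code. Runs with the PHP CLI (7.0+ for
// the allowed_classes option). LogWriter and both payloads are constructed.

// A loaded class with a magic method is all PHP object injection needs:
// if the serialized blob names it, unserialize() builds the instance with
// attacker-chosen properties and __destruct runs when it is released.
class LogWriter {
    public $path;
    public $data;
    public function __destruct() {
        // a real gadget would write $data to $path; here we only record it fired
        echo "__destruct fired for {$this->path}\n";
    }
}

// What the plugin's column is meant to hold (a plain array) ...
$benign = serialize( array( 'user_id' => 3, 'date' => '2025-12-06' ) );
// ... and what an attacker who controls the column would store instead.
$crafted = 'O:9:"LogWriter":2:{s:4:"path";s:12:"/tmp/pwn.php";s:4:"data";s:5:"<?php";}';

function unsafe_decode( string $blob ) {
    return @unserialize( $blob );                      // the flagged pattern
}

function safe_decode( string $blob ): array {
    // allowed_classes => false: no class is ever instantiated, objects come
    // back as __PHP_Incomplete_Class and no magic method runs.
    $v = @unserialize( $blob, array( 'allowed_classes' => false ) );
    // The plugin stores an array; anything else (false, an object) is rejected.
    return is_array( $v ) ? $v : array();
}

var_dump( unsafe_decode( $benign ) );   // the expected array
var_dump( safe_decode( $benign ) );     // the same array
var_dump( safe_decode( $crafted ) );    // array(0) {} and nothing else printed
$o = unsafe_decode( $crafted );         // LogWriter instance built from the blob
unset( $o );                            // "__destruct fired for /tmp/pwn.php"
```

If the column only ever holds arrays, the cleaner fix is to store JSON and read it back with `json_decode( $blob, true )`, which cannot instantiate classes at all. Note also that the `@` in the original lines hides the E_NOTICE that malformed data raises, so a tampered column fails silently; `safe_decode()` above makes the failure explicit by returning an empty array.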

SQL Query Safety

36% prepared (13 of 36 queries)

Output Escaping

25% escaped (18 of 73 outputs)
Data Flows · Security
1 unsanitized

Data Flow Analysis

8 flows, 1 with an unsanitized path
Unsanitized path: posts_to_do_list_metabox_stats (posts-to-do-list.php:611)
Attack Surface
11 unprotected

Posts To-Do List Attack Surface

Entry Points: 11
Unprotected (no capability check): 11

AJAX Handlers (11)

  • [auth] wp_ajax_posts_to_do_list_ajax_retrieve_title (posts-to-do-list.php:98)
  • [auth] wp_ajax_posts_to_do_list_ajax_get_users_by_role (posts-to-do-list.php:99)
  • [auth] wp_ajax_posts_to_do_list_ajax_new_item_submit (posts-to-do-list.php:100)
  • [auth] wp_ajax_posts_to_do_list_ajax_print_item_after_adding (posts-to-do-list.php:101)
  • [auth] wp_ajax_posts_to_do_list_ajax_mark_as_done (posts-to-do-list.php:102)
  • [auth] wp_ajax_posts_to_do_list_ajax_get_page (posts-to-do-list.php:103)
  • [auth] wp_ajax_posts_to_do_list_ajax_delete_item (posts-to-do-list.php:104)
  • [auth] wp_ajax_posts_to_do_list_ajax_i_ll_take_it (posts-to-do-list.php:105)
  • [auth] wp_ajax_posts_to_do_list_ajax_i_dont_want_it_anymore (posts-to-do-list.php:106)
  • [nopriv] wp_ajax_posts_to_do_list_ajax_save_user_note (posts-to-do-list.php:107)
  • [auth] wp_ajax_posts_to_do_list_ajax_save_user_note (posts-to-do-list.php:108)

[auth] handlers run only for logged-in users; [nopriv] handlers also run for unauthenticated requests to admin-ajax.php.
WordPress Hooks (12)

  • action admin_menu (posts-to-do-list.php:65)
  • action wpmu_new_blog (posts-to-do-list.php:71)
  • action add_meta_boxes (posts-to-do-list.php:74)
  • action load-settings_page_posts_to_do_list_options (posts-to-do-list.php:75)
  • action load-dashboard_page_posts_to_do_list (posts-to-do-list.php:76)
  • action wp_dashboard_setup (posts-to-do-list.php:77)
  • filter plugin_action_links (posts-to-do-list.php:80)
  • filter plugin_row_meta (posts-to-do-list.php:81)
  • action admin_head-settings_page_posts_to_do_list_options (posts-to-do-list.php:84)
  • action widgets_init (posts-to-do-list.php:87)
  • action init (posts-to-do-list.php:91)
  • action plugins_loaded (posts-to-do-list.php:867)
Maintenance & Trust

Posts To-Do List Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 6, 2025
PHP min version: not listed
Downloads: 11K

Community Trust

Rating: 94/100
Number of ratings: 7
Active installs: 60
Developer Profile

Posts To-Do List Developer Profile

Stefano

6 plugins · 3K total installs

Trust score: 78
Avg security score: 98/100
Avg patch time: 1578 days
Detection Fingerprints

How We Detect Posts To-Do List

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/posts-to-do-list/style/images/ajax-loader.gif
Version Parameters
posts-to-do-list/style/images/ajax-loader.gif?ver=

HTML / DOM Fingerprints

CSS Classes
ptdl_widget_title
Data Attributes
data-widget-id
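The fingerprints above applied to a page, as an added PHP example that is not the page's own detection tooling. The HTML is constructed inline to stand in for a fetched page; the function names are mine. It weights the signals unequally: the asset path and the `ptdl_widget_title` class are specific to this plugin, while `data-widget-id` is a generic attribute name that many themes and plugins emit, so on its own it does not count as a detection.

```php
<?php
// Added example, not the page's tooling. Runs with the PHP CLI; $sample and
// $unrelated are constructed HTML, not captured from a real site.

const PTDL_ASSET = '/wp-content/plugins/posts-to-do-list/style/images/ajax-loader.gif';

function ptdl_fingerprint( string $html ): array {
    $signals = array();
    $version = null;

    // Asset path, optionally followed by the ?ver= cache-buster. The value is
    // whatever the plugin passed when enqueuing, so it may be the plugin
    // version or the WordPress version; report it, do not trust it blindly.
    $re = '#' . preg_quote( PTDL_ASSET, '#' ) . '(?:\?ver=([0-9.]+))?#';
    if ( preg_match( $re, $html, $m ) ) {
        $signals[] = 'asset-path';
        if ( ! empty( $m[1] ) ) {
            $version = $m[1];
        }
    }
    // Dashboard widget markup.
    if ( preg_match( '/class="[^"]*\bptdl_widget_title\b[^"]*"/', $html ) ) {
        $signals[] = 'css-class';
    }
    if ( strpos( $html, 'data-widget-id' ) !== false ) {
        $signals[] = 'data-attribute';   // weak: generic attribute name
    }

    // Present only on a plugin-specific signal; data-widget-id alone is noise.
    $present = in_array( 'asset-path', $signals, true ) || in_array( 'css-class', $signals, true );
    return array( 'present' => $present, 'version' => $version, 'signals' => $signals );
}

// Constructed page that looks like the plugin's dashboard widget.
$sample = '<div id="ptdl_widget" data-widget-id="7"><h3 class="hndle ptdl_widget_title">To-Do</h3>'
        . '<img src="/wp-content/plugins/posts-to-do-list/style/images/ajax-loader.gif?ver=1.4.4" alt=""></div>';
// Constructed page from an unrelated plugin that also uses data-widget-id.
$unrelated = '<div class="widget" data-widget-id="3"><h3>Recent Posts</h3></div>';

print_r( ptdl_fingerprint( $sample ) );     // present => 1, version => 1.4.4, three signals
print_r( ptdl_fingerprint( $unrelated ) );  // present => (empty), one weak signal
```

The asset path is the most reliable of the three because it can be probed directly with a HEAD request to the site root plus `PTDL_ASSET` even when no page renders the widget; the DOM markers only appear on pages where the widget is output, which for this plugin is the logged-in dashboard.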
FAQ

Frequently Asked Questions about Posts To-Do List