Posts 2 Posts Security & Risk Analysis

wordpress.org/plugins/posts-to-posts

Efficient many-to-many connections between posts, pages, custom post types, users.

10K active installs · v1.7.8 · PHP 5.6+ · WP 6.0+ · Updated Mar 6, 2026
Tags: connections, custom-post-types, many-to-many, relationships, users
Score: 100 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Posts 2 Posts Safe to Use in 2026?

Generally Safe

Score 100/100

Posts 2 Posts has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 28d ago
Risk Assessment

The posts-to-posts plugin, version 1.7.8, exhibits a generally strong security posture based on the provided static analysis and vulnerability history. The plugin effectively protects its single AJAX entry point with nonce and capability checks, and there are no public REST API routes, shortcodes, or cron events that could serve as attack vectors. The absence of known CVEs and a clean vulnerability history further indicate a well-maintained and secure codebase.

However, there are areas for improvement. The single SQL query present is not built with prepared statements, which poses a moderate risk of SQL injection, especially if user input is incorporated directly into that query. Additionally, half of the detected outputs (50%) are not properly escaped, creating a risk of Cross-Site Scripting (XSS). The presence of a file operation also warrants attention, though without further context its specific risk is difficult to assess.

In conclusion, while the plugin benefits from robust access control on its entry points and a clean vulnerability history, the unescaped outputs and the raw SQL query represent tangible weaknesses. Addressing these would bring the plugin's security to a more comprehensive level.

Key Concerns

  • Raw SQL query without prepared statements
  • 50% of outputs not properly escaped
Vulnerabilities
None known

Posts 2 Posts Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Posts 2 Posts Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (0 prepared)
Unescaped Output: 7 (7 escaped)
Nonce Checks: 2
Capability Checks: 1
File Operations: 1
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

0% prepared (1 total query)

Output Escaping

50% escaped (14 total outputs)
Attack Surface

Posts 2 Posts Attack Surface

Entry Points: 1
Unprotected: 0

AJAX Handlers (1)

Type   Hook              File
auth   wp_ajax_p2p_box   admin\box-factory.php:14
WordPress Hooks (19)

Type     Hook                             File
action   add_meta_boxes                   admin\box-factory.php:12
action   save_post                        admin\box-factory.php:13
action   admin_footer                     admin\box.php:57
action   load-edit.php                    admin\column-factory.php:10
action   load-users.php                   admin\column-factory.php:11
action   admin_print_styles               admin\column-factory.php:21
action   pre_user_query                   admin\column-user.php:8
filter   manage_users_custom_column       admin\column-user.php:10
action   load-edit.php                    admin\dropdown-factory.php:10
action   load-users.php                   admin\dropdown-factory.php:11
filter   request                          admin\dropdown-post.php:8
action   restrict_manage_posts            admin\dropdown-post.php:10
action   pre_user_query                   admin\dropdown-user.php:8
action   restrict_manage_users            admin\dropdown-user.php:10
action   p2p_registered_connection_type   admin\factory.php:10
action   admin_init                       admin\tools-page.php:12
action   admin_notices                    admin\tools-page.php:14
action   p2p_registered_connection_type   debug-utils.php:5
action   wp_loaded                        posts-to-posts.php:71
Maintenance & Trust

Posts 2 Posts Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 6, 2026
PHP min version: 5.6
Downloads: 404K

Community Trust

Rating: 96/100
Number of ratings: 101
Active installs: 10K
Developer Profile

Posts 2 Posts Developer Profile

scribu

20 plugins · 28K total installs

Trust score: 69
Avg Security Score: 86/100
Avg Patch Time: 4851 days
Detection Fingerprints

How We Detect Posts 2 Posts

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/posts-to-posts/box.css
/wp-content/plugins/posts-to-posts/mustache.js
/wp-content/plugins/posts-to-posts/box.js
Script Paths
/wp-content/plugins/posts-to-posts/box.js
Version Parameters
posts-to-posts/box.css?ver=
posts-to-posts/box.js?ver=

HTML / DOM Fingerprints

CSS Classes
p2p-notice, p2p-box
Data Attributes
data-p2p_type, data-duplicate_connections, data-cardinality, data-direction
JS Globals
P2PAdminL10n, P2P_BOX_NONCE
FAQ

Frequently Asked Questions about Posts 2 Posts