Propovoice: All-in-One Client Management System Security & Risk Analysis

wordpress.org/plugins/propovoice

All-in-one client management system for freelancers & agencies on WordPress. Manage leads, deals, invoices & projects. Get paid faster!

1K active installs · v1.7.8 · PHP 7.4+ · WP 6.2+ · Updated Sep 15, 2025
Tags: business-management, client, client-management, customer, project-management
Score: 70 (B · Generally Safe)
CVEs total: 3
Unpatched: 1
Last CVE: Sep 10, 2025
Safety Verdict

Is Propovoice: All-in-One Client Management System Safe to Use in 2026?

Mostly Safe

Score 70/100

Propovoice: All-in-One Client Management System is generally safe to use. 3 past CVEs were resolved. Keep it updated.

3 known CVEs · 1 unpatched · Last CVE: Sep 10, 2025 · Updated 6mo ago
Risk Assessment

The Propovoice plugin version 1.7.8 exhibits a mixed security posture. While it demonstrates good practices in many areas, such as nearly all SQL queries using prepared statements and a high percentage of properly escaped output, there are significant concerns that warrant attention. The presence of 10 'unserialize' calls is a notable risk, as unserialization of untrusted data can lead to code execution vulnerabilities. Additionally, one unprotected REST API route presents a direct entry point that could be exploited without proper authentication or authorization.

The plugin's vulnerability history is concerning, with three known CVEs, one of which remains unpatched. The types of past vulnerabilities – External Control of File Name or Path, Authorization Bypass, and Cross-Site Scripting – indicate a recurring pattern of exploitable weaknesses. The fact that these vulnerabilities have occurred relatively recently, with the last one in September 2025, suggests ongoing security challenges. Despite a generally robust approach to input validation and capability checks, the combination of legacy issues and new potential attack vectors necessitates a cautious approach.

In conclusion, Propovoice v1.7.8 has strengths in its general adherence to secure coding principles for SQL and output handling. However, the critical 'unserialize' function usage, an unprotected REST API endpoint, and a history of serious, unpatched vulnerabilities significantly increase its risk profile. Users should be aware of these risks and prioritize updating to a version that addresses the outstanding vulnerabilities.

Key Concerns

  • Unpatched CVE
  • Unprotected REST API route
  • Dangerous function 'unserialize' used
  • High number of past CVEs
Vulnerabilities
3

Propovoice: All-in-One Client Management System Security Vulnerabilities

CVEs by Year

2024: 2 CVEs (has unpatched)
2025: 1 CVE (patched)

Severity Breakdown

High: 2
Medium: 1

3 total CVEs

CVE-2025-8422 · high · 7.5 · External Control of File Name or Path

Propovoice <= 1.7.6.7 - Unauthenticated Arbitrary File Read

Sep 10, 2025 · Patched in 1.7.7 (41d)

CVE-2024-43350 · medium · 5.3 · Authorization Bypass Through User-Controlled Key

Propovoice CRM <= 1.7.8 - Unauthenticated Insecure Direct Object Reference

Aug 16, 2024 · Unpatched

CVE-2024-4747 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Propovoice CRM <= 1.7.6.2 - Unauthenticated Stored Cross-Site Scripting

May 10, 2024 · Patched in 1.7.6.3 (13d)
Code Analysis
Analyzed Mar 16, 2026

Propovoice: All-in-One Client Management System Code Analysis

  • Dangerous Functions: 10
  • Raw SQL Queries: 0 (14 prepared)
  • Unescaped Output: 4 (492 escaped)
  • Nonce Checks: 4
  • Capability Checks: 158
  • File Operations: 0
  • External Requests: 3
  • Bundled Libraries: 0

Dangerous Functions Found

unserialize · $config = unserialize( $action->config ); · includes\Api\Type\Parts\Workflow\Actions.php:46
unserialize · $action_data = unserialize( $action->action_data ); · includes\Api\Type\Parts\Workflow\Actions.php:48
unserialize · $config = unserialize( $lead_action->config ); · includes\Api\Type\Parts\Workflow\Actions.php:68
unserialize · $action_data = unserialize( $lead_action->action_data ); · includes\Api\Type\Parts\Workflow\Actions.php:70
unserialize · $config = unserialize( $lead_action->config ); · includes\Api\Type\Parts\Workflow\Actions.php:83
unserialize · $action_data = unserialize( $lead_action->action_data ); · includes\Api\Type\Parts\Workflow\Actions.php:85
unserialize · $config = unserialize( $lead_action->config ); · includes\Api\Type\Parts\Workflow\Actions.php:98
unserialize · $action_data = unserialize( $lead_action->action_data ); · includes\Api\Type\Parts\Workflow\Actions.php:100
unserialize · $config = unserialize( $lead_action->config ); · includes\Api\Type\Parts\Workflow\Actions.php:117
unserialize · $action_data = unserialize( $lead_action->action_data ); · includes\Api\Type\Parts\Workflow\Actions.php:119

SQL Query Safety

100% prepared · 14 total queries

Output Escaping

99% escaped · 496 total outputs
Data Flows
All sanitized

Data Flow Analysis

1 flow
<form-template> (view\template\form-template.php:0)
Attack Surface
1 unprotected

Propovoice: All-in-One Client Management System Attack Surface

Entry Points: 99
Unprotected: 1

AJAX Handlers 1

auth · wp_ajax_ndpv_deactivate_feedback · includes\Assist\Type\Feedback.php:11

REST API Routes 98

POST /wp-json/ndpv/v1/actions · includes\Api\Type\Action.php:24
GET /wp-json/ndpv/v1/actions/(?P<id>\d+) · includes\Api\Type\Action.php:34
PUT /wp-json/ndpv/v1/actions/(?P<id>[^/]+) · includes\Api\Type\Action.php:51
DELETE /wp-json/ndpv/v1/actions/(?P<id>[0-9,]+) · includes\Api\Type\Action.php:68
GET /wp-json/ndpv/v1/businesses/(?P<id>\d+) · includes\Api\Type\Business.php:12
POST /wp-json/ndpv/v1/businesses · includes\Api\Type\Business.php:35
PUT /wp-json/ndpv/v1/businesses/(?P<id>\d+) · includes\Api\Type\Business.php:43
DELETE /wp-json/ndpv/v1/businesses/(?P<id>[0-9,]+) · includes\Api\Type\Business.php:58
GET /wp-json/ndpv/v1/clients/(?P<id>\d+) · includes\Api\Type\Client.php:16
POST /wp-json/ndpv/v1/clients · includes\Api\Type\Client.php:39
PUT /wp-json/ndpv/v1/clients/(?P<id>\d+) · includes\Api\Type\Client.php:47
DELETE /wp-json/ndpv/v1/clients/(?P<id>[0-9,]+) · includes\Api\Type\Client.php:62
GET /wp-json/ndpv/v1/contacts/(?P<id>\d+) · includes\Api\Type\Contact.php:15
POST /wp-json/ndpv/v1/contacts · includes\Api\Type\Contact.php:38
PUT /wp-json/ndpv/v1/contacts/(?P<id>\d+) · includes\Api\Type\Contact.php:46
DELETE /wp-json/ndpv/v1/contacts/(?P<id>[0-9,]+) · includes\Api\Type\Contact.php:61
GET /wp-json/ndpv/v1/deals/(?P<id>\d+) · includes\Api\Type\Deal.php:16
POST /wp-json/ndpv/v1/deals · includes\Api\Type\Deal.php:39
PUT /wp-json/ndpv/v1/deals/(?P<id>\d+) · includes\Api\Type\Deal.php:47
DELETE /wp-json/ndpv/v1/deals/(?P<id>[0-9,]+) · includes\Api\Type\Deal.php:62
GET /wp-json/ndpv/v1/emails/(?P<id>\d+) · includes\Api\Type\Email.php:20
POST /wp-json/ndpv/v1/emails · includes\Api\Type\Email.php:44
DELETE /wp-json/ndpv/v1/emails/(?P<id>[0-9,]+) · includes\Api\Type\Email.php:52
POST /wp-json/ndpv/v1/send-email · includes\Api\Type\Email.php:66
POST /wp-json/ndpv/v1/email-logs · includes\Api\Type\Email.php:112
POST /wp-json/ndpv/v1/delete-email-logs · includes\Api\Type\Email.php:120
POST /wp-json/ndpv/v1/save-custom-email · includes\Api\Type\Email.php:129
POST /wp-json/ndpv/v1/custom-email-templates · includes\Api\Type\Email.php:137
POST /wp-json/ndpv/v1/delete-custom-email-template · includes\Api\Type\Email.php:145
GET /wp-json/ndpv/v1/invoices/(?P<id>\d+) · includes\Api\Type\EstInv.php:15
POST /wp-json/ndpv/v1/invoices · includes\Api\Type\EstInv.php:42
PUT /wp-json/ndpv/v1/invoices/(?P<id>\d+) · includes\Api\Type\EstInv.php:52
DELETE /wp-json/ndpv/v1/invoices/(?P<id>[0-9,]+) · includes\Api\Type\EstInv.php:69
GET /wp-json/ndpv/v1/files/(?P<id>\d+) · includes\Api\Type\File.php:13
POST /wp-json/ndpv/v1/files · includes\Api\Type\File.php:36
PUT /wp-json/ndpv/v1/files/(?P<id>\d+) · includes\Api\Type\File.php:44
DELETE /wp-json/ndpv/v1/files/(?P<id>[0-9,]+) · includes\Api\Type\File.php:59
GET /wp-json/ndpv/v1/leads/(?P<id>\d+) · includes\Api\Type\Lead.php:14
POST /wp-json/ndpv/v1/leads · includes\Api\Type\Lead.php:37
PUT /wp-json/ndpv/v1/leads/(?P<id>\d+) · includes\Api\Type\Lead.php:45
DELETE /wp-json/ndpv/v1/leads/(?P<id>[0-9,]+) · includes\Api\Type\Lead.php:60
GET /wp-json/ndpv/v1/media/(?P<id>\d+) · includes\Api\Type\Media.php:14
POST /wp-json/ndpv/v1/media · includes\Api\Type\Media.php:70
DELETE /wp-json/ndpv/v1/media/(?P<id>[0-9,]+) · includes\Api\Type\Media.php:80
GET /wp-json/ndpv/v1/notes/(?P<id>\d+) · includes\Api\Type\Note.php:11
POST /wp-json/ndpv/v1/notes · includes\Api\Type\Note.php:34
PUT /wp-json/ndpv/v1/notes/(?P<id>\d+) · includes\Api\Type\Note.php:42
DELETE /wp-json/ndpv/v1/notes/(?P<id>[0-9,]+) · includes\Api\Type\Note.php:57
GET /wp-json/ndpv/v1/orders/(?P<id>\d+) · includes\Api\Type\Order.php:16
POST /wp-json/ndpv/v1/orders · includes\Api\Type\Order.php:39
PUT /wp-json/ndpv/v1/orders/(?P<id>\d+) · includes\Api\Type\Order.php:47
DELETE /wp-json/ndpv/v1/orders/(?P<id>[0-9,]+) · includes\Api\Type\Order.php:62
GET /wp-json/ndpv/v1/organizations/(?P<id>\d+) · includes\Api\Type\Org.php:14
POST /wp-json/ndpv/v1/organizations · includes\Api\Type\Org.php:37
PUT /wp-json/ndpv/v1/organizations/(?P<id>\d+) · includes\Api\Type\Org.php:45
DELETE /wp-json/ndpv/v1/organizations/(?P<id>[0-9,]+) · includes\Api\Type\Org.php:60
GET /wp-json/ndpv/v1/packages/(?P<id>\d+) · includes\Api\Type\Package.php:13
POST /wp-json/ndpv/v1/packages · includes\Api\Type\Package.php:40
PUT /wp-json/ndpv/v1/packages/(?P<id>\d+) · includes\Api\Type\Package.php:50
DELETE /wp-json/ndpv/v1/packages/(?P<id>[0-9,]+) · includes\Api\Type\Package.php:67
GET /wp-json/ndpv/v1/payments/(?P<id>\d+) · includes\Api\Type\Payment.php:13
POST /wp-json/ndpv/v1/payments · includes\Api\Type\Payment.php:40
PUT /wp-json/ndpv/v1/payments/(?P<id>\d+) · includes\Api\Type\Payment.php:50
DELETE /wp-json/ndpv/v1/payments/(?P<id>[0-9,]+) · includes\Api\Type\Payment.php:67
POST /wp-json/ndpv/v1/payment-process · includes\Api\Type\PaymentProcess.php:23
GET /wp-json/ndpv/v1/persons/(?P<id>\d+) · includes\Api\Type\Person.php:14
POST /wp-json/ndpv/v1/persons · includes\Api\Type\Person.php:37
PUT /wp-json/ndpv/v1/persons/(?P<id>\d+) · includes\Api\Type\Person.php:45
DELETE /wp-json/ndpv/v1/persons/(?P<id>[0-9,]+) · includes\Api\Type\Person.php:60
GET /wp-json/ndpv/v1/projects/(?P<id>\d+) · includes\Api\Type\Project.php:19
POST /wp-json/ndpv/v1/projects · includes\Api\Type\Project.php:46
PUT /wp-json/ndpv/v1/projects/(?P<id>\d+) · includes\Api\Type\Project.php:56
DELETE /wp-json/ndpv/v1/projects/(?P<id>[0-9,]+) · includes\Api\Type\Project.php:73
GET /wp-json/ndpv/v1/requests/(?P<id>\d+) · includes\Api\Type\Request.php:14
POST /wp-json/ndpv/v1/requests · includes\Api\Type\Request.php:37
PUT /wp-json/ndpv/v1/requests/(?P<id>\d+) · includes\Api\Type\Request.php:45
DELETE /wp-json/ndpv/v1/requests/(?P<id>[0-9,]+) · includes\Api\Type\Request.php:60
GET /wp-json/ndpv/v1/savefornext · includes\Api\Type\SaveForNext.php:24
PUT /wp-json/ndpv/v1/savefornext/(?P<index>[a-zA-Z0-9\-]+) · includes\Api\Type\SaveForNext.php:34
DELETE /wp-json/ndpv/v1/savefornext/(?P<index>[a-zA-Z0-9\-]+) · includes\Api\Type\SaveForNext.php:42
POST /wp-json/ndpv/v1/settings · includes\Api\Type\Setting.php:252
GET /wp-json/ndpv/v1/tasks/(?P<id>\d+) · includes\Api\Type\Task.php:13
POST /wp-json/ndpv/v1/tasks · includes\Api\Type\Task.php:36
PUT /wp-json/ndpv/v1/tasks/(?P<id>\d+) · includes\Api\Type\Task.php:44
DELETE /wp-json/ndpv/v1/tasks/(?P<id>[0-9,]+) · includes\Api\Type\Task.php:59
GET /wp-json/ndpv/v1/taxonomies/(?P<id>\d+) · includes\Api\Type\Taxonomy.php:13
POST /wp-json/ndpv/v1/taxonomies · includes\Api\Type\Taxonomy.php:36
PUT /wp-json/ndpv/v1/taxonomies/(?P<id>\d+) · includes\Api\Type\Taxonomy.php:44
DELETE /wp-json/ndpv/v1/taxonomies/(?P<id>[0-9,]+)/(?P<tax>[a-z,_]+) · includes\Api\Type\Taxonomy.php:59
GET /wp-json/ndpv/v1/teams/(?P<id>\d+) · includes\Api\Type\Team.php:15
POST /wp-json/ndpv/v1/teams · includes\Api\Type\Team.php:38
PUT /wp-json/ndpv/v1/teams/(?P<id>\d+) · includes\Api\Type\Team.php:46
DELETE /wp-json/ndpv/v1/teams/(?P<id>[0-9,]+) · includes\Api\Type\Team.php:61
GET /wp-json/ndpv/v1/webhooks/(?P<id>\d+) · includes\Api\Type\Webhook.php:12
POST /wp-json/ndpv/v1/webhooks · includes\Api\Type\Webhook.php:35
PUT /wp-json/ndpv/v1/webhooks/(?P<id>\d+) · includes\Api\Type\Webhook.php:43
DELETE /wp-json/ndpv/v1/webhooks/(?P<id>[0-9,]+) · includes\Api\Type\Webhook.php:58
GET /wp-json/ndpv/v1/intg-smtp · includes\Integrate\Smtp\SmtpList.php:11

WordPress Hooks 43

action · rest_api_init · includes\Api\Controller.php:97
filter · rest_request_before_callbacks · includes\Api\Controller.php:102
action · ndpvp_webhook · includes\Api\Type\Parts\Workflow\Actions.php:16
action · init · includes\Asset\Manager.php:25
action · wp_enqueue_scripts · includes\Asset\Manager.php:27
action · admin_enqueue_scripts · includes\Asset\Manager.php:28
filter · admin_footer_text · includes\Asset\Manager.php:32
filter · update_footer · includes\Asset\Manager.php:33
filter · show_admin_bar · includes\Asset\Manager.php:36
action · current_screen · includes\Asset\Manager.php:38
action · admin_enqueue_scripts · includes\Asset\Manager.php:45
action · admin_footer · includes\Asset\Manager.php:434
action · current_screen · includes\Cleanup\Style.php:12
action · in_admin_header · includes\Cleanup\Style.php:33
action · admin_print_styles · includes\Cleanup\Style.php:34
action · init · includes\Hook\Type\Action\Role.php:40
action · init · includes\Hook\Type\Action\Role.php:41
filter · body_class · includes\Hook\Type\Filter.php:7
filter · admin_body_class · includes\Hook\Type\Filter.php:8
filter · ajax_query_attachments_args · includes\Hook\Type\Filter.php:9
filter · woocommerce_prevent_admin_access · includes\Hook\Type\Filter.php:16
action · rest_api_init · includes\Integrate\Form\FormList.php:10
action · rest_api_init · includes\Integrate\Smtp\SmtpList.php:7
action · admin_menu · includes\MenuPage\Type\Dashboard.php:10
action · admin_menu · includes\MenuPage\Type\Welcome.php:8
action · admin_head · includes\MenuPage\Type\Welcome.php:9
filter · cron_schedules · includes\Setup\InstallCtrl.php:14
action · admin_init · includes\Setup\InstallCtrl.php:17
action · admin_init · includes\Setup\InstallCtrl.php:18
action · admin_notices · includes\Setup\InstallCtrl.php:110
action · init · includes\Taxonomy\TaxonomyCtrl.php:7
filter · theme_page_templates · includes\Template\TemplateCtrl.php:8
filter · template_include · includes\Template\TemplateCtrl.php:9
action · wp_enqueue_scripts · includes\Template\TemplateCtrl.php:10
action · admin_enqueue_scripts · includes\Template\TemplateCtrl.php:11
action · elementor/elements/categories_registered · includes\Widget\Elementor\ElementorCtrl.php:10
action · elementor/widgets/widgets_registered · includes\Widget\Elementor\ElementorCtrl.php:11
action · init · propovoice.php:173
action · wp_enqueue_scripts · propovoice.php:311
action · wp_enqueue_scripts · view\template\estimate-template.php:9
action · wp_enqueue_scripts · view\template\invoice-template.php:9
action · wp_enqueue_scripts · view\template\package-template.php:9
action · wp_enqueue_scripts · view\template\workspace-template.php:9

Scheduled Events 3

ndpv_hourly_event
ndpv_half_minute_event
ndpv_one_minute_event
Maintenance & Trust

Propovoice: All-in-One Client Management System Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Sep 15, 2025
PHP min version: 7.4
Downloads: 45K

Community Trust

Rating: 78/100
Number of ratings: 30
Active installs: 1K
Developer Profile

Propovoice: All-in-One Client Management System Developer Profile

Propovoice

1 plugin · 1K total installs

Trust score: 73
Avg Security Score: 70/100
Avg Patch Time: 27 days
Detection Fingerprints

How We Detect Propovoice: All-in-One Client Management System

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/propovoice/build/frontend.js
  • /wp-content/plugins/propovoice/build/backend.js
  • /wp-content/plugins/propovoice/build/index.js
  • /wp-content/plugins/propovoice/assets/css/bootstrap.css
  • /wp-content/plugins/propovoice/assets/css/datatable.css
  • /wp-content/plugins/propovoice/assets/css/frontend.css
  • /wp-content/plugins/propovoice/assets/css/styles.css
  • /wp-content/plugins/propovoice/assets/css/select2.min.css
  • +1 more

Script Paths

  • /wp-content/plugins/propovoice/build/frontend.js
  • /wp-content/plugins/propovoice/build/backend.js
  • /wp-content/plugins/propovoice/build/index.js

Version Parameters

  • propovoice/style.css?ver=
  • propovoice/bootstrap.css?ver=
  • propovoice/datatable.css?ver=
  • propovoice/frontend.css?ver=
  • propovoice/styles.css?ver=
  • propovoice/select2.min.css?ver=
  • propovoice/propovoice.style.css?ver=

HTML / DOM Fingerprints

CSS Classes

  • ndpv-admin-wrapper
  • ndpv-wrapper
  • ndpv-client-section
  • ndpv-deal-section
  • ndpv-estimate-section
  • ndpv-invoice-section
  • ndpv-project-section
  • ndpv-lead-section
  • +3 more

HTML Comments

  • <!-- Created by Propovoice Team -->
  • <!-- Propovoice Admin Wrapper -->
  • <!-- Propovoice Frontend Wrapper -->

Data Attributes

  • data-ndpv-template
  • data-ndpv-component
  • data-ndpv-route

JS Globals

  • window.ndpv_frontend_params
  • window.ndpv_backend_params
  • var ndpv_frontend_params =
  • var ndpv_backend_params =

REST Endpoints

  • /wp-json/propovoice/v1/clients
  • /wp-json/propovoice/v1/deals
  • /wp-json/propovoice/v1/estimates
  • /wp-json/propovoice/v1/invoices
  • /wp-json/propovoice/v1/projects
  • /wp-json/propovoice/v1/leads
  • /wp-json/propovoice/v1/billing

Shortcode Output

  • [propovoice_clients]
  • [propovoice_deals]
  • [propovoice_estimates]
  • [propovoice_invoices]

FAQ

Frequently Asked Questions about Propovoice: All-in-One Client Management System