Does Push Syndication have any unpatched vulnerabilities?

No. All known vulnerabilities in Push Syndication have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Push Syndication compatible with WordPress 5.0.25?

According to WordPress.org data, Push Syndication 1.0 has been tested up to WordPress 5.0.25. Check the plugin's changelog for the latest compatibility information.

How often is Push Syndication updated?

Push Syndication was last updated on Dec 14, 2018. Frequent updates are generally a positive security signal.

What is Push Syndication's security score?

Push Syndication has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Push Syndication Security & Risk Analysis

wordpress.org/plugins/push-syndication

Syndication helps users manage posts across multiple sites. It's useful when managing posts on different platforms. With a single click you can p …

90 active installs v1.0 PHP + WP 3.4+ Updated Dec 14, 2018

wordpress-com-restxmlrpc

A · Safe

CVEs total0

Unpatched0

Last CVENever

Download

Safety Verdict

Is Push Syndication Safe to Use in 2026?

Generally Safe

Score 85/100

Push Syndication has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 7yr ago

Risk Assessment

The push-syndication plugin v1.0 exhibits a generally good security posture with a small attack surface and a lack of recorded vulnerabilities. The static analysis shows that all identified entry points (AJAX handlers, REST API routes, and shortcodes) are either absent or have proper authentication and permission checks. Furthermore, all SQL queries are securely prepared, and the majority of output is properly escaped, indicating adherence to common WordPress security best practices. The absence of known CVEs and historical vulnerabilities further strengthens this positive assessment.

However, there are areas of concern that warrant attention. The presence of dangerous functions like `create_function` and `unserialize` introduces potential risks, especially if they are used with user-supplied input. While the taint analysis did not reveal critical or high severity issues, one flow with unsanitized paths suggests a potential for unexpected behavior or information disclosure if not handled carefully. The use of external HTTP requests also presents a minor risk, as these can be susceptible to various attacks if not properly validated and sanitized.

In conclusion, push-syndication v1.0 is a relatively secure plugin, primarily due to its limited attack surface and strong track record. The plugin developers have implemented several security controls effectively. However, the use of legacy dangerous functions and the single identified unsanitized path represent weaknesses that could be exploited. Addressing these specific code signals would further enhance the plugin's overall security.

Key Concerns

Dangerous functions found: create_function, unserialize
Flow with unsanitized paths detected
External HTTP requests present

Vulnerabilities

None known

Push Syndication Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 16, 2026

Push Syndication Code Analysis

Dangerous Functions

Raw SQL Queries

5 prepared

Unescaped Output

41 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Dangerous Functions Found

create_functionadd_filter('redirect_post_location', create_function( '$location', 'return add_query_arg("message", includes\class-wp-xmlrpc-client.php:138

create_functionadd_filter('redirect_post_location', create_function( '$location', 'return add_query_arg("message", includes\class-wp-xmlrpc-client.php:141

create_functionadd_filter('redirect_post_location', create_function( '$location', 'return add_query_arg("message", includes\class-wp-xmlrpc-client.php:144

create_functionadd_filter('redirect_post_location', create_function( '$location', 'return add_query_arg("message", includes\class-wp-xmlrpc-client.php:147

create_functionadd_filter('redirect_post_location', create_function( '$location', 'return add_query_arg("message", includes\class-wp-xmlrpc-client.php:150

create_functionadd_filter('redirect_post_location', create_function( '$location', 'return add_query_arg("message", includes\class-wp-xmlrpc-client.php:237

unserializereturn @unserialize( $data );includes\push-syndicate-encryption.php:16

create_functionadd_filter('redirect_post_location', create_function( '$location', 'return add_query_arg("message", push-syndication.php:429

create_functionadd_filter('redirect_post_location', create_function( '$location', 'return add_query_arg("message", push-syndication.php:435

SQL Query Safety

100% prepared5 total queries

Output Escaping

80% escaped51 total outputs

Data Flows

1 unsanitized

Data Flow Analysis

2 flows1 with unsanitized paths

get_api_token (push-syndication.php:279)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

Push Syndication Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 20

filterredirect_post_locationincludes\class-wp-xmlrpc-client.php:138

filterredirect_post_locationincludes\class-wp-xmlrpc-client.php:141

filterredirect_post_locationincludes\class-wp-xmlrpc-client.php:144

filterredirect_post_locationincludes\class-wp-xmlrpc-client.php:147

filterredirect_post_locationincludes\class-wp-xmlrpc-client.php:150

filterredirect_post_locationincludes\class-wp-xmlrpc-client.php:237

actioninitpush-syndication.php:35

actionadmin_initpush-syndication.php:36

actionadmin_menupush-syndication.php:39

actionsave_postpush-syndication.php:42

actionadmin_enqueue_scriptspush-syndication.php:45

filterpost_updated_messagespush-syndication.php:48

actionadd_meta_boxespush-syndication.php:51

actionsave_postpush-syndication.php:52

actionwp_trash_postpush-syndication.php:53

actiontransition_post_statuspush-syndication.php:56

actionsyn_syndicate_contentpush-syndication.php:57

actionsyn_delete_contentpush-syndication.php:58

filterredirect_post_locationpush-syndication.php:429

filterredirect_post_locationpush-syndication.php:435

Scheduled Events 2

syn_syndicate_content

syn_delete_content

Maintenance & Trust

Push Syndication Maintenance & Trust

Maintenance Signals

WordPress version tested5.0.25

Last updatedDec 14, 2018

PHP min version

Downloads10K

Community Trust

Rating86/100

Number of ratings4

Active installs90

Alternatives

Push Syndication Alternatives

Disable XML-RPC

disable-xml-rpc

100

Disables the XML-RPC API in WordPress 3.5+, which is enabled by default.

200K No CVEs

Disable XML-RPC-API

disable-xml-rpc-api

100

A simple and lightweight plugin to disable XML-RPC API, X-Pingback and pingback-ping in WordPress 3.5+ for a faster and more secure website

100K No CVEs

Remove & Disable XML-RPC Pingback

remove-xmlrpc-pingback-ping

Prevent pingback, XML-RPC and denial of service DDOS attacks by disabling the XML-RPC pingback functionality.

9K No CVEs

Manage XML-RPC

manage-xml-rpc

Enable/Disable XML-RPC for all or based on IP list, also you can control pingback and Unset X-Pingback from HTTP headers.

6K No CVEs

Stop XML-RPC Attacks

stop-xml-rpc-attacks

100

Blocks dangerous XML-RPC methods while preserving Jetpack, WooCommerce, and mobile apps compatibility.

6K No CVEs

Developer Profile

Push Syndication Developer Profile

Automattic

213 plugins · 19.2M total installs

trust score

Avg Security Score

92/100

Avg Patch Time

1384 days

View full developer profile

Detection Fingerprints

How We Detect Push Syndication

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/push-syndication/css/sites.css

HTML / DOM Fingerprints

HTML Comments

+11 more

FAQ