Push World Security & Risk Analysis

wordpress.org/plugins/push-world

This plugin helps send personal and mass push notifications. It can also return customers to abandoned WooCommerce carts through push notifications.

10 active installs · v2.0.2 · PHP + WP 4.6+ · Updated Unknown
browser-notifications, chrome, chrome-notifications, chrome-push, chrome-push-notifications
100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Push World Safe to Use in 2026?

Generally Safe

Score 100/100

Push World has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs
Risk Assessment

The "push-world" v2.0.2 plugin presents a significant security risk due to its exposed attack surface. All five identified AJAX handlers lack authentication checks, meaning any unauthenticated user could potentially trigger these functions. This is a critical oversight that bypasses WordPress's built-in security mechanisms.

While the plugin demonstrates some good practices, such as the absence of dangerous functions and a lack of critical or high severity taint flows, these strengths are overshadowed by the critical lack of authorization on its AJAX endpoints. The presence of nonce checks on only one AJAX handler further exacerbates this risk. Although there is no known vulnerability history, the current code analysis reveals a high likelihood of exploitable vulnerabilities due to the unprotected entry points. The plugin's file operations and external HTTP requests, while not inherently risky, could become vectors for exploitation if combined with the unauthenticated AJAX handlers.

In conclusion, while the plugin doesn't appear to have a history of vulnerabilities and avoids some common pitfalls, the lack of authentication on all its AJAX handlers is a severe weakness. This makes it highly susceptible to unauthorized actions and requires immediate attention. The development team should prioritize implementing proper authentication and authorization checks on all AJAX handlers to mitigate these risks.

Key Concerns

  • 5 AJAX handlers without auth checks
  • Only 1 nonce check on AJAX handlers
  • SQL queries: 50% using prepared statements
  • Output escaping: 64% properly escaped
Vulnerabilities
None known

Push World Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Push World Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 2 (2 prepared)
  • Unescaped Output: 8 (14 escaped)
  • Nonce Checks: 1
  • Capability Checks: 0
  • File Operations: 3
  • External Requests: 1
  • Bundled Libraries: 0

SQL Query Safety

50% prepared · 4 total queries

Output Escaping

64% escaped · 22 total outputs
Attack Surface
5 unprotected

Push World Attack Surface

Entry Points: 5
Unprotected: 5

AJAX Handlers 5

auth · wp_ajax_push_test · core\push.php:10
auth · wp_ajax_check_abandoned · core\pw-wc-integration.php:23
nopriv · wp_ajax_check_abandoned · core\pw-wc-integration.php:24
auth · wp_ajax_order_complete · core\pw-wc-integration.php:26
nopriv · wp_ajax_order_complete · core\pw-wc-integration.php:27

WordPress Hooks 16

action · admin_menu · core\core.php:56
action · admin_init · core\core.php:57
action · admin_init · core\core.php:58
action · admin_init · core\core.php:59
action · admin_init · core\core.php:60
filter · cron_schedules · core\cron.php:3
action · cron_check_abandoned · core\cron.php:20
action · wp_footer · core\pw-wc-integration.php:18
action · woocommerce_new_order · core\pw-wc-integration.php:20
action · woocommerce_order_status_changed · core\pw-wc-integration.php:21
action · plugins_loaded · push-world.php:1164
action · wp_footer · push-world.php:1187
action · wp_head · push-world.php:1190
action · admin_enqueue_scripts · push-world.php:1224
action · admin_enqueue_scripts · push-world.php:1225
action · plugins_loaded · push-world.php:1228

Scheduled Events 1

cron_check_abandoned
Maintenance & Trust

Push World Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.8.28
Last updated: Unknown
PHP min version
Downloads: 2K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 10
Developer Profile

Push World Developer Profile

pushworld

1 plugin · 10 total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Push World

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/push-world/css/app.css
/wp-content/plugins/push-world/js/app.js
Script Paths
/wp-content/plugins/push-world/js/app.js
Version Parameters
push-world/style.css?ver=
push-world/script.js?ver=

HTML / DOM Fingerprints

CSS Classes
pw-check-file, pw-file__success, pw-file__error, pw-btn__check, js-push-test, pw-enable-woocommerce, js-tabs, b-tabs (+6 more)
HTML Comments
<!-- Close tab: Regular fields -->
<!-- Checkbox -->
Data Attributes
data-check, data-for
JS Globals
Sunrise7
FAQ

Frequently Asked Questions about Push World