WP-Safety

QA Assistant Security & Risk Analysis

wordpress.org/plugins/qa-assistant

A comprehensive tool for Software Quality Assurance Engineers with advanced Git branch management capabilities.

0 active installs v2.0.3 PHP 8.0+ WP 5.0+ Updated Feb 26, 2026
helpqa-assistantquality-assurancesqa-helper-tool
100
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is QA Assistant Safe to Use in 2026?

Generally Safe

Score 100/100

QA Assistant has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 2mo ago
Risk Assessment

The qa-assistant plugin, version 2.0.3, exhibits a strong security posture in several key areas. It demonstrates an excellent practice of utilizing prepared statements for all SQL queries and ensures all output is properly escaped. Furthermore, the plugin correctly implements nonce and capability checks for all its AJAX handlers and has no known historical vulnerabilities, suggesting a mature and well-maintained codebase. The absence of external HTTP requests also reduces the potential for supply chain attacks.

However, the static analysis reveals two significant concerns. The presence of two instances of the `exec` function is a critical red flag, as it can be used to execute arbitrary operating system commands if not handled with extreme care and strict input validation. Additionally, the taint analysis indicates two flows with unsanitized paths. While the severity is not rated high or critical, unsanitized paths can still lead to vulnerabilities if user-supplied data is not properly validated before being used in sensitive operations, especially when combined with the presence of `exec`.

In conclusion, while the plugin boasts strong defenses against common web vulnerabilities like SQL injection and XSS, the use of `exec` and unsanitized input flows represent potential avenues for more severe exploits. These specific issues outweigh the positive aspects and require immediate attention.

Key Concerns

  • Presence of dangerous function 'exec'
  • Flows with unsanitized paths
Vulnerabilities
None known

QA Assistant Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

QA Assistant Release Timeline

v2.0.3Current
v2.0.2
v2.0.1
v2.0.0
v1.0.3
Code Analysis
Analyzed Mar 17, 2026

QA Assistant Code Analysis

Dangerous Functions
2
Raw SQL Queries
0
0 prepared
Unescaped Output
0
51 escaped
Nonce Checks
18
Capability Checks
10
File Operations
1
External Requests
0
Bundled Libraries
1

Dangerous Functions Found

execexec('git --version 2>&1', $git_output);includes\Ajax.php:896
execexec('which git 2>&1', $git_path_output);includes\Ajax.php:901

Bundled Libraries

Select2

Output Escaping

100% escaped51 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

2 flows2 with unsanitized paths
get_branches_for_repo (includes\Ajax.php:762)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

QA Assistant Attack Surface

Entry Points18
Unprotected0

AJAX Handlers 17

authwp_ajax_qa_assistant_switch_branchincludes\Ajax.php:32
authwp_ajax_qa_assistant_get_repo_statusincludes\Ajax.php:35
authwp_ajax_qa_assistant_pull_branchincludes\Ajax.php:38
authwp_ajax_qa_assistant_check_pull_statusincludes\Ajax.php:39
authwp_ajax_qa_assistant_refresh_branchesincludes\Ajax.php:42
authwp_ajax_qa_assistant_stash_changesincludes\Ajax.php:45
authwp_ajax_qa_assistant_commit_changesincludes\Ajax.php:46
authwp_ajax_qa_assistant_get_branch_dataincludes\Ajax.php:49
authwp_ajax_qa_assistant_clone_repoincludes\Ajax.php:52
authwp_ajax_qa_assistant_toggle_monitorincludes\Ajax.php:55
authwp_ajax_qa_assistant_get_pluginsincludes\Ajax.php:58
authwp_ajax_qa_assistant_save_display_settingsincludes\Ajax.php:61
authwp_ajax_qa_assistant_get_repositoriesincludes\Ajax.php:64
authwp_ajax_qa_assistant_get_branchesincludes\Ajax.php:65
authwp_ajax_qa_assistant_get_system_statusincludes\Ajax.php:68
authwp_ajax_qa_assistant_get_activity_logsincludes\Ajax.php:69
authwp_ajax_qa_assistant_clear_activity_logsincludes\Ajax.php:70

Shortcodes 1

[qa-assistant] includes\Frontend\Shortcode.php:19
WordPress Hooks 12
actionadmin_bar_menuincludes\Admin\AdminBar.php:36
actionadmin_footerincludes\Admin\AdminBar.php:39
actionwp_footerincludes\Admin\AdminBar.php:40
actionadmin_menuincludes\Admin\Menu.php:21
actionrest_api_initincludes\API.php:19
actionwp_enqueue_scriptsincludes\Assets.php:21
actionadmin_enqueue_scriptsincludes\Assets.php:22
actionadmin_enqueue_scriptsincludes\Assets.php:24
actionwp_enqueue_scriptsincludes\Assets.php:26
actionadmin_enqueue_scriptsincludes\Assets.php:28
actionwp_enqueue_scriptsincludes\Assets.php:29
actionplugins_loadedqa-assistant.php:70
Maintenance & Trust

QA Assistant Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedFeb 26, 2026
PHP min version8.0
Downloads300

Community Trust

Rating100/100
Number of ratings2
Active installs0
Alternatives

QA Assistant Alternatives

3CX Free Live Chat, Calls & Messaging

3CX Free Live Chat, Calls & Messaging

wp-live-chat-support

A
94

Chat with your website visitors in real-time for free! Engage with your customers and increase sales.

100K 15 CVEs
Cresta Help Chat

Cresta Help Chat

cresta-whatsapp-chat

A
100

Allow your users and customers to contact you via WhatsApp with a single click.

10K No CVEs
Fluent Support – Helpdesk & Customer Support Ticket System

Fluent Support – Helpdesk & Customer Support Ticket System

fluent-support

A
89

Feature Rich and Super Fast Support and Customer Ticketing System for WordPress.

10K 7 CVEs
SupportCandy – Helpdesk & Customer Support Ticket System

SupportCandy – Helpdesk & Customer Support Ticket System

supportcandy

B
76

Enhance your WordPress site with our helpdesk and support ticket system. Manage customer support, tickets, and email tickets efficiently.

10K 17 CVEs
WP Help

WP Help

wp-help

A
85

Site operators can create detailed, hierarchical documentation for the site's authors, editors, and contributors, viewable in the WordPress admin …

10K No CVEs
Developer Profile

QA Assistant Developer Profile

Mohammad Obayed Mamur

1 plugin · 0 total installs

94
trust score
Avg Security Score
100/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect QA Assistant

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/qa-assistant/assets/css/qa-assistant.css/wp-content/plugins/qa-assistant/assets/css/bootstrap.min.css/wp-content/plugins/qa-assistant/assets/css/select2.min.css/wp-content/plugins/qa-assistant/assets/js/qa-assistant.js/wp-content/plugins/qa-assistant/assets/js/bootstrap.min.js/wp-content/plugins/qa-assistant/assets/js/popper.min.js/wp-content/plugins/qa-assistant/assets/js/jquery-3.5.1.slim.min.js/wp-content/plugins/qa-assistant/assets/js/select2.min.js
Script Paths
/wp-content/plugins/qa-assistant/assets/js/qa-assistant.js/wp-content/plugins/qa-assistant/assets/js/bootstrap.min.js/wp-content/plugins/qa-assistant/assets/js/popper.min.js/wp-content/plugins/qa-assistant/assets/js/jquery-3.5.1.slim.min.js/wp-content/plugins/qa-assistant/assets/js/select2.min.js
Version Parameters
qa-assistant/assets/css/qa-assistant.css?ver=qa-assistant/assets/css/bootstrap.min.css?ver=qa-assistant/assets/css/select2.min.css?ver=qa-assistant/assets/js/qa-assistant.js?ver=qa-assistant/assets/js/bootstrap.min.js?ver=qa-assistant/assets/js/popper.min.js?ver=qa-assistant/assets/js/jquery-3.5.1.slim.min.js?ver=qa-assistant/assets/js/select2.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
qa-assistant-settings-pageqa-assistant-plugin-listqa-assistant-plugin-item
HTML Comments
<!-- Test uncommitted change for git pull modal -->
Data Attributes
data-plugin-basename
JS Globals
qa_assistant_ajax_object
REST Endpoints
/wp-json/qa-assistant/v1/settings/wp-json/qa-assistant/v1/plugins/wp-json/qa-assistant/v1/git/branch
FAQ

Frequently Asked Questions about QA Assistant