Query Monitor – The developer tools panel for WordPress Security & Risk Analysis

wordpress.org/plugins/query-monitor

Query Monitor is the developer tools panel for WordPress and WooCommerce.

200K active installs · v3.20.2 · PHP 7.4+ · WP 6.1+ · Updated Dec 11, 2025

Tags: debug, debug-bar, development, performance, query-monitor

Security score: 100 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Query Monitor – The developer tools panel for WordPress Safe to Use in 2026?

Generally Safe

Score 100/100

Query Monitor – The developer tools panel for WordPress has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 3mo ago
Risk Assessment

The Query Monitor plugin, version 3.20.2, exhibits a generally strong security posture. The static analysis reveals a well-defined attack surface with all identified entry points (AJAX handlers) protected by authorization checks. The absence of known CVEs and a clean vulnerability history further bolster this positive assessment, suggesting a history of responsible development and patching.

However, some areas warrant attention. The plugin calls the 'exec' and 'unserialize' functions. On their own these calls are not evidence of a vulnerability, but both functions are inherently risky and could be exploited if user-supplied data reached them without proper sanitization. The taint analysis shows no unsanitized paths, yet the potential for misuse of these dangerous functions remains a concern. Additionally, a significant portion of the plugin's output (42%) is not properly escaped, which could lead to Cross-Site Scripting (XSS) vulnerabilities if dynamic content is not handled carefully.

In conclusion, Query Monitor is a plugin with a strong track record and a secure entry point design. The primary risks lie in the potential misuse of powerful functions like 'exec' and 'unserialize', and a notable percentage of unescaped output. Developers should prioritize addressing the unescaped output and carefully review how 'exec' and 'unserialize' are used to ensure robust sanitization.

Key Concerns

  • Presence of 'exec' dangerous function
  • Presence of 'unserialize' dangerous function
  • Significant percentage of unescaped output
Vulnerabilities: None known

Query Monitor – The developer tools panel for WordPress Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Query Monitor – The developer tools panel for WordPress Code Analysis

Dangerous Functions: 2
Raw SQL Queries: 1 (5 prepared)
Unescaped Output: 298 (405 escaped)
Nonce Checks: 3
Capability Checks: 4
File Operations: 3
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

  • exec: $php_u = exec( 'whoami' ); // phpcs:ignore  (collectors\environment.php:304)
  • unserialize: $var = unserialize( serialize( $var ) ); // phpcs:ignore  (dispatchers\Html.php:805)

In both findings the argument is not user-controlled as listed: exec() receives the constant string 'whoami', and unserialize() is applied to the output of serialize() on the same variable. The risk assessment above flags the presence of these functions, not a tainted path to them; any future change that routes external data into either call would deserve a fresh review.

SQL Query Safety

83% prepared (6 total queries)

Output Escaping

58% escaped (703 total outputs)
Data Flows: All sanitized

Data Flow Analysis

1 flow found: <Html> (dispatchers\Html.php:0), sanitized
Query Monitor – The developer tools panel for WordPress Attack Surface

Entry Points: 4
Unprotected: 0

AJAX Handlers (4)

Type | Hook | Location
auth | wp_ajax_qm_auth_on | dispatchers\Html.php:44
auth | wp_ajax_qm_auth_off | dispatchers\Html.php:45
auth | wp_ajax_qm_editor_set | dispatchers\Html.php:46
nopriv | wp_ajax_qm_auth_off | dispatchers\Html.php:47
WordPress Hooks (189)

Type | Hook | Location
filter | pre_update_option_active_plugins | classes\Activation.php:15
filter | pre_update_site_option_active_sitewide_plugins | classes\Activation.php:16
action | init | classes\Backtrace.php:606
action | admin_print_footer_scripts | classes\Collector_Assets.php:42
action | wp_print_footer_scripts | classes\Collector_Assets.php:43
action | admin_head | classes\Collector_Assets.php:44
action | wp_head | classes\Collector_Assets.php:45
action | login_head | classes\Collector_Assets.php:46
action | embed_head | classes\Collector_Assets.php:47
action | wp_head | classes\debug_bar.php:15
filter | debug_bar_classes | classes\debug_bar_panel.php:31
action | init | classes\Dispatcher.php:45
action | send_headers | classes\Dispatcher.php:153
action | plugins_loaded | classes\QueryMonitor.php:16
action | init | classes\QueryMonitor.php:17
action | members_register_caps | classes\QueryMonitor.php:18
action | members_register_cap_groups | classes\QueryMonitor.php:19
action | qm/cease | classes\QueryMonitor.php:20
filter | user_has_cap | classes\QueryMonitor.php:23
filter | ure_built_in_wp_caps | classes\QueryMonitor.php:24
filter | ure_capabilities_groups_tree | classes\QueryMonitor.php:25
filter | network_admin_plugin_action_links_query-monitor/query-monitor.php | classes\QueryMonitor.php:26
filter | plugin_action_links_query-monitor/query-monitor.php | classes\QueryMonitor.php:27
filter | plugin_row_meta | classes\QueryMonitor.php:28
filter | qm/collectors | collectors\admin.php:140
filter | qm/collectors | collectors\assets_scripts.php:61
filter | qm/collectors | collectors\assets_styles.php:42
filter | pre_render_block | collectors\block_editor.php:44
filter | render_block_context | collectors\block_editor.php:45
filter | render_block_data | collectors\block_editor.php:46
filter | render_block | collectors\block_editor.php:47
filter | qm/collectors | collectors\block_editor.php:223
filter | qm/collectors | collectors\cache.php:130
filter | user_has_cap | collectors\caps.php:45
filter | map_meta_cap | collectors\caps.php:46
filter | qm/collectors | collectors\caps.php:311
filter | qm/collectors | collectors\conditionals.php:127
filter | qm/collectors | collectors\db_callers.php:54
filter | qm/collectors | collectors\db_components.php:54
filter | qm/collectors | collectors\db_dupes.php:131
filter | qm/collectors | collectors\db_queries.php:274
action | init | collectors\debug_bar.php:141
action | doing_it_wrong_run | collectors\doing_it_wrong.php:34
action | deprecated_function_run | collectors\doing_it_wrong.php:35
action | deprecated_constructor_run | collectors\doing_it_wrong.php:36
action | deprecated_file_included | collectors\doing_it_wrong.php:37
action | deprecated_argument_run | collectors\doing_it_wrong.php:38
action | deprecated_hook_run | collectors\doing_it_wrong.php:39
action | deprecated_class_run | collectors\doing_it_wrong.php:40
filter | deprecated_function_trigger_error | collectors\doing_it_wrong.php:42
filter | deprecated_constructor_trigger_error | collectors\doing_it_wrong.php:43
filter | deprecated_file_trigger_error | collectors\doing_it_wrong.php:44
filter | deprecated_argument_trigger_error | collectors\doing_it_wrong.php:45
filter | deprecated_hook_trigger_error | collectors\doing_it_wrong.php:46
filter | doing_it_wrong_trigger_error | collectors\doing_it_wrong.php:47
filter | deprecated_class_trigger_error | collectors\doing_it_wrong.php:48
filter | qm/collectors | collectors\environment.php:327
filter | http_request_args | collectors\http.php:62
filter | pre_http_request | collectors\http.php:63
action | http_api_debug | collectors\http.php:64
action | requests-curl.after_request | collectors\http.php:66
action | requests-fsockopen.after_request | collectors\http.php:67
filter | load_textdomain_mofile | collectors\languages.php:30
filter | load_translation_file | collectors\languages.php:31
filter | load_script_translation_file | collectors\languages.php:32
action | init | collectors\languages.php:33
action | qm/assert | collectors\logger.php:45
action | qm/log | collectors\logger.php:46
action | switch_blog | collectors\multisite.php:23
action | shutdown | collectors\overview.php:29
filter | qm/collectors | collectors\overview.php:114
filter | qm/collectors | collectors\raw_request.php:100
filter | wp_redirect | collectors\redirects.php:28
filter | qm/collectors | collectors\request.php:333
filter | body_class | collectors\theme.php:62
filter | timber/output | collectors\theme.php:63
action | template_redirect | collectors\theme.php:64
action | get_template_part | collectors\theme.php:65
action | get_header | collectors\theme.php:66
action | get_sidebar | collectors\theme.php:67
action | get_footer | collectors\theme.php:68
action | render_block_core_template_part_post | collectors\theme.php:69
action | render_block_core_template_part_file | collectors\theme.php:70
action | render_block_core_template_part_none | collectors\theme.php:71
action | gutenberg_render_block_core_template_part_post | collectors\theme.php:72
action | gutenberg_render_block_core_template_part_file | collectors\theme.php:73
action | gutenberg_render_block_core_template_part_none | collectors\theme.php:74
filter | template_include | collectors\theme.php:238
filter | qm/collectors | collectors\theme.php:576
action | qm/start | collectors\timing.php:47
action | qm/stop | collectors\timing.php:48
action | qm/lap | collectors\timing.php:49
action | shutdown | dispatchers\AJAX.php:22
filter | qm/dispatchers | dispatchers\AJAX.php:153
action | admin_bar_menu | dispatchers\Html.php:43
action | shutdown | dispatchers\Html.php:52
action | wp_footer | dispatchers\Html.php:54
action | admin_footer | dispatchers\Html.php:55
action | login_footer | dispatchers\Html.php:56
action | gp_footer | dispatchers\Html.php:57
action | admin_notices | dispatchers\Html.php:178
action | wp_enqueue_scripts | dispatchers\Html.php:181
action | admin_enqueue_scripts | dispatchers\Html.php:182
action | login_enqueue_scripts | dispatchers\Html.php:183
action | enqueue_embed_scripts | dispatchers\Html.php:184
action | gp_head | dispatchers\Html.php:186
filter | qm/dispatchers | dispatchers\Html.php:1055
filter | wp_redirect | dispatchers\Redirect.php:19
filter | qm/dispatchers | dispatchers\Redirect.php:101
filter | rest_post_dispatch | dispatchers\REST.php:19
filter | qm/dispatchers | dispatchers\REST.php:118
filter | rest_envelope_response | dispatchers\REST_Envelope.php:15
filter | qm/dispatchers | dispatchers\REST_Envelope.php:80
action | shutdown | dispatchers\WP_Die.php:25
filter | wp_die_handler | dispatchers\WP_Die.php:27
filter | qm/dispatchers | dispatchers\WP_Die.php:168
filter | qm/outputter/headers | output\headers\overview.php:73
filter | qm/outputter/headers | output\headers\php_errors.php:86
filter | qm/outputter/headers | output\headers\redirects.php:53
filter | qm/output/menus | output\html\admin.php:23
filter | qm/outputter/html | output\html\admin.php:139
filter | qm/output/menus | output\html\assets.php:23
filter | qm/output/menu_class | output\html\assets.php:24
filter | qm/outputter/html | output\html\assets_scripts.php:57
filter | qm/outputter/html | output\html\assets_styles.php:57
filter | qm/output/menus | output\html\block_editor.php:23
filter | qm/outputter/html | output\html\block_editor.php:360
filter | qm/output/menus | output\html\caps.php:23
filter | qm/outputter/html | output\html\caps.php:243
filter | qm/output/menus | output\html\conditionals.php:23
filter | qm/output/panel_menus | output\html\conditionals.php:24
filter | qm/outputter/html | output\html\conditionals.php:131
filter | qm/output/panel_menus | output\html\db_callers.php:23
filter | qm/outputter/html | output\html\db_callers.php:154
filter | qm/output/panel_menus | output\html\db_components.php:23
filter | qm/outputter/html | output\html\db_components.php:151
filter | qm/output/menus | output\html\db_dupes.php:23
filter | qm/output/panel_menus | output\html\db_dupes.php:24
filter | qm/outputter/html | output\html\db_dupes.php:193
filter | qm/output/menus | output\html\db_queries.php:28
filter | qm/output/panel_menus | output\html\db_queries.php:29
filter | qm/output/title | output\html\db_queries.php:30
filter | qm/output/menu_class | output\html\db_queries.php:31
filter | qm/outputter/html | output\html\db_queries.php:620
filter | qm/output/menus | output\html\debug_bar.php:23
filter | qm/outputter/html | output\html\debug_bar.php:114
filter | qm/output/menus | output\html\doing_it_wrong.php:23
filter | qm/output/menu_class | output\html\doing_it_wrong.php:24
filter | qm/outputter/html | output\html\doing_it_wrong.php:194
filter | qm/output/menus | output\html\environment.php:23
filter | qm/outputter/html | output\html\environment.php:320
filter | qm/output/panel_menus | output\html\headers.php:23
filter | qm/outputter/html | output\html\headers.php:146
filter | qm/output/menus | output\html\hooks.php:23
filter | qm/outputter/html | output\html\hooks.php:256
filter | qm/output/menus | output\html\http.php:23
filter | qm/output/menu_class | output\html\http.php:24
filter | qm/outputter/html | output\html\http.php:443
filter | qm/output/menus | output\html\languages.php:23
filter | qm/outputter/html | output\html\languages.php:212
filter | qm/output/menus | output\html\logger.php:23
filter | qm/output/menu_class | output\html\logger.php:24
filter | qm/outputter/html | output\html\logger.php:250
filter | qm/output/menus | output\html\multisite.php:23
filter | qm/outputter/html | output\html\multisite.php:167
filter | qm/output/title | output\html\overview.php:23
filter | qm/outputter/html | output\html\overview.php:414
filter | qm/output/menus | output\html\php_errors.php:23
filter | qm/output/panel_menus | output\html\php_errors.php:24
filter | qm/output/menu_class | output\html\php_errors.php:25
filter | qm/outputter/html | output\html\php_errors.php:365
filter | qm/output/menus | output\html\request.php:23
filter | qm/outputter/html | output\html\request.php:252
filter | qm/output/menus | output\html\theme.php:23
filter | qm/output/panel_menus | output\html\theme.php:24
filter | qm/outputter/html | output\html\theme.php:299
filter | qm/output/menus | output\html\timing.php:23
filter | qm/outputter/html | output\html\timing.php:244
filter | qm/output/menus | output\html\transients.php:23
filter | qm/outputter/html | output\html\transients.php:175
filter | qm/outputter/raw | output\raw\cache.php:60
filter | qm/outputter/raw | output\raw\conditionals.php:47
filter | qm/outputter/raw | output\raw\db_queries.php:126
filter | qm/outputter/raw | output\raw\http.php:75
filter | qm/outputter/raw | output\raw\logger.php:64
filter | qm/outputter/raw | output\raw\transients.php:73
action | all_admin_notices | query-monitor.php:46
action | all_admin_notices | query-monitor.php:51
action | all_admin_notices | wp-content\db.php:74
Query Monitor – The developer tools panel for WordPress Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 11, 2025
PHP min version: 7.4
Downloads: 19.2M

Community Trust

Rating: 98/100
Number of ratings: 463
Active installs: 200K

Query Monitor – The developer tools panel for WordPress Developer Profile

John Blackbourn

3 plugins · 700K total installs

Trust score: 78
Avg Security Score: 99/100
Avg Patch Time: 1160 days
Detection Fingerprints

How We Detect Query Monitor – The developer tools panel for WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/query-monitor/query-monitor.css
  • /wp-content/plugins/query-monitor/query-monitor.js
  • /wp-content/plugins/query-monitor/classes/php/PHP.css
  • /wp-content/plugins/query-monitor/classes/php/PHP.js
  • /wp-content/plugins/query-monitor/assets/dist/css/query-monitor.css
  • /wp-content/plugins/query-monitor/assets/dist/js/query-monitor.js

Script Paths

  • /wp-content/plugins/query-monitor/query-monitor.js
  • /wp-content/plugins/query-monitor/classes/php/PHP.js
  • /wp-content/plugins/query-monitor/assets/dist/js/query-monitor.js

Version Parameters

  • query-monitor/query-monitor.css?ver=
  • query-monitor/query-monitor.js?ver=
  • query-monitor/classes/php/PHP.css?ver=
  • query-monitor/classes/php/PHP.js?ver=
  • query-monitor/assets/dist/css/query-monitor.css?ver=
  • query-monitor/assets/dist/js/query-monitor.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • qm-debug-bar
  • qm-debug-bar-item
  • qm-debug-bar-item-source
  • qm-debug-bar-item-source-sql
  • qm-debug-bar-item-source-php
  • qm-debug-bar-item-source-template
  • qm-debug-bar-item-source-hooks
  • qm-debug-bar-item-source-http
  • and 15 more

HTML Comments

  • <!-- Query Monitor -->
  • <!-- /Query Monitor -->
  • <!-- Query Monitor :: This is a drop-in replacement for the standard WordPress database class -->

Data Attributes

  • data-qm-id
  • data-qm-data
  • data-qm-target

JS Globals

  • QueryMonitor

REST Endpoints

  • /wp-json/query-monitor/v1/debug
FAQ

Frequently Asked Questions about Query Monitor – The developer tools panel for WordPress