Query Monitor Security & Risk Analysis

wordpress.org/plugins/query-monitor

Query Monitor is the developer tools panel for WordPress and WooCommerce.

200K active installs · v4.0.6 · PHP 7.4+ · WP 6.1+ · Updated Apr 11, 2026
Tags: debug, debug-bar, development, performance, query-monitor
Score: 97 · A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Mar 30, 2026
Safety Verdict

Is Query Monitor Safe to Use in 2026?

Generally Safe

Score 97/100

Query Monitor has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

1 known CVE · Last CVE: Mar 30, 2026 · Updated 1mo ago
Risk Assessment

The Query Monitor plugin, version 3.20.2, exhibits a generally strong security posture. The static analysis reveals a well-defined attack surface with all identified entry points (AJAX handlers) protected by authorization checks. The absence of known CVEs and a clean vulnerability history further bolster this positive assessment, suggesting a history of responsible development and patching.

However, there are areas that warrant attention. The presence of the 'exec' and 'unserialize' functions is not in itself indicative of a vulnerability without further context, but these functions are inherently risky and could be exploited if user-supplied data reaches them without proper sanitization. While the taint analysis shows no unsanitized paths, the potential for misuse of these dangerous functions remains a concern. Additionally, a significant portion of the plugin's output (42%) is not properly escaped, which could lead to Cross-Site Scripting (XSS) vulnerabilities if dynamic content is not handled carefully.

In conclusion, Query Monitor is a plugin with a strong track record and a secure entry point design. The primary risks lie in the potential misuse of powerful functions like 'exec' and 'unserialize', and a notable percentage of unescaped output. Developers should prioritize addressing the unescaped output and carefully review how 'exec' and 'unserialize' are used to ensure robust sanitization.

Key Concerns

  • Presence of 'exec' dangerous function
  • Presence of 'unserialize' dangerous function
  • Significant percentage of unescaped output
Vulnerabilities
1 published

Query Monitor Security Vulnerabilities

CVEs by Year

2026: 1 CVE (patched)

Severity Breakdown

High: 1 (1 total CVE)

CVE-2026-4267 · High · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Query Monitor <= 3.20.3 - Reflected Cross-Site Scripting via Request URI

Mar 30, 2026 · Patched in 3.20.4 (7d)
Version History

Query Monitor Release Timeline

v4.0.6 · Current
v4.0.5
v4.0.4
v4.0.3
v4.0.2
v4.0.1
v4.0.0
v3.20.4 · 5 files changed
v3.20.3 · 1 CVE · 23 files changed
v3.20.2 · 1 CVE · 5 files changed
v3.20.1 · 1 CVE · 36 files changed
v3.20.0 · 1 CVE · 64 files changed
v3.19.0 · 1 CVE · 17 files changed
v3.18.0 · 1 CVE · 29 files changed
v3.17.2 · 1 CVE · 7 files changed
v3.17.1 · 1 CVE · 16 files changed
v3.17.0 · 1 CVE · 25 files changed
v3.16.4 · 1 CVE · 14 files changed
v3.16.3 · 1 CVE · 4 files changed
v3.16.2 · 1 CVE · 4 files changed
Code Analysis
Analyzed Mar 16, 2026

Query Monitor Code Analysis

Dangerous Functions: 2
Raw SQL Queries: 1 (5 prepared)
Unescaped Output: 298 (405 escaped)
Nonce Checks: 3
Capability Checks: 4
File Operations: 3
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

exec · $php_u = exec( 'whoami' ); // phpcs:ignore · collectors\environment.php:304 (the call site shown passes a fixed string, not request data)
unserialize · $var = unserialize( serialize( $var ) ); // phpcs:ignore · dispatchers\Html.php:805 (the call site shown round-trips the plugin's own serialize() output)

SQL Query Safety

83% prepared (6 total queries)

Output Escaping

58% escaped (703 total outputs)
Data Flows · Security
All sanitized

Data Flow Analysis

1 flow: <Html> (dispatchers\Html.php:0)
Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface

Query Monitor Attack Surface

Entry Points: 4
Unprotected: 0

AJAX Handlers: 4

auth · wp_ajax_qm_auth_on · dispatchers\Html.php:44
auth · wp_ajax_qm_auth_off · dispatchers\Html.php:45
auth · wp_ajax_qm_editor_set · dispatchers\Html.php:46
nopriv · wp_ajax_qm_auth_off · dispatchers\Html.php:47
WordPress Hooks: 189

filter · pre_update_option_active_plugins · classes\Activation.php:15
filter · pre_update_site_option_active_sitewide_plugins · classes\Activation.php:16
action · init · classes\Backtrace.php:606
action · admin_print_footer_scripts · classes\Collector_Assets.php:42
action · wp_print_footer_scripts · classes\Collector_Assets.php:43
action · admin_head · classes\Collector_Assets.php:44
action · wp_head · classes\Collector_Assets.php:45
action · login_head · classes\Collector_Assets.php:46
action · embed_head · classes\Collector_Assets.php:47
action · wp_head · classes\debug_bar.php:15
filter · debug_bar_classes · classes\debug_bar_panel.php:31
action · init · classes\Dispatcher.php:45
action · send_headers · classes\Dispatcher.php:153
action · plugins_loaded · classes\QueryMonitor.php:16
action · init · classes\QueryMonitor.php:17
action · members_register_caps · classes\QueryMonitor.php:18
action · members_register_cap_groups · classes\QueryMonitor.php:19
action · qm/cease · classes\QueryMonitor.php:20
filter · user_has_cap · classes\QueryMonitor.php:23
filter · ure_built_in_wp_caps · classes\QueryMonitor.php:24
filter · ure_capabilities_groups_tree · classes\QueryMonitor.php:25
filter · network_admin_plugin_action_links_query-monitor/query-monitor.php · classes\QueryMonitor.php:26
filter · plugin_action_links_query-monitor/query-monitor.php · classes\QueryMonitor.php:27
filter · plugin_row_meta · classes\QueryMonitor.php:28
filter · qm/collectors · collectors\admin.php:140
filter · qm/collectors · collectors\assets_scripts.php:61
filter · qm/collectors · collectors\assets_styles.php:42
filter · pre_render_block · collectors\block_editor.php:44
filter · render_block_context · collectors\block_editor.php:45
filter · render_block_data · collectors\block_editor.php:46
filter · render_block · collectors\block_editor.php:47
filter · qm/collectors · collectors\block_editor.php:223
filter · qm/collectors · collectors\cache.php:130
filter · user_has_cap · collectors\caps.php:45
filter · map_meta_cap · collectors\caps.php:46
filter · qm/collectors · collectors\caps.php:311
filter · qm/collectors · collectors\conditionals.php:127
filter · qm/collectors · collectors\db_callers.php:54
filter · qm/collectors · collectors\db_components.php:54
filter · qm/collectors · collectors\db_dupes.php:131
filter · qm/collectors · collectors\db_queries.php:274
action · init · collectors\debug_bar.php:141
action · doing_it_wrong_run · collectors\doing_it_wrong.php:34
action · deprecated_function_run · collectors\doing_it_wrong.php:35
action · deprecated_constructor_run · collectors\doing_it_wrong.php:36
action · deprecated_file_included · collectors\doing_it_wrong.php:37
action · deprecated_argument_run · collectors\doing_it_wrong.php:38
action · deprecated_hook_run · collectors\doing_it_wrong.php:39
action · deprecated_class_run · collectors\doing_it_wrong.php:40
filter · deprecated_function_trigger_error · collectors\doing_it_wrong.php:42
filter · deprecated_constructor_trigger_error · collectors\doing_it_wrong.php:43
filter · deprecated_file_trigger_error · collectors\doing_it_wrong.php:44
filter · deprecated_argument_trigger_error · collectors\doing_it_wrong.php:45
filter · deprecated_hook_trigger_error · collectors\doing_it_wrong.php:46
filter · doing_it_wrong_trigger_error · collectors\doing_it_wrong.php:47
filter · deprecated_class_trigger_error · collectors\doing_it_wrong.php:48
filter · qm/collectors · collectors\environment.php:327
filter · http_request_args · collectors\http.php:62
filter · pre_http_request · collectors\http.php:63
action · http_api_debug · collectors\http.php:64
action · requests-curl.after_request · collectors\http.php:66
action · requests-fsockopen.after_request · collectors\http.php:67
filter · load_textdomain_mofile · collectors\languages.php:30
filter · load_translation_file · collectors\languages.php:31
filter · load_script_translation_file · collectors\languages.php:32
action · init · collectors\languages.php:33
action · qm/assert · collectors\logger.php:45
action · qm/log · collectors\logger.php:46
action · switch_blog · collectors\multisite.php:23
action · shutdown · collectors\overview.php:29
filter · qm/collectors · collectors\overview.php:114
filter · qm/collectors · collectors\raw_request.php:100
filter · wp_redirect · collectors\redirects.php:28
filter · qm/collectors · collectors\request.php:333
filter · body_class · collectors\theme.php:62
filter · timber/output · collectors\theme.php:63
action · template_redirect · collectors\theme.php:64
action · get_template_part · collectors\theme.php:65
action · get_header · collectors\theme.php:66
action · get_sidebar · collectors\theme.php:67
action · get_footer · collectors\theme.php:68
action · render_block_core_template_part_post · collectors\theme.php:69
action · render_block_core_template_part_file · collectors\theme.php:70
action · render_block_core_template_part_none · collectors\theme.php:71
action · gutenberg_render_block_core_template_part_post · collectors\theme.php:72
action · gutenberg_render_block_core_template_part_file · collectors\theme.php:73
action · gutenberg_render_block_core_template_part_none · collectors\theme.php:74
filter · template_include · collectors\theme.php:238
filter · qm/collectors · collectors\theme.php:576
action · qm/start · collectors\timing.php:47
action · qm/stop · collectors\timing.php:48
action · qm/lap · collectors\timing.php:49
action · shutdown · dispatchers\AJAX.php:22
filter · qm/dispatchers · dispatchers\AJAX.php:153
action · admin_bar_menu · dispatchers\Html.php:43
action · shutdown · dispatchers\Html.php:52
action · wp_footer · dispatchers\Html.php:54
action · admin_footer · dispatchers\Html.php:55
action · login_footer · dispatchers\Html.php:56
action · gp_footer · dispatchers\Html.php:57
action · admin_notices · dispatchers\Html.php:178
action · wp_enqueue_scripts · dispatchers\Html.php:181
action · admin_enqueue_scripts · dispatchers\Html.php:182
action · login_enqueue_scripts · dispatchers\Html.php:183
action · enqueue_embed_scripts · dispatchers\Html.php:184
action · gp_head · dispatchers\Html.php:186
filter · qm/dispatchers · dispatchers\Html.php:1055
filter · wp_redirect · dispatchers\Redirect.php:19
filter · qm/dispatchers · dispatchers\Redirect.php:101
filter · rest_post_dispatch · dispatchers\REST.php:19
filter · qm/dispatchers · dispatchers\REST.php:118
filter · rest_envelope_response · dispatchers\REST_Envelope.php:15
filter · qm/dispatchers · dispatchers\REST_Envelope.php:80
action · shutdown · dispatchers\WP_Die.php:25
filter · wp_die_handler · dispatchers\WP_Die.php:27
filter · qm/dispatchers · dispatchers\WP_Die.php:168
filter · qm/outputter/headers · output\headers\overview.php:73
filter · qm/outputter/headers · output\headers\php_errors.php:86
filter · qm/outputter/headers · output\headers\redirects.php:53
filter · qm/output/menus · output\html\admin.php:23
filter · qm/outputter/html · output\html\admin.php:139
filter · qm/output/menus · output\html\assets.php:23
filter · qm/output/menu_class · output\html\assets.php:24
filter · qm/outputter/html · output\html\assets_scripts.php:57
filter · qm/outputter/html · output\html\assets_styles.php:57
filter · qm/output/menus · output\html\block_editor.php:23
filter · qm/outputter/html · output\html\block_editor.php:360
filter · qm/output/menus · output\html\caps.php:23
filter · qm/outputter/html · output\html\caps.php:243
filter · qm/output/menus · output\html\conditionals.php:23
filter · qm/output/panel_menus · output\html\conditionals.php:24
filter · qm/outputter/html · output\html\conditionals.php:131
filter · qm/output/panel_menus · output\html\db_callers.php:23
filter · qm/outputter/html · output\html\db_callers.php:154
filter · qm/output/panel_menus · output\html\db_components.php:23
filter · qm/outputter/html · output\html\db_components.php:151
filter · qm/output/menus · output\html\db_dupes.php:23
filter · qm/output/panel_menus · output\html\db_dupes.php:24
filter · qm/outputter/html · output\html\db_dupes.php:193
filter · qm/output/menus · output\html\db_queries.php:28
filter · qm/output/panel_menus · output\html\db_queries.php:29
filter · qm/output/title · output\html\db_queries.php:30
filter · qm/output/menu_class · output\html\db_queries.php:31
filter · qm/outputter/html · output\html\db_queries.php:620
filter · qm/output/menus · output\html\debug_bar.php:23
filter · qm/outputter/html · output\html\debug_bar.php:114
filter · qm/output/menus · output\html\doing_it_wrong.php:23
filter · qm/output/menu_class · output\html\doing_it_wrong.php:24
filter · qm/outputter/html · output\html\doing_it_wrong.php:194
filter · qm/output/menus · output\html\environment.php:23
filter · qm/outputter/html · output\html\environment.php:320
filter · qm/output/panel_menus · output\html\headers.php:23
filter · qm/outputter/html · output\html\headers.php:146
filter · qm/output/menus · output\html\hooks.php:23
filter · qm/outputter/html · output\html\hooks.php:256
filter · qm/output/menus · output\html\http.php:23
filter · qm/output/menu_class · output\html\http.php:24
filter · qm/outputter/html · output\html\http.php:443
filter · qm/output/menus · output\html\languages.php:23
filter · qm/outputter/html · output\html\languages.php:212
filter · qm/output/menus · output\html\logger.php:23
filter · qm/output/menu_class · output\html\logger.php:24
filter · qm/outputter/html · output\html\logger.php:250
filter · qm/output/menus · output\html\multisite.php:23
filter · qm/outputter/html · output\html\multisite.php:167
filter · qm/output/title · output\html\overview.php:23
filter · qm/outputter/html · output\html\overview.php:414
filter · qm/output/menus · output\html\php_errors.php:23
filter · qm/output/panel_menus · output\html\php_errors.php:24
filter · qm/output/menu_class · output\html\php_errors.php:25
filter · qm/outputter/html · output\html\php_errors.php:365
filter · qm/output/menus · output\html\request.php:23
filter · qm/outputter/html · output\html\request.php:252
filter · qm/output/menus · output\html\theme.php:23
filter · qm/output/panel_menus · output\html\theme.php:24
filter · qm/outputter/html · output\html\theme.php:299
filter · qm/output/menus · output\html\timing.php:23
filter · qm/outputter/html · output\html\timing.php:244
filter · qm/output/menus · output\html\transients.php:23
filter · qm/outputter/html · output\html\transients.php:175
filter · qm/outputter/raw · output\raw\cache.php:60
filter · qm/outputter/raw · output\raw\conditionals.php:47
filter · qm/outputter/raw · output\raw\db_queries.php:126
filter · qm/outputter/raw · output\raw\http.php:75
filter · qm/outputter/raw · output\raw\logger.php:64
filter · qm/outputter/raw · output\raw\transients.php:73
action · all_admin_notices · query-monitor.php:46
action · all_admin_notices · query-monitor.php:51
action · all_admin_notices · wp-content\db.php:74
Maintenance & Trust

Query Monitor Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Apr 11, 2026
PHP min version: 7.4
Downloads: 20.0M

Community Trust

Rating: 98/100
Number of ratings: 465
Active installs: 200K
Developer Profile

Query Monitor Developer Profile

John Blackbourn

3 plugins · 700K total installs

Trust score: 78
Avg Security Score: 98/100
Avg Patch Time: 872 days
Detection Fingerprints

How We Detect Query Monitor

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/query-monitor/query-monitor.css
/wp-content/plugins/query-monitor/query-monitor.js
/wp-content/plugins/query-monitor/classes/php/PHP.css
/wp-content/plugins/query-monitor/classes/php/PHP.js
/wp-content/plugins/query-monitor/assets/dist/css/query-monitor.css
/wp-content/plugins/query-monitor/assets/dist/js/query-monitor.js
Script Paths
/wp-content/plugins/query-monitor/query-monitor.js
/wp-content/plugins/query-monitor/classes/php/PHP.js
/wp-content/plugins/query-monitor/assets/dist/js/query-monitor.js
Version Parameters
query-monitor/query-monitor.css?ver=
query-monitor/query-monitor.js?ver=
query-monitor/classes/php/PHP.css?ver=
query-monitor/classes/php/PHP.js?ver=
query-monitor/assets/dist/css/query-monitor.css?ver=
query-monitor/assets/dist/js/query-monitor.js?ver=

HTML / DOM Fingerprints

CSS Classes
qm-debug-bar, qm-debug-bar-item, qm-debug-bar-item-source, qm-debug-bar-item-source-sql, qm-debug-bar-item-source-php, qm-debug-bar-item-source-template, qm-debug-bar-item-source-hooks, qm-debug-bar-item-source-http (+15 more)
HTML Comments
<!-- Query Monitor -->
<!-- /Query Monitor -->
<!-- Query Monitor :: This is a drop-in replacement for the standard WordPress database class -->
Data Attributes
data-qm-id, data-qm-data, data-qm-target
JS Globals
QueryMonitor
REST Endpoints
/wp-json/query-monitor/v1/debug
FAQ

Frequently Asked Questions about Query Monitor