Routed Actions Security & Risk Analysis

wordpress.org/plugins/routed-actions

Creates a URL to route a request to an action.

10 active installs v1.0.0 PHP + WP 3.9+ Updated Sep 17, 2014
Tags: action, endpoint, rewrite, routed-actions, url
Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Routed Actions Safe to Use in 2026?

Generally Safe

Score 85/100

Routed Actions has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 11yr ago
Risk Assessment

The "routed-actions" plugin version 1.0.0 presents a significant security risk due to its large, unprotected attack surface. All seven identified AJAX handlers lack authentication checks, meaning any user, including unauthenticated ones, can trigger these actions. This is a major concern, as it opens the door for unauthorized operations. While the code signals show no dangerous functions, raw SQL, or external HTTP requests, and taint analysis revealed no critical or high-severity issues, the lack of basic security measures on the AJAX endpoints is alarming.

The plugin's vulnerability history is clean, with no recorded CVEs. This is a positive indicator, suggesting the developers may have had good intentions or that the plugin hasn't been targeted or thoroughly audited for past vulnerabilities. However, this clean history does not mitigate the immediate risks identified in the current code. The absence of capability checks and nonce verification on the AJAX handlers further exacerbates the problem, making it trivial for attackers to exploit these entry points. The 35% proper output escaping is also a weakness, potentially leading to cross-site scripting (XSS) vulnerabilities if the unescaped outputs are controlled by user input.

In conclusion, while the plugin boasts a clean vulnerability history and avoids some common pitfalls like raw SQL or dangerous functions, the critical deficiency of unprotected AJAX handlers makes its overall security posture weak and highly concerning. The lack of fundamental security checks on its primary entry points necessitates immediate attention and remediation.

Key Concerns

  • AJAX handlers without auth checks
  • AJAX handlers without capability checks
  • AJAX handlers without nonce checks
  • Low percentage of properly escaped output
Vulnerabilities: None known

Routed Actions Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

Routed Actions Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 11 (6 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

35% escaped, 17 total outputs
Data Flows: 3 unsanitized

Data Flow Analysis

3 flows, 3 with unsanitized paths
routedactions_create_route (includes\functions-admin.php:114)
Attack Surface: 7 unprotected

Routed Actions Attack Surface

Entry Points: 7
Unprotected: 7

AJAX Handlers: 7

  • auth: wp_ajax_route_load_projects (includes\functions-admin.php:10)
  • auth: wp_ajax_route_delete_route (includes\functions-admin.php:93)
  • auth: wp_ajax_route_create_route (includes\functions-admin.php:113)
  • auth: wp_ajax_route_activate_route (includes\functions-admin.php:154)
  • auth: wp_ajax_route_route_handler (includes\functions-admin.php:184)
  • auth: wp_ajax_route_close_editor (includes\functions-editor.php:4)
  • auth: wp_ajax_route_load_route (includes\functions-editor.php:34)

WordPress Hooks: 9

  • action: routedactions_editor_templates (includes\functions-editor.php:130)
  • action: routedactions_editor_templates (includes\functions-editor.php:155)
  • action: routedactions_editor_templates (includes\functions-editor.php:185)
  • filter: routedactions_get_route_panels (includes\functions-panels.php:7)
  • filter: routedactions_get_route_types (includes\functions-types.php:6)
  • action: admin_menu (includes\routedactions.php:5)
  • action: admin_enqueue_scripts (includes\routedactions.php:8)
  • action: init (routed-actions.php:39)
  • action: template_redirect (routed-actions.php:42)
Maintenance & Trust

Routed Actions Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.0.38
Last updated: Sep 17, 2014
PHP min version
Downloads: 2K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 10
Developer Profile

Routed Actions Developer Profile

David Cramer

6 plugins · 1K total installs

Trust score: 90
Avg Security Score: 85/100
Avg Patch Time: 1 day
Detection Fingerprints

How We Detect Routed Actions

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/routed-actions/assets/css/modals.css
  • /wp-content/plugins/routed-actions/assets/js/handlebars.js
  • /wp-content/plugins/routed-actions/assets/js/handlebars.baldrick.js
  • /wp-content/plugins/routed-actions/assets/js/modals.baldrick.js
  • /wp-content/plugins/routed-actions/assets/js/jquery.baldrick.js
  • /wp-content/plugins/routed-actions/assets/js/admin-app.js
  • /wp-content/plugins/routed-actions/assets/css/admin.css
  • /wp-content/plugins/routed-actions/assets/css/editor.css
  • (+1 more)
Script Paths
  • /wp-content/plugins/routed-actions/assets/js/handlebars.js
  • /wp-content/plugins/routed-actions/assets/js/handlebars.baldrick.js
  • /wp-content/plugins/routed-actions/assets/js/modals.baldrick.js
  • /wp-content/plugins/routed-actions/assets/js/jquery.baldrick.js
  • /wp-content/plugins/routed-actions/assets/js/admin-app.js
  • /wp-content/plugins/routed-actions/assets/js/editor-app.js
Version Parameters
  • routed-actions/assets/css/modals.css?ver=
  • routed-actions/assets/js/handlebars.js?ver=
  • routed-actions/assets/js/handlebars.baldrick.js?ver=
  • routed-actions/assets/js/modals.baldrick.js?ver=
  • routed-actions/assets/js/jquery.baldrick.js?ver=
  • routed-actions/assets/js/admin-app.js?ver=
  • routed-actions/assets/css/admin.css?ver=
  • routed-actions/assets/css/editor.css?ver=
  • routed-actions/assets/js/editor-app.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • routedactions-modal-styles
  • routedactions-admin-styles
  • routedactions-editor-styles
  • routedactions-panel-
  • routedactions-fieldtype-
Data Attributes
  • data-routedactions-id
JS Globals
  • RACTIONS_PATH
  • RACTIONS_URL
  • RACTIONS_ICON
  • RACTIONS_VER
  • routedactions_pages
  • field_types