WP-Safety

SCIM User Sync/Provisioning Security & Risk Analysis

wordpress.org/plugins/scim-user-provisioning

SCIM User Sync & User Provisioning. Create, delete, update users & automated user sync from Azure AD, Okta, Google Apps & many IDPs into WordPress.

200 active installs v1.1.4 PHP 5.4+ WP 3.7+ Updated Oct 17, 2025
azureadgoogleappsoktascimuser-sync
100
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is SCIM User Sync/Provisioning Safe to Use in 2026?

Generally Safe

Score 100/100

SCIM User Sync/Provisioning has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 5mo ago
Risk Assessment

The "scim-user-provisioning" plugin version 1.1.4 demonstrates a generally strong security posture based on the provided static analysis. The absence of any known CVEs and the plugin's clean vulnerability history are positive indicators. The code analysis reveals a commendable approach to security, with all SQL queries utilizing prepared statements and a high percentage of output being properly escaped. The presence of nonce checks is also a good practice. However, a critical concern arises from the taint analysis, which identified one flow with unsanitized paths. While this flow did not result in a critical or high severity finding in the static analysis, it represents a potential avenue for injection vulnerabilities if the input is not handled with sufficient care at runtime. The plugin also performs file operations and external HTTP requests, which, while not inherently insecure, require careful implementation to prevent exploitation.

Key Concerns

  • Taint flow with unsanitized path
  • File operations detected
  • External HTTP requests detected
  • Capability checks are absent
Vulnerabilities
None known

SCIM User Sync/Provisioning Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

SCIM User Sync/Provisioning Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
2 prepared
Unescaped Output
6
89 escaped
Nonce Checks
3
Capability Checks
0
File Operations
1
External Requests
2
Bundled Libraries
0

SQL Query Safety

100% prepared2 total queries

Output Escaping

94% escaped95 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

3 flows1 with unsanitized paths
<mo-scim-user-provisioner-menu-settings> (mo-scim-user-provisioner-menu-settings.php:0)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

SCIM User Sync/Provisioning Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 9
actionnetwork_admin_menumo-scim-user-provisioner.php:26
actionadmin_menumo-scim-user-provisioner.php:28
actionadmin_initmo-scim-user-provisioner.php:30
actioninitmo-scim-user-provisioner.php:31
actionadmin_enqueue_scriptsmo-scim-user-provisioner.php:35
actionadmin_enqueue_scriptsmo-scim-user-provisioner.php:36
actionadmin_footermo-scim-user-provisioner.php:37
actionadmin_noticesmo-scim-user-provisioner.php:75
actionadmin_noticesmo-scim-user-provisioner.php:79
Maintenance & Trust

SCIM User Sync/Provisioning Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5
Last updatedOct 17, 2025
PHP min version5.4
Downloads11K

Community Trust

Rating100/100
Number of ratings3
Active installs200
Alternatives

SCIM User Sync/Provisioning Alternatives

User Sync

User Sync

user-sync

A
99

User sync for WordPress plugin enables automated user sync from WP to Salesforce, Zoom, Tableau, and remote user sync from multiple WordPress sites

200 1 CVE
SAML Single Sign On – SSO Login

SAML Single Sign On – SSO Login

miniorange-saml-20-single-sign-on

A
98

SAML SSO (Single Sign On) for WordPress Login with Okta, Entra ID, Azure AD/B2C, G-Suite, Shibboleth, OneLogin, Keycloak, Salesforce [24/7 Support]

10K 6 CVEs
UddoktaPay

UddoktaPay

uddoktapay-gateway

A
100

UddoktaPay Plugin for WooCommerce.

1K No CVEs
User Sync for Azure AD / Azure B2C

User Sync for Azure AD / Azure B2C

user-sync-for-azure-office365

A
100

Create Business Directory and Bi-Directional User Synchronization with Azure AD, Azure B2C and Office 365. CPT,Taxonomies supported.

90 No CVEs
Multisite User Sync

Multisite User Sync

multisite-user-sync

A
85

Multisite User Sync will automatically synchronize users to all sites in multisite. Roles of users will be same on everysite.

40 No CVEs
Developer Profile

SCIM User Sync/Provisioning Developer Profile

miniOrange

38 plugins · 83K total installs

76
trust score
Avg Security Score
96/100
Avg Patch Time
324 days
View full developer profile
Detection Fingerprints

How We Detect SCIM User Sync/Provisioning

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/scim-user-provisioning/includes/css/style_settings.min.css/wp-content/plugins/scim-user-provisioning/includes/css/style_settings.css/wp-content/plugins/scim-user-provisioning/includes/css/phone.min.css/wp-content/plugins/scim-user-provisioning/includes/js/settings.min.js/wp-content/plugins/scim-user-provisioning/includes/js/phone.min.js/wp-content/plugins/scim-user-provisioning/images/miniorange.png
Script Paths
/wp-content/plugins/scim-user-provisioning/includes/js/settings.min.js/wp-content/plugins/scim-user-provisioning/includes/js/phone.min.js
Version Parameters
scim-user-provisioning/includes/css/style_settings.min.css?ver=scim-user-provisioning/includes/css/style_settings.css?ver=scim-user-provisioning/includes/css/phone.min.css?ver=scim-user-provisioning/includes/js/settings.min.js?ver=scim-user-provisioning/includes/js/phone.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
msup_modalmsup_modal-contentmsup_closemsup_smi_ratesm
Data Attributes
id="msup_feedback_modal"class="msup_modal"id="msup_feedback"name="msup_feedback"id="msup_smi_rate"name="rate"
JS Globals
msup_scim_up_plugin_version
FAQ

Frequently Asked Questions about SCIM User Sync/Provisioning