SermonPress Security & Risk Analysis

wordpress.org/plugins/sermonpress

This is a fully customizable sermon library plugin. It comes complete with the ability to add audio and video sermons.

30 active installs · v1.3.1 · PHP + WP 4.9.0+ · Updated May 13, 2020
Tags: church, god, preacher, sermons, topics
Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is SermonPress Safe to Use in 2026?

Generally Safe

Score 85/100

SermonPress has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 5yr ago
Risk Assessment

The sermonpress plugin v1.3.1 exhibits a mixed security posture. On the positive side, it demonstrates good practices by using prepared statements for all SQL queries and avoiding external HTTP requests. The absence of known CVEs and recorded vulnerability history is a strong indicator of a well-maintained codebase or limited prior security scrutiny. However, there are significant concerns regarding the attack surface and data sanitization.

The static analysis reveals a total of 4 entry points, with 2 of them being AJAX handlers that lack authentication checks. This is a critical oversight that could allow unauthorized users to trigger actions within the plugin. Furthermore, the taint analysis shows 7 flows with unsanitized paths, although thankfully without critical or high severity indicators. The output escaping is also a concern, with only 54% of outputs being properly escaped, potentially leading to cross-site scripting (XSS) vulnerabilities if user-supplied data is not handled carefully.

While the plugin has no historical vulnerabilities, the current code analysis presents clear risks. The primary concerns are the unprotected AJAX handlers and the significant number of unsanitized taint flows, coupled with insufficient output escaping. These elements, despite the absence of known CVEs, suggest a potential for exploitation. The plugin would benefit greatly from robust input validation and output encoding on all user-facing functionality, especially the identified AJAX endpoints.

Key Concerns

  • AJAX handlers without auth checks
  • Flows with unsanitized paths
  • Insufficient output escaping
Vulnerabilities
None known

SermonPress Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

SermonPress Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (2 prepared)
Unescaped Output: 103 (120 escaped)
Nonce Checks: 2
Capability Checks: 0
File Operations: 4
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

Select2

SQL Query Safety

100% prepared · 2 total queries

Output Escaping

54% escaped · 223 total outputs
Data Flows
7 unsanitized

Data Flow Analysis

7 flows · 7 with unsanitized paths
<library-book> (sp_templates\archive\library-book.php:0)
Attack Surface
2 unprotected

SermonPress Attack Surface

Entry Points: 4
Unprotected: 2

AJAX Handlers 3

auth wp_ajax_rwmb_delete_file dependencies\meta-box\inc\fields\file.php:32
auth wp_ajax_rwmb_get_embed dependencies\meta-box\inc\fields\oembed.php:24
auth wp_ajax_sort-taxonomy inc\ajax-handler.php:8

Shortcodes 1

[rwmb_meta] dependencies\meta-box\inc\functions.php:201
WordPress Hooks 112
filter rwmb_meta_box_class_name dependencies\mb-settings-page\inc\class-mb-settings-page-loader.php:27
filter rwmb_meta_type dependencies\mb-settings-page\inc\class-mb-settings-page-loader.php:29
action mb_settings_page_init dependencies\mb-settings-page\inc\class-mb-settings-page-meta-box.php:44
action mb_settings_page_load dependencies\mb-settings-page\inc\class-mb-settings-page-meta-box.php:45
action init dependencies\mb-settings-page\inc\class-mb-settings-page-meta-box.php:48
filter rwmb_field_meta dependencies\mb-settings-page\inc\class-mb-settings-page-meta-box.php:106
action admin_menu dependencies\mb-settings-page\inc\class-mb-settings-page.php:37
action rwmb_before dependencies\mb-settings-page\inc\class-mb-settings-page.php:38
action init dependencies\mb-settings-page\inc\class-mb-settings-page.php:39
action admin_notices dependencies\mb-settings-page\inc\class-mb-settings-page.php:214
action init dependencies\mb-settings-page\mb-settings-page.php:24
action load-edit-tags.php dependencies\mb-term-meta\inc\class-mb-term-meta-box.php:39
action load-term.php dependencies\mb-term-meta\inc\class-mb-term-meta-box.php:40
filter rwmb_field_meta dependencies\mb-term-meta\inc\class-mb-term-meta-field.php:18
filter rwmb_meta_box_class_name dependencies\mb-term-meta\inc\class-mb-term-meta-loader.php:26
filter rwmb_meta_type dependencies\mb-term-meta\inc\class-mb-term-meta-loader.php:28
filter rwmb_meta_boxes dependencies\mb-term-meta\inc\class-mb-term-meta-loader.php:30
action init dependencies\mb-term-meta\mb-term-meta.php:24
filter plugin_action_links_meta-box/meta-box.php dependencies\meta-box\inc\about\about.php:29
action admin_menu dependencies\meta-box\inc\about\about.php:32
action admin_head dependencies\meta-box\inc\about\about.php:33
action admin_enqueue_scripts dependencies\meta-box\inc\about\about.php:36
action activated_plugin dependencies\meta-box\inc\about\about.php:39
filter plugin_action_links_meta-box/meta-box.php dependencies\meta-box\inc\core.php:20
action init dependencies\meta-box\inc\core.php:23
action edit_page_form dependencies\meta-box\inc\core.php:24
action post_edit_form_tag dependencies\meta-box\inc\fields\file.php:31
action print_media_templates dependencies\meta-box\inc\fields\media.php:45
filter get_media_item_args dependencies\meta-box\inc\fields\thickbox-image.php:18
action init dependencies\meta-box\inc\media-modal.php:25
filter attachment_fields_to_edit dependencies\meta-box\inc\media-modal.php:27
filter attachment_fields_to_save dependencies\meta-box\inc\media-modal.php:28
filter rwmb_show dependencies\meta-box\inc\media-modal.php:30
action admin_enqueue_scripts dependencies\meta-box\inc\meta-box.php:102
action add_meta_boxes dependencies\meta-box\inc\meta-box.php:116
filter default_hidden_meta_boxes dependencies\meta-box\inc\meta-box.php:119
action edit_attachment dependencies\meta-box\inc\meta-box.php:126
action add_attachment dependencies\meta-box\inc\meta-box.php:127
action rwmb_after dependencies\meta-box\inc\validation.php:17
action rwmb_enqueue_scripts dependencies\meta-box\inc\validation.php:18
action init dependencies\meta-box\inc\wpml.php:28
filter wpml_duplicate_generic_string dependencies\meta-box\inc\wpml.php:38
filter rwmb_normalize_field dependencies\meta-box\inc\wpml.php:39
filter rwmb_meta_box_settings dependencies\meta-box-columns\meta-box-columns.php:22
action rwmb_enqueue_scripts dependencies\meta-box-columns\meta-box-columns.php:37
action admin_enqueue_scripts dependencies\meta-box-conditional-logic\inc\class-mb-conditional-logic.php:17
action wp_enqueue_scripts dependencies\meta-box-conditional-logic\inc\class-mb-conditional-logic.php:19
action rwmb_before dependencies\meta-box-conditional-logic\inc\class-mb-conditional-logic.php:21
filter rwmb_wrapper_html dependencies\meta-box-conditional-logic\inc\class-mb-conditional-logic.php:23
action init dependencies\meta-box-conditional-logic\meta-box-conditional-logic.php:22
filter rwmb_field_meta dependencies\meta-box-group\class-rwmb-group-field.php:76
action init dependencies\meta-box-group\meta-box-group.php:36
action rwmb_before dependencies\meta-box-group\meta-box-group.php:38
action rwmb_after dependencies\meta-box-group\meta-box-group.php:39
action rwmb_enqueue_scripts dependencies\meta-box-tabs\meta-box-tabs.php:48
action rwmb_before dependencies\meta-box-tabs\meta-box-tabs.php:50
action rwmb_after dependencies\meta-box-tabs\meta-box-tabs.php:51
action rwmb_before dependencies\meta-box-tabs\meta-box-tabs.php:53
action rwmb_after dependencies\meta-box-tabs\meta-box-tabs.php:54
filter rwmb_outer_html dependencies\meta-box-tabs\meta-box-tabs.php:56
action rwmb_enqueue_scripts dependencies\meta-box-tooltip\meta-box-tooltip.php:29
filter rwmb_begin_html dependencies\meta-box-tooltip\meta-box-tooltip.php:30
filter rwmb_outer_html dependencies\meta-box-tooltip\meta-box-tooltip.php:31
action admin_head-nav-menus.php inc\admin\menu-builder.php:5
filter mb_settings_pages inc\admin\settings.php:3
filter rwmb_meta_boxes inc\admin\settings.php:27
action init inc\admin\settings.php:115
filter sermonpress_sermons_rewrite_slug inc\admin\settings.php:117
action update_option_sermonpress_settings inc\admin\settings.php:133
action add_option_sermonpress_settings inc\admin\settings.php:134
action admin_notices inc\admin\settings.php:151
action init inc\admin\settings.php:163
action admin_init inc\admin\settings.php:164
action plugins_loaded inc\bpms\bpms.php:27
filter bpms_plugins inc\bpms\_config.php:69
action init inc\cpt\sermon.php:44
filter rwmb_meta_boxes inc\cpt\sermon.php:208
action save_post inc\cpt\sermon.php:242
filter pre_get_posts inc\cpt\sermon.php:288
action wp_enqueue_scripts inc\enqueue-scripts.php:4
action admin_enqueue_scripts inc\enqueue-scripts.php:5
action admin_enqueue_scripts inc\enqueue-scripts.php:17
action wp_enqueue_scripts inc\enqueue-scripts.php:28
action init inc\taxonomies\book.php:5
action admin_init inc\taxonomies\book.php:40
filter pre_insert_term inc\taxonomies\book.php:59
action pre_delete_term inc\taxonomies\book.php:71
action init inc\taxonomies\series.php:5
filter rwmb_meta_boxes inc\taxonomies\series.php:39
action init inc\taxonomies\service.php:5
action init inc\taxonomies\speaker.php:5
filter rwmb_meta_boxes inc\taxonomies\speaker.php:38
action init inc\taxonomies\topic.php:5
filter single_template inc\templates-handler.php:30
action sermonpress_single_sermon_header inc\templates-handler.php:55
action sermonpress_single_sermon_content inc\templates-handler.php:61
action sermonpress_single_sermon_content inc\templates-handler.php:67
action sermonpress_single_sermon_content inc\templates-handler.php:73
action sermonpress_single_sermon_content inc\templates-handler.php:79
action sermonpress_single_sermon_content inc\templates-handler.php:85
action sermonpress_single_sermon_footer inc\templates-handler.php:91
action sermonpress_single_sermon_media inc\templates-handler.php:99
action sermonpress_single_sermon_media inc\templates-handler.php:105
action sermonpress_single_sermon_media inc\templates-handler.php:111
action sermonpress_single_sermon_media inc\templates-handler.php:117
filter archive_template inc\templates-handler.php:123
action sermonpress_sermon_archive_header inc\templates-handler.php:148
action sermonpress_sermon_archive_sidebar inc\templates-handler.php:154
action sermonpress_sermon_archive_main_content inc\templates-handler.php:189
action sermonpress_sermon_archive_main_content inc\templates-handler.php:197
action sermonpress_sermon_archive_main_content inc\templates-handler.php:205
action sermonpress_sermon_archive_footer inc\templates-handler.php:211
Maintenance & Trust

SermonPress Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.4.19
Last updated: May 13, 2020
PHP min version
Downloads: 2K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 30
Developer Profile

SermonPress Developer Profile

Clayton Kreisel

1 plugin · 30 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect SermonPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/sermonpress/public/css/sermonpress-public.css
  • /wp-content/plugins/sermonpress/public/js/sermonpress-public.js
  • /wp-content/plugins/sermonpress/admin/css/sermonpress-admin.css
  • /wp-content/plugins/sermonpress/admin/js/sermonpress-admin.js
Script Paths
  • /wp-content/plugins/sermonpress/public/js/sermonpress-public.js
  • /wp-content/plugins/sermonpress/admin/js/sermonpress-admin.js
Version Parameters
  • sermonpress/public/css/sermonpress-public.css?ver=
  • sermonpress/public/js/sermonpress-public.js?ver=
  • sermonpress/admin/css/sermonpress-admin.css?ver=
  • sermonpress/admin/js/sermonpress-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • sermonpress-single-sermon
  • sermonpress-sermons
  • sermonpress-audio-player
  • sermonpress-video-player
  • sermonpress-pdf-viewer
HTML Comments
  • SermonPress: Embed Audio Player Start
  • SermonPress: Embed Audio Player End
  • SermonPress: Embed Video Player Start
  • SermonPress: Embed Video Player End
  • (+2 more)
Data Attributes
  • data-sermonpress-audio
  • data-sermonpress-video
  • data-sermonpress-pdf
JS Globals
  • sermonpress_public_ajax_object
Shortcode Output
  • [sermonpress_single_sermon]
  • [sermonpress_sermons]
  • [sermonpress_embed_audio]
  • [sermonpress_embed_video]
FAQ

Frequently Asked Questions about SermonPress