Sessions Security & Risk Analysis

wordpress.org/plugins/sessions

Powerful sessions manager for WordPress with sessions limiter and full analytics reporting capabilities.

900 active installs · v3.3.0 · PHP 8.1+ · WP 6.2+ · Updated Nov 22, 2025

Tags: authentication, login, protection, role, session

Score: 99 (A · Safe)
CVEs total: 1
Unpatched: 0
Last CVE: Aug 22, 2025
Safety Verdict

Is Sessions Safe to Use in 2026?

Generally Safe

Score 99/100

Sessions has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Aug 22, 2025 · Updated 4mo ago
Risk Assessment

The 'sessions' v3.3.0 plugin exhibits a mixed security posture. On the positive side, it demonstrates good practices such as a low number of dangerous functions, a high percentage of SQL queries using prepared statements, and a significant number of nonce and capability checks. However, there are notable areas of concern. The presence of two AJAX handlers without authentication checks exposes a significant attack surface, making these endpoints vulnerable to unauthorized access and potential exploitation.

The plugin's vulnerability history currently shows no unpatched CVEs, but it does include a past medium-severity Cross-Site Scripting (XSS) vulnerability. Although that issue was patched, the fact that it was recorded as recently as 2025-08-22 suggests the codebase may remain susceptible to similar input-sanitization issues. The absence of taint-analysis findings is a neutral observation: no unsanitized flows were identified, but the result is limited to the specific analysis performed and does not cover every possible scenario.

In conclusion, while the 'sessions' v3.3.0 plugin has strengths in its use of secure coding practices like prepared statements and nonce checks, the unprotected AJAX endpoints represent a clear and present risk. The past XSS vulnerability also warrants ongoing vigilance. Overall, the plugin is moderately secure but requires attention to its exposed entry points.

Key Concerns

  • Unprotected AJAX handlers
  • Past medium severity vulnerability
  • Moderate output escaping effectiveness

Sessions Security Vulnerabilities

CVEs by Year

2025: 1 CVE (patched)

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2025-57890 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Sessions <= 3.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Aug 22, 2025 · Patched in 3.2.1 (5d)
Sessions Code Analysis

Analyzed Mar 16, 2026

Dangerous Functions: 0
Raw SQL Queries: 5 (23 prepared)
Unescaped Output: 40 (70 escaped)
Nonce Checks: 15
Capability Checks: 2
File Operations: 11
External Requests: 5
Bundled Libraries: 0

SQL Query Safety

82% prepared, 28 total queries

Output Escaping

64% escaped, 110 total outputs

Sessions Attack Surface

Entry Points: 7
Unprotected: 2

AJAX Handlers (3)

auth | wp_ajax_hide_pose_nag | includes\plugin\class-core.php:107
auth | wp_ajax_pose_get_stats | includes\plugin\class-core.php:108
auth | wp_ajax_poo_switch_autoupdate | perfopsone\functions.php:32

Shortcodes (4)

[pose-wpcli] | includes\features\class-wpcli.php:744
[pose-changelog] | includes\plugin\class-core.php:83
[pose-libraries] | includes\plugin\class-core.php:84
[pose-statistics] | includes\plugin\class-core.php:85

WordPress Hooks (52)

filter | init_perfopsone_admin_menus | admin\class-sessions-admin.php:165
action | sessions_after_idle_terminate | includes\features\class-capture.php:123
action | sessions_after_expired_terminate | includes\features\class-capture.php:124
action | auth_cookie_expired | includes\features\class-capture.php:125
action | sessions_force_terminate | includes\features\class-capture.php:126
action | sessions_force_admin_terminate | includes\features\class-capture.php:127
action | delete_user | includes\features\class-capture.php:128
action | user_register | includes\features\class-capture.php:129
action | password_reset | includes\features\class-capture.php:130
action | wp_logout | includes\features\class-capture.php:131
action | wp_login_failed | includes\features\class-capture.php:132
action | wp_login | includes\features\class-capture.php:133
action | jpp_kill_login | includes\features\class-capture.php:134
action | wordfence_security_event | includes\features\class-capture.php:143
action | shutdown | includes\features\class-schema.php:56
action | show_user_profile | includes\features\class-useradministration.php:32
action | edit_user_profile | includes\features\class-useradministration.php:33
action | shutdown | includes\features\class-zookeeper.php:37
filter | perfopsone_plugin_info | includes\plugin\class-core.php:79
action | init | includes\plugin\class-core.php:80
action | init | includes\plugin\class-core.php:81
action | wp_head | includes\plugin\class-core.php:82
action | admin_enqueue_scripts | includes\plugin\class-core.php:98
action | admin_enqueue_scripts | includes\plugin\class-core.php:99
action | admin_menu | includes\plugin\class-core.php:100
action | admin_menu | includes\plugin\class-core.php:101
action | admin_menu | includes\plugin\class-core.php:102
action | admin_init | includes\plugin\class-core.php:103
filter | plugin_row_meta | includes\plugin\class-core.php:105
action | admin_notices | includes\plugin\class-core.php:106
action | wp_enqueue_scripts | includes\plugin\class-core.php:120
action | wp_enqueue_scripts | includes\plugin\class-core.php:121
filter | sessions_blocked_message | includes\plugin\class-core.php:132
filter | sessions_bad_ip_message | includes\plugin\class-core.php:142
filter | plugins_api | includes\plugin\class-updater.php:65
filter | site_transient_update_plugins | includes\plugin\class-updater.php:66
action | upgrader_process_complete | includes\plugin\class-updater.php:67
filter | clean_url | includes\plugin\class-updater.php:68
filter | perfopsone_apcu_info | includes\system\class-apcu.php:51
action | after_password_reset | includes\system\class-session.php:1031
action | init | includes\system\class-session.php:1033
action | set_current_user | includes\system\class-session.php:1034
filter | auth_cookie_expiration | includes\system\class-session.php:1059
filter | authenticate | includes\system\class-session.php:1060
filter | jetpack_sso_handle_login | includes\system\class-session.php:1061
filter | site_status_tests | includes\system\class-sitehealth.php:77
filter | site_status_tests | includes\system\class-sitehealth.php:78
filter | site_status_tests | includes\system\class-sitehealth.php:79
filter | site_status_tests | includes\system\class-sitehealth.php:81
filter | debug_information | includes\system\class-sitehealth.php:91
filter | debug_information | includes\system\class-sitehealth.php:109
action | admin_bar_menu | perfopsone\class-adminbar.php:54

Sessions Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Nov 22, 2025
PHP min version: 8.1
Downloads: 24K

Community Trust

Rating: 96/100
Number of ratings: 8
Active installs: 900

Sessions Developer Profile

Pierre Lannoy

12 plugins · 15K total installs

Trust score: 87
Avg Security Score: 99/100
Avg Patch Time: 65 days

How We Detect Sessions

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/sessions/assets/css/sessions.css
/wp-content/plugins/sessions/assets/js/sessions.js

Script Paths
/wp-content/plugins/sessions/assets/js/sessions.js

Version Parameters
sessions/assets/css/sessions.css?ver=
sessions/assets/js/sessions.js?ver=

HTML / DOM Fingerprints

CSS Classes
pose-about-logo

Data Attributes
data-pose-id

JS Globals
POSE_ASSETS_ID, POSE_PRODUCT_NAME, POSE_VERSION, POSE_SLUG

Shortcode Output
[pose-libraries], [pose-changelog], [pose-wpcli]

Frequently Asked Questions about Sessions