Slash Admin Security & Risk Analysis

wordpress.org/plugins/slash-admin

Dozens of settings aiming at creating a friendlier administration environment for both Administrators and Editors.

500 active installs · v3.8.3 · PHP 7.0+ · WP 5.0+ · Updated Mar 1, 2024
Tags: admin, administration, dashboard, login, wordpress
Score: 84 (B · Generally Safe)
CVEs total: 1
Unpatched: 0
Last CVE: Apr 23, 2024
Safety Verdict

Is Slash Admin Safe to Use in 2026?

Mostly Safe

Score 84/100

Slash Admin is generally safe to use, though it hasn't been updated recently. Its 1 past CVE was resolved. Keep it updated.

1 known CVE · Last CVE: Apr 23, 2024 · Updated 2yr ago
Risk Assessment

The 'slash-admin' plugin version 3.8.3 exhibits a mixed security posture. On the positive side, the plugin demonstrates good practices by avoiding dangerous functions, utilizing prepared statements for all SQL queries, and performing capability checks for its functionalities. There are no identified unsanitized taint flows and no known unpatched vulnerabilities, which are significant strengths.

However, there are notable areas of concern. The static analysis counts 56 output operations, of which only 21% are properly escaped. This indicates a high risk of Cross-Site Scripting (XSS), since unescaped output can allow attacker-controlled script to execute in a user's browser. Furthermore, the plugin has a history of known vulnerabilities, specifically Cross-Site Request Forgery (CSRF), with the most recent disclosed in April 2024. While there are currently no unpatched vulnerabilities, this history suggests a recurring pattern of security weaknesses that requires ongoing attention.

In conclusion, 'slash-admin' v3.8.3 has strengths in its database and authorization handling but suffers from a critical weakness in output escaping, presenting a substantial XSS risk. The plugin's vulnerability history, particularly with CSRF, further underscores the need for vigilance and code auditing. Addressing the unescaped output is paramount to improving its security.

Key Concerns

  • High percentage of unescaped output
  • History of known vulnerabilities (CSRF)
  • No nonce checks implemented
Vulnerabilities (1)

Slash Admin Security Vulnerabilities

CVEs by Year

1 CVE in 2024 (patched; none unpatched)

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2024-32958 · medium · 6.1 · Cross-Site Request Forgery (CSRF)

Slash Admin <= 3.8.1 - Cross-Site Request Forgery

Apr 23, 2024 · Patched in 3.8.2 (7d)
Code Analysis
Analyzed Mar 16, 2026

Slash Admin Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 44 (12 escaped)
Nonce Checks: 0
Capability Checks: 12
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

21% escaped · 56 total outputs
Attack Surface

Slash Admin Attack Surface

Entry Points: 6
Unprotected: 0

Shortcodes (6)

[slash_mail] inc\shortcodes.php:20
[slash_mailto] inc\shortcodes.php:32
[slash_home] inc\shortcodes.php:45
[slash_theme] inc\shortcodes.php:53
[slash_child] inc\shortcodes.php:61
[slash_phone] inc\shortcodes.php:81
WordPress Hooks (68)

action init classes\ACF.class.php:7
filter acf/settings/show_admin classes\ACF.class.php:18
action wp_head classes\Consent.class.php:11
action wp_footer classes\Consent.class.php:12
filter recovery_mode_email classes\Email.class.php:7
filter auto_plugin_theme_update_email classes\Email.class.php:8
filter the_content classes\Email.class.php:10
action wp_enqueue_scripts classes\Fonts.class.php:26
filter style_loader_tag classes\Fonts.class.php:27
action wp_footer classes\InternetExplorer.class.php:12
action wp_head classes\Loader.class.php:11
action wp_head classes\Scripts.class.php:8
action wp_body_open classes\Scripts.class.php:9
action wp_footer classes\Scripts.class.php:10
action wp_dashboard_setup classes\SiteHealth.class.php:8
action admin_menu classes\SiteHealth.class.php:9
action init classes\TaxonomyOrder.class.php:27
filter acf/settings/show_admin inc\acf-mods.php:10
action init inc\acf-mods.php:13
action admin_notices inc\admin_notices.php:81
action init inc\custom-splash.php:25
action admin_init inc\editors-allow.php:20
action admin_enqueue_scripts inc\editors-allow.php:86
action wp_enqueue_scripts inc\editors-allow.php:87
action admin_init inc\editors-allow.php:99
action admin_init inc\editors-allow.php:110
filter gform_display_add_form_button inc\editors-allow.php:139
filter get_the_archive_title inc\frontend-misc.php:29
action init inc\frontend-misc.php:40
filter widget_text inc\frontend-misc.php:47
filter jetpack_development_mode inc\jetpack.php:12
action loop_start inc\jetpack.php:25
filter wp_revisions_to_keep inc\limit-revisions.php:30
action login_enqueue_scripts inc\login.php:6
filter login_headerurl inc\login.php:82
filter login_headertext inc\login.php:88
filter login_redirect inc\login.php:103
action after_setup_theme inc\login.php:110
action admin_head inc\maintenance.php:20
filter login_message inc\maintenance.php:34
action admin_enqueue_scripts inc\non-admins.php:17
action login_enqueue_scripts inc\non-admins.php:18
action admin_menu inc\non-admins.php:119
action admin_head inc\non-admins.php:123
action admin_menu inc\non-admins.php:144
filter user_has_cap inc\non-admins.php:181
action init inc\non-admins.php:197
action pre_get_posts inc\non-admins.php:219
action wp_before_admin_bar_render inc\non-admins.php:239
filter tiny_mce_plugins inc\performance.php:18
action init inc\performance.php:21
action wp_footer inc\performance.php:49
action wp_head inc\performance.php:71
action wp_head inc\performance.php:100
filter gettext inc\white-label.php:24
action admin_init inc\white-label.php:43
filter admin_footer_text inc\white-label.php:47
action admin_enqueue_scripts inc\white-label.php:58
action wp_enqueue_scripts inc\white-label.php:59
action admin_init inc\white-label.php:90
action welcome_panel inc\white-label.php:91
action wp_dashboard_setup inc\white-label.php:106
action admin_head inc\white-label.php:124
action init inc\whois-online.php:11
action admin_init inc\whois-online.php:12
action admin_notices inc\whois-online.php:89
action admin_menu options.php:40
action admin_init options.php:41
Maintenance & Trust

Slash Admin Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.4.8
Last updated: Mar 1, 2024
PHP min version: 7.0
Downloads: 28K

Community Trust

Rating: 100/100
Number of ratings: 9
Active installs: 500
Developer Profile

Slash Admin Developer Profile

Giorgos Sarigiannidis

7 plugins · 10K total installs
Trust score: 91
Avg Security Score: 87/100
Avg Patch Time: 5 days
Detection Fingerprints

How We Detect Slash Admin

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/slash-admin/js/editors-allow.js
/wp-content/plugins/slash-admin/inc/performance.js
/wp-content/plugins/slash-admin/inc/frontend-misc.js
/wp-content/plugins/slash-admin/inc/admin_notices.js
/wp-content/plugins/slash-admin/inc/jetpack.js

Script Paths
//fonts.googleapis.com/css?family=
/vendor/wptt-webfont-loader.php

Version Parameters
slash-admin/style.css?ver=
editors-allow-scripts?ver=
slash-admin-fonts?ver=
slash-admin-fonts_?ver=

HTML / DOM Fingerprints

CSS Classes
slashadmin-admin-bar
slashadmin-widget

HTML Comments
<!--Slash Admin- Frontend Misc-->
<!--Slash Admin- Admin Notices-->
<!--Slash Admin- Jetpack-->
<!--Slash Admin- Custom Splash Page-->
+7 more

Data Attributes
data-slashadmin-widget-id
data-slashadmin-admin-bar-id

JS Globals
window.slashadmin_editors_allow
window.slashadmin_maintenance_params
window.slashadmin_admin_bar_params

Shortcode Output
[slashadmin_maintenance_mode]
[slashadmin_current_time]
[slashadmin_visitor_info]
[slashadmin_user_login_status]
FAQ

Frequently Asked Questions about Slash Admin