Surfer – WordPress Plugin Security & Risk Analysis

wordpress.org/plugins/surferseo

Connect Surfer's Content Editor to WordPress. Write and optimize your articles for SEO, find new keyword ideas and publish straight to WordPress.

6K active installs · v1.6.8.626 · PHP 7.4+ · WP 6.0+ · Updated Mar 9, 2026
Tags: content, content-writing, keyword-research, keywords, seo
Security score: 97 (A · Safe)
CVEs total: 3
Unpatched: 0
Last CVE: Sep 3, 2025
Safety Verdict

Is Surfer – WordPress Plugin Safe to Use in 2026?

Generally Safe

Score 97/100

Surfer – WordPress Plugin has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEs · Last CVE: Sep 3, 2025 · Updated 25d ago
Risk Assessment

The SurferSEO plugin v1.6.8.626 exhibits a mixed security posture. On the positive side, it demonstrates strong practices by utilizing prepared statements for all SQL queries and a high percentage of output escaping. Furthermore, there are no currently unpatched CVEs, and the historical vulnerability types do not point to persistent critical issues.

However, significant concerns arise from the attack surface. A substantial number of AJAX handlers (17 out of 26) lack authentication checks, creating a broad entry point for potential attackers. While taint analysis did not reveal critical or high-severity issues, the presence of two flows with unsanitized paths, even if classified as lower severity, warrants attention. The historical vulnerability types, including missing authorization and SQL injection, coupled with the unauthenticated AJAX handlers, suggest a recurring pattern of authorization-related weaknesses that could be exploited if new vulnerabilities are introduced.

In conclusion, while the plugin has made progress in areas like SQL security and output sanitization, the extensive attack surface with unauthenticated endpoints remains a primary weakness. The historical pattern of authorization flaws indicates a need for more rigorous and consistent security implementation across all entry points to prevent potential exploitation.

Key Concerns

  • Large attack surface without auth (AJAX)
  • Taint flow with unsanitized path (2 instances)
  • Missing nonce checks on 17 AJAX handlers
  • Historical SQL Injection vulnerabilities
  • Historical Missing Authorization vulnerabilities
Vulnerabilities (3)

Surfer – WordPress Plugin Security Vulnerabilities

CVEs by Year

  • 2023: 1 CVE
  • 2024: 1 CVE
  • 2025: 1 CVE

Severity Breakdown

  • Medium: 3

3 total CVEs

CVE-2025-58603 · medium · 5.3 · Missing Authorization
Surfer <= 1.6.4.574 - Missing Authorization
Sep 3, 2025 · Patched in 1.6.5.584 (7d)

CVE-2024-49299 · medium · 4.9 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Surfer <= 1.5.0.502 - Authenticated (Administrator+) SQL Injection
Oct 15, 2024 · Patched in 1.6.0.523 (32d)

CVE-2023-35037 · medium · 5.4 · Missing Authorization
Surfer <= 1.3.2.357 - Missing Authorization
Sep 1, 2023 · Patched in 1.3.3.379 (144d)
Code Analysis (analyzed Mar 16, 2026)

Surfer – WordPress Plugin Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (39 prepared)
  • Unescaped Output: 52 (309 escaped)
  • Nonce Checks: 17
  • Capability Checks: 9
  • File Operations: 19
  • External Requests: 4
  • Bundled Libraries: 0

SQL Query Safety: 100% prepared (39 total queries)

Output Escaping: 86% escaped (361 total outputs)
Data Flows (2 unsanitized)

Data Flow Analysis

3 flows, 2 with unsanitized paths

  • save (includes\forms\class-surfer-form-config-ci.php:642)

Flow diagram legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface (17 unprotected)

Surfer – WordPress Plugin Attack Surface

Entry Points: 33
Unprotected: 17

AJAX Handlers (26)

  • auth · wp_ajax_surfer_create_content_editor · includes\surfer\class-content-exporter.php:41
  • auth · wp_ajax_surfer_update_content_editor · includes\surfer\class-content-exporter.php:42
  • auth · wp_ajax_surfer_remove_post_draft_connection · includes\surfer\class-content-exporter.php:43
  • auth · wp_ajax_surfer_check_draft_status · includes\surfer\class-content-exporter.php:44
  • auth · wp_ajax_surfer_get_locations · includes\surfer\class-content-exporter.php:45
  • auth · wp_ajax_surfer_get_post_sync_status · includes\surfer\class-content-exporter.php:46
  • auth · wp_ajax_surfer_gather_posts_to_reconnect · includes\surfer\class-content-exporter.php:48
  • auth · wp_ajax_surfer_reconnect_posts_with_drafts · includes\surfer\class-content-exporter.php:49
  • auth · wp_ajax_surfer_remove_old_backups · includes\surfer\class-content-exporter.php:50
  • auth · wp_ajax_surfer_pull_and_override_content · includes\surfer\class-content-importer.php:57
  • auth · wp_ajax_surfer_get_post_json_schema · includes\surfer\class-json-schema.php:31
  • auth · wp_ajax_surfer_save_post_json_schema · includes\surfer\class-json-schema.php:32
  • auth · wp_ajax_surfer_get_user_drafts · includes\surfer\class-surfer-general-endpoints.php:47
  • auth · wp_ajax_surfer_get_user_credits · includes\surfer\class-surfer-general-endpoints.php:48
  • auth · wp_ajax_surfer_get_user_workspaces · includes\surfer\class-surfer-general-endpoints.php:49
  • auth · wp_ajax_surfer_track_keyword_research_usage · includes\surfer\class-surfer-tracking.php:40
  • auth · wp_ajax_surfer_track_event · includes\surfer\class-surfer-tracking.php:41
  • nopriv · wp_ajax_surfer_track_event · includes\surfer\class-surfer-tracking.php:42
  • auth · wp_ajax_generate_connection_url · includes\surfer\class-surfer.php:119
  • auth · wp_ajax_disconnect_surfer · includes\surfer\class-surfer.php:120
  • auth · wp_ajax_check_connection_status · includes\surfer\class-surfer.php:122
  • auth · wp_ajax_surfer_transfer_gsc_data_to_new_format · includes\surfer\gsc\class-surfer-gsc-data-migration.php:32
  • auth · wp_ajax_surfer_test_gsc_traffic_gatherer · includes\surfer\gsc\class-surfer-gsc-drop-monitor.php:51
  • auth · wp_ajax_surfer_get_posts_for_performance_report · includes\surfer\gsc\class-surfer-gsc-drop-monitor.php:53
  • auth · wp_ajax_surfer_get_domain_performance_report · includes\surfer\gsc\class-surfer-gsc-drop-monitor.php:54
  • auth · wp_ajax_surfer_test_email_performance_report · includes\surfer\gsc\class-surfer-gsc-drop-monitor.php:56

REST API Routes (7)

  • POST · /wp-json/surferseo/v1/get_post_types/ · includes\surfer\class-surfer-general-endpoints.php:57
  • POST · /wp-json/surferseo/v1/connect/ · includes\surfer\class-surfer.php:190
  • DELETE · /wp-json/surferseo/v1/disconnect/ · includes\surfer\class-surfer.php:203
  • POST · /wp-json/surferseo/v1/import_post/ · includes\surfer\class-surfer.php:216
  • GET · /wp-json/surferseo/v1/get_posts/ · includes\surfer\class-surfer.php:228
  • GET · /wp-json/surferseo/v1/list_post_details_options/ · includes\surfer\class-surfer.php:241
  • POST · /wp-json/surferseo/v1/disconnect_draft/ · includes\surfer\class-surfer.php:254
WordPress Hooks (51)

  • action · admin_menu · includes\admin\class-surfer-admin.php:29
  • action · admin_enqueue_scripts · includes\admin\class-surfer-admin.php:31
  • action · admin_init · includes\admin\class-surfer-admin.php:33
  • action · admin_init · includes\admin\class-surfer-admin.php:34
  • action · admin_notices · includes\admin\class-surfer-admin.php:36
  • action · admin_notices · includes\admin\class-surfer-admin.php:37
  • filter · views_users · includes\admin\class-surfer-admin.php:46
  • action · wp_head · includes\class-seo-manager.php:24
  • filter · plugin_action_links_surferseo/surferseo.php · includes\class-surferseo.php:138
  • filter · safe_style_css · includes\class-surferseo.php:140
  • filter · cron_schedules · includes\class-surferseo.php:141
  • action · upgrader_process_complete · includes\class-surferseo.php:236
  • action · admin_enqueue_scripts · includes\class-surferseo.php:293
  • action · init · includes\surfer\class-content-exporter.php:31
  • filter · post_row_actions · includes\surfer\class-content-exporter.php:38
  • filter · page_row_actions · includes\surfer\class-content-exporter.php:39
  • filter · init · includes\surfer\class-content-importer.php:49
  • action · enqueue_block_editor_assets · includes\surfer\class-json-schema.php:26
  • action · admin_enqueue_scripts · includes\surfer\class-json-schema.php:27
  • action · add_meta_boxes · includes\surfer\class-json-schema.php:29
  • action · wp_head · includes\surfer\class-json-schema.php:34
  • action · enqueue_block_editor_assets · includes\surfer\class-keyword-surfer.php:33
  • action · admin_enqueue_scripts · includes\surfer\class-keyword-surfer.php:34
  • action · add_meta_boxes · includes\surfer\class-keyword-surfer.php:36
  • action · init · includes\surfer\class-surfer-general-endpoints.php:39
  • action · init · includes\surfer\class-surfer-gsc.php:64
  • action · surfer_process_image_queue · includes\surfer\class-surfer-image-processor.php:24
  • action · admin_enqueue_scripts · includes\surfer\class-surfer-sidebar.php:27
  • action · add_meta_boxes · includes\surfer\class-surfer-sidebar.php:29
  • action · init · includes\surfer\class-surfer-tracking.php:27
  • action · admin_notices · includes\surfer\class-surfer-tracking.php:36
  • action · admin_init · includes\surfer\class-surfer-tracking.php:37
  • action · admin_init · includes\surfer\class-surfer-tracking.php:38
  • action · init · includes\surfer\class-surfer.php:116
  • action · rest_api_init · includes\surfer\class-surfer.php:117
  • action · surfer_gather_available_locations · includes\surfer\class-surfer.php:124
  • filter · posts_where · includes\surfer\class-surfer.php:662
  • action · init · includes\surfer\gsc\class-surfer-gsc-data-migration.php:25
  • action · init · includes\surfer\gsc\class-surfer-gsc-drop-monitor.php:36
  • action · surfer_gather_drop_monitor_data · includes\surfer\gsc\class-surfer-gsc-drop-monitor.php:44
  • action · surfer_gather_position_monitor_data_bunch · includes\surfer\gsc\class-surfer-gsc-drop-monitor.php:45
  • action · init · includes\surfer\gsc\class-surfer-gsc-notifications.php:25
  • action · admin_notices · includes\surfer\gsc\class-surfer-gsc-notifications.php:33
  • action · admin_notices · includes\surfer\gsc\class-surfer-gsc-notifications.php:34
  • action · admin_init · includes\surfer\gsc\class-surfer-gsc-notifications.php:35
  • action · init · includes\surfer\gsc\class-surfer-gsc-posts-list.php:25
  • filter · manage_posts_columns · includes\surfer\gsc\class-surfer-gsc-posts-list.php:32
  • action · manage_posts_custom_column · includes\surfer\gsc\class-surfer-gsc-posts-list.php:33
  • action · init · includes\surfer\integrations\class-elementor.php:35
  • action · elementor/editor/after_enqueue_styles · includes\surfer\integrations\class-elementor.php:43
  • action · elementor/documents/register_controls · includes\surfer\integrations\class-elementor.php:44

Scheduled Events (5)

  • surfer_process_image_queue
  • surfer_gather_available_locations
  • surfer_process_image_queue
  • surfer_gather_drop_monitor_data
  • surfer_gather_position_monitor_data_bunch
Maintenance & Trust

Surfer – WordPress Plugin Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Mar 9, 2026
  • PHP min version: 7.4
  • Downloads: 140K

Community Trust

  • Rating: 94/100
  • Number of ratings: 10
  • Active installs: 6K
Developer Profile

Surfer – WordPress Plugin Developer Profile

Surfer

1 plugin · 6K total installs

  • Trust score: 86
  • Avg Security Score: 97/100
  • Avg Patch Time: 61 days
Detection Fingerprints

How We Detect Surfer – WordPress Plugin

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/surferseo/assets/images/admin_menu_logo.svg
  • /wp-content/plugins/surferseo/assets/js/surfer-connector.js
  • /wp-content/plugins/surferseo/assets/js/surfer-gsc-checker.js
  • /wp-content/plugins/surferseo/assets/js/surfer-analytics.js

Version Parameters

  • surferseo/assets/js/surfer-connector.js?ver=
  • surferseo/assets/js/surfer-gsc-checker.js?ver=
  • surferseo/assets/js/surfer-analytics.js?ver=

HTML / DOM Fingerprints

JS Globals

  • window.surfer_connection_lang
  • window.surfer_lang
  • window.surfer_analytics_lang
FAQ

Frequently Asked Questions about Surfer – WordPress Plugin