teachPress Security & Risk Analysis

wordpress.org/plugins/teachpress

Manage your publications with teachPress

2K active installs · v9.0.12 · PHP 7.0+ · WP 3.9+ · Updated Apr 7, 2025
Tags: bibliography, bibtex, publications

Score: 47 · D · High Risk
CVEs total: 9
Unpatched: 2
Last CVE: Jan 6, 2026
Safety Verdict

Is teachPress Safe to Use in 2026?

High Risk

Score 47/100

teachPress carries significant security risk with 9 known CVEs, 2 still unpatched. Consider switching to a maintained alternative.

9 known CVEs · 2 unpatched · Last CVE: Jan 6, 2026 · Updated 12mo ago
Risk Assessment

teachPress v9.0.12 shows a mixed security posture: some positive indicators alongside significant areas of concern. It uses prepared statements for a good portion of its SQL queries and has a reasonable number of nonce and capability checks, but the unprotected AJAX handlers and the notable share of improperly escaped output are red flags. The taint analysis is promising, showing no critical or high severity unsanitized flows, but this is offset by the plugin's historical vulnerability record. The nine known CVEs, including a high-severity SQL injection and several medium-severity CSRF and XSS issues, suggest a recurring pattern of insecure coding practices. That two CVEs remain unpatched is a critical issue that compounds the risk from the existing vulnerabilities, and the most recent vulnerability was recorded very recently, indicating ongoing security challenges.

Key Concerns

  • Unpatched CVEs
  • AJAX handlers without auth checks
  • SQL queries without prepared statements
  • Output escaping not fully proper
  • High number of known CVEs historically
  • Uses dangerous function 'passthru'
Vulnerabilities (9)

teachPress Security Vulnerabilities

CVEs by Year

  • 2023: 4 CVEs (patched)
  • 2025: 4 CVEs (has unpatched)
  • 2026: 1 CVE (unpatched)

Severity Breakdown

  • High: 1
  • Medium: 8

9 total CVEs

CVE-2026-22483 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
teachPress <= 9.0.12 - Cross-Site Request Forgery
Jan 6, 2026 · Unpatched

CVE-2026-22353 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
teachPress <= 9.0.12 - Authenticated (Contributor+) Stored Cross-Site Scripting
Dec 30, 2025 · Unpatched

CVE-2025-32149 · medium · 6.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
teachPress <= 9.0.11 - Authenticated (Contributor+) SQL Injection
Apr 4, 2025 · Patched in 9.0.12 (329d)

CVE-2025-1320 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
teachPress <= 9.0.9 - Cross-Site Request Forgery to Import Delete
Mar 24, 2025 · Patched in 9.0.10 (122d)

CVE-2025-1321 · medium · 6.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
teachPress <= 9.0.7 - Authenticated (Contributor+) SQL Injection
Mar 3, 2025 · Patched in 9.0.8 (1d)

CVE-2023-49163 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
teachPress <= 9.0.5 - Cross-Site Request Forgery via delete_database()
Nov 28, 2023 · Patched in 9.0.6 (56d)

CVE-2023-48755 · medium · 5.3 · Cross-Site Request Forgery (CSRF)
teachPress <= 9.0.4 - Cross-Site Request Forgery
Nov 27, 2023 · Patched in 9.0.5 (57d)

CVE-2023-36501 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
teachPress <= 9.0.2 - Reflected Cross-Site Scripting via meta_field_id and cite_id
Jun 22, 2023 · Patched in 9.0.3 (215d)

CVE-2023-22704 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
teachPress <= 8.1.8 - Unauthenticated Stored Cross-Site Scripting
Jan 17, 2023 · Patched in 8.1.9 (371d)
Code Analysis (analyzed Mar 16, 2026)

teachPress Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 113 (281 prepared)
Unescaped Output: 190 (210 escaped)
Nonce Checks: 11
Capability Checks: 11
File Operations: 4
External Requests: 5
Bundled Libraries: 1

Dangerous Functions Found

passthru (core\feeds.php:114):
    passthru('echo ' . escapeshellarg($trimmed) . ' | bibtool -f "%-2n(author)_%-3T(title)_%2d(year)" -q

Bundled Libraries

TinyMCE

SQL Query Safety

71% prepared (394 total queries)

Output Escaping

53% escaped (400 total outputs)
Data Flows (8 unsanitized)

Data Flow Analysis

19 flows · 8 with unsanitized paths

tp_add_publication_page (admin\add-publication.php:30)

Flow diagram legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface (3 unprotected)

teachPress Attack Surface

Entry Points: 13
Unprotected: 3

AJAX Handlers 3

auth · wp_ajax_teachpress · teachpress.php:533
auth · wp_ajax_teachpressdocman · teachpress.php:534
auth · wp_ajax_tp_document_upload · teachpress.php:539

REST API Routes 1

GET /wp-json/teachpress/v1/autopublish/update_all · teachpress.php:519

Shortcodes 9

[tpcloud] teachpress.php:558
[tplist] teachpress.php:559
[tpsingle] teachpress.php:560
[tpbibtex] teachpress.php:561
[tpabstract] teachpress.php:562
[tplinks] teachpress.php:563
[tpsearch] teachpress.php:564
[tpcite] teachpress.php:565
[tpref] teachpress.php:566

WordPress Hooks 17

filter · set-screen-option · core\admin.php:897
filter · mce_buttons · teachpress.php:353
filter · mce_external_plugins · teachpress.php:354
action · init · teachpress.php:529
action · init · teachpress.php:530
action · init · teachpress.php:531
action · init · teachpress.php:532
action · admin_menu · teachpress.php:535
action · wp_head · teachpress.php:536
action · admin_init · teachpress.php:537
filter · plugin_action_links · teachpress.php:538
filter · screen_settings · teachpress.php:540
action · rest_api_init · teachpress.php:541
action · admin_head · teachpress.php:546
action · admin_head · teachpress.php:547
action · admin_menu · teachpress.php:556
action · widgets_init · teachpress.php:557
Maintenance & Trust

teachPress Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Apr 7, 2025
PHP min version: 7.0
Downloads: 116K

Community Trust

Rating: 96/100
Number of ratings: 24
Active installs: 2K
Developer Profile

teachPress Developer Profile

winkm89

1 plugin · 2K total installs

Trust score: 42
Avg Security Score: 47/100
Avg Patch Time: 164 days
Detection Fingerprints

How We Detect teachPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/teachpress/css/tp-admin.css
/wp-content/plugins/teachpress/css/tp-admin-icons.css
/wp-content/plugins/teachpress/css/tp-publications.css
/wp-content/plugins/teachpress/css/tp-publications-icons.css
/wp-content/plugins/teachpress/css/tp-widget.css
/wp-content/plugins/teachpress/js/tp-admin.js
/wp-content/plugins/teachpress/js/tp-publications.js
/wp-content/plugins/teachpress/js/tp-widget.js

Script Paths
/wp-content/plugins/teachpress/js/tp-admin.js
/wp-content/plugins/teachpress/js/tp-publications.js
/wp-content/plugins/teachpress/js/tp-widget.js

Version Parameters
teachpress/css/tp-admin.css?ver=
teachpress/css/tp-publications.css?ver=
teachpress/css/tp-widget.css?ver=
teachpress/js/tp-admin.js?ver=
teachpress/js/tp-publications.js?ver=
teachpress/js/tp-widget.js?ver=

HTML / DOM Fingerprints

CSS Classes
tp-publication, tp-publication-title, tp-publication-authors, tp-publication-year, tp-publication-type, tp-widget-publications

Data Attributes
data-tp-publication-id

JS Globals
teachpress, tp_publications_params, tp_widget_params

Shortcode Output
[teachpress_publications
[teachpress_single_publication
FAQ

Frequently Asked Questions about teachPress