Team Rosters Security & Risk Analysis

wordpress.org/plugins/team-rosters

Manages multiple team rosters. Creates roster tables, player galleries, and player profile pages.

200 active installs · v4.8.2 · PHP 5.6+ · WP 3.4.2+ · Updated Aug 28, 2025
Tags: players, rosters, sports, team-rosters, teams
Score: 72 · B · Generally Safe
CVEs total: 3
Unpatched: 1
Last CVE: Apr 2, 2025
Safety Verdict

Is Team Rosters Safe to Use in 2026?

Mostly Safe

Score 72/100

Team Rosters is generally safe to use. 3 past CVEs were resolved. Keep it updated.

3 known CVEs · 1 unpatched · Last CVE: Apr 2, 2025 · Updated 7mo ago
Risk Assessment

The "team-rosters" plugin v4.8.2 has a mixed security posture. It follows good practice in some areas: all SQL queries use prepared statements and a high percentage of outputs are properly escaped. Several areas are concerning, however. The code contains two calls to the dangerous `unserialize` function and 7 data flows with unsanitized paths (one of critical severity), which together indicate a significant risk of deserialization vulnerabilities, with potential for code execution or data manipulation if these calls are reached with untrusted input. The plugin also has a history of 3 known CVEs, one of them critical and unpatched, suggesting a recurring pattern of severe security weaknesses, and its 3 unprotected AJAX handlers expand the attack surface to potentially unauthenticated users.

Despite the strengths in SQL handling and output escaping, the deserialization risks and past vulnerabilities, particularly the unpatched critical one, elevate the overall risk level. Users should exercise extreme caution and prioritize updating or removing this plugin until all critical vulnerabilities are addressed.

Key Concerns

  • Unpatched Critical CVE
  • Critical Taint Flow
  • Dangerous Function: unserialize
  • Unprotected AJAX Handlers
  • Unsanitized Paths in Taint Flows
Vulnerabilities
3

Team Rosters Security Vulnerabilities

CVEs by Year

  • 2024: 1 CVE (unpatched)
  • 2025: 2 CVEs

Severity Breakdown

  • Critical: 1
  • Medium: 2

3 total CVEs

CVE-2025-31905 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Team Rosters <= 4.7 - Reflected Cross-Site Scripting

Apr 2, 2025 · Patched in 4.8 (149d)

CVE-2024-12320 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Team Rosters <= 4.7 - Reflected Cross-Site Scripting via 'tab'

Jan 30, 2025 · Patched in 4.8 (211d)

CVE-2024-52439 · critical · 9.8 · Deserialization of Untrusted Data

Team Rosters <= 4.8.2 - Unauthenticated PHP Object Injection

Nov 18, 2024 · Unpatched
Code Analysis
Analyzed Mar 16, 2026

Team Rosters Code Analysis

  • Dangerous Functions: 2
  • Raw SQL Queries: 0 (2 prepared)
  • Unescaped Output: 11 (578 escaped)
  • Nonce Checks: 5
  • Capability Checks: 8
  • File Operations: 5
  • External Requests: 0
  • Bundled Libraries: 0

Dangerous Functions Found

  • unserialize · `$args = unserialize( base64_decode( $argsStr ) );` · theme-templates\single-player-nonce.php:104
  • unserialize · `$args = unserialize( base64_decode( $argsStr ) );` · theme-templates\single-player.php:97

SQL Query Safety

100% prepared · 2 total queries

Output Escaping

98% escaped · 589 total outputs
Data Flows
7 unsanitized

Data Flow Analysis

13 flows · 7 with unsanitized paths
mstw_tr_ajax_callback (includes\mstw-tr-admin.php:598)
Attack Surface
3 unprotected

Team Rosters Attack Surface

Entry Points: 9
Unprotected: 3

AJAX Handlers 3

  • auth · wp_ajax_team_rosters · mstw-team-rosters.php:83
  • auth · wp_ajax_sort_roster · mstw-team-rosters.php:725
  • nopriv · wp_ajax_sort_roster · mstw-team-rosters.php:726

Shortcodes 6

[mstw_tr_roster_2] includes\mstw-tr-roster-tables-class.php:20
[mstw-tr-roster-2] includes\mstw-tr-roster-tables-class.php:23
[mstw-tr-gallery] mstw-team-rosters.php:94
[mstw_tr_gallery] mstw-team-rosters.php:97
[mstw-tr-roster] mstw-team-rosters.php:100
[mstw_tr_roster] mstw-team-rosters.php:103
WordPress Hooks 46

  • action · created_mstw_tr_team · includes\mstw-tr-admin.php:81
  • action · edit_mstw_tr_team · includes\mstw-tr-admin.php:84
  • filter · manage_edit-mstw_tr_team_columns · includes\mstw-tr-admin.php:87
  • filter · manage_edit-mstw_tr_team_sortable_columns · includes\mstw-tr-admin.php:89
  • filter · manage_mstw_tr_team_custom_column · includes\mstw-tr-admin.php:91
  • filter · mstw_tr_team_row_actions · includes\mstw-tr-admin.php:93
  • action · admin_enqueue_scripts · includes\mstw-tr-admin.php:100
  • action · admin_menu · includes\mstw-tr-admin.php:103
  • action · admin_init · includes\mstw-tr-admin.php:106
  • action · admin_notices · includes\mstw-tr-admin.php:107
  • action · admin_head-post.php · includes\mstw-tr-admin.php:111
  • action · admin_head-post-new.php · includes\mstw-tr-admin.php:112
  • action · admin_head-edit.php · includes\mstw-tr-admin.php:116
  • filter · post_row_actions · includes\mstw-tr-admin.php:120
  • filter · bulk_actions-edit-mstw_tr_player · includes\mstw-tr-admin.php:124
  • filter · post_updated_messages · includes\mstw-tr-admin.php:128
  • filter · bulk_post_updated_messages · includes\mstw-tr-admin.php:132
  • filter · term_updated_messages · includes\mstw-tr-admin.php:136
  • action · load-edit-tags.php · includes\mstw-tr-admin.php:384
  • action · load-edit.php · includes\mstw-tr-admin.php:407
  • action · load-post.php · includes\mstw-tr-admin.php:408
  • action · load-post-new.php · includes\mstw-tr-admin.php:409
  • action · option_page_capability_mstw_tr_settings · includes\mstw-tr-admin.php:463
  • action · edit_form_after_title · includes\mstw-tr-player-cpt-admin.php:28
  • action · do_meta_boxes · includes\mstw-tr-player-cpt-admin.php:46
  • action · admin_head-post-new.php · includes\mstw-tr-player-cpt-admin.php:60
  • action · admin_head-post.php · includes\mstw-tr-player-cpt-admin.php:61
  • filter · admin_post_thumbnail_html · includes\mstw-tr-player-cpt-admin.php:68
  • action · add_meta_boxes_mstw_tr_player · includes\mstw-tr-player-cpt-admin.php:91
  • action · save_post_mstw_tr_player · includes\mstw-tr-player-cpt-admin.php:321
  • filter · manage_edit-mstw_tr_player_columns · includes\mstw-tr-player-cpt-admin.php:398
  • action · manage_mstw_tr_player_posts_custom_column · includes\mstw-tr-player-cpt-admin.php:428
  • filter · manage_edit-mstw_tr_player_sortable_columns · includes\mstw-tr-player-cpt-admin.php:499
  • action · restrict_manage_posts · includes\mstw-tr-player-cpt-admin.php:519
  • filter · request · includes\mstw-tr-player-cpt-admin.php:572
  • action · save_post_mstw_tr_player · includes\mstw-tr-team-roster-admin-class.php:862
  • action · mstw_tr_team_add_form_fields · includes\mstw-tr-team-tax-admin-class.php:55
  • action · mstw_tr_team_edit_form_fields · includes\mstw-tr-team-tax-admin-class.php:58
  • action · init · mstw-team-rosters.php:23
  • filter · single_template · mstw-team-rosters.php:63
  • filter · taxonomy_template · mstw-team-rosters.php:68
  • action · init · mstw-team-rosters.php:88
  • filter · wp_head · mstw-team-rosters.php:386
  • action · init · mstw-team-rosters.php:541
  • action · wp_enqueue_scripts · mstw-team-rosters.php:598
  • action · after_setup_theme · mstw-team-rosters.php:690

Maintenance & Trust

Team Rosters Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.8.5
  • Last updated: Aug 28, 2025
  • PHP min version: 5.6
  • Downloads: 35K

Community Trust

  • Rating: 96/100
  • Number of ratings: 20
  • Active installs: 200
Developer Profile

Team Rosters Developer Profile

Mark O'Donnell

7 plugins · 550 total installs

  • Trust score: 68
  • Avg Security Score: 84/100
  • Avg Patch Time: 158 days
Detection Fingerprints

How We Detect Team Rosters

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/team-rosters/includes/mstw-utility-functions.php
  • /wp-content/plugins/team-rosters/includes/mstw-tr-utility-functions.php
  • /wp-content/plugins/team-rosters/includes/mstw-tr-roster-table.php
  • /wp-content/plugins/team-rosters/includes/mstw-tr-roster-tables-class.php
  • /wp-content/plugins/team-rosters/includes/mstw-tr-roster-gallery.php
  • /wp-content/plugins/team-rosters/includes/mstw-tr-cpts.php
  • /wp-content/plugins/team-rosters/includes/mstw-tr-admin.php

HTML / DOM Fingerprints

Shortcode Output
[mstw-tr-gallery] [mstw_tr_gallery] [mstw-tr-roster] [mstw_tr_roster]
FAQ

Frequently Asked Questions about Team Rosters