Timesheet by BestWebSoft Security & Risk Analysis

wordpress.org/plugins/timesheet

Best timesheet plugin for WordPress. Track employee time, streamline attendance and generate reports.

90 active installs · v1.1.6 · PHP + WP 5.6+ · Updated Jun 9, 2025

Tags: my-schedule, organise-schedule, schedule, timesheet, timesheet-plugin

Score: 100 (A · Safe)
CVEs total: 1
Unpatched: 0
Last CVE: Apr 17, 2017
Safety Verdict

Is Timesheet by BestWebSoft Safe to Use in 2026?

Generally Safe

Score 100/100

Timesheet by BestWebSoft has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Apr 17, 2017 · Updated 9mo ago
Risk Assessment

The "timesheet" plugin version 1.1.6 exhibits a generally strong security posture based on the static analysis. The plugin has a moderate attack surface consisting of 6 AJAX handlers, all of which are reported to have authentication checks. The code demonstrates good practices with a high percentage of SQL queries utilizing prepared statements (65%) and an excellent rate of output escaping (96%). Furthermore, the absence of critical or high-severity taint analysis findings and dangerous functions is a positive indicator. The plugin also correctly implements nonce checks in 26 instances and capability checks in 3. However, a single medium-severity Cross-Site Scripting (XSS) vulnerability recorded in its history, although now patched, suggests a past weakness in input sanitization or output escaping that warrants attention. The 2 cron events and 2 file operations, while not flagged as problematic in this analysis, are entry points that should always be closely monitored for future releases. The plugin's strength lies in its implementation of fundamental security checks like nonce and capability checks, alongside robust SQL and output handling. The weakness is the historical presence of an XSS vulnerability, indicating a potential for less stringent input validation in the past.

Key Concerns

  • Historical medium severity XSS vulnerability
  • SQL queries using prepared statements < 100%
Vulnerabilities
1

Timesheet by BestWebSoft Security Vulnerabilities

CVEs by Year

1 CVE in 2017

Severity Breakdown

Medium: 1

1 total CVE

CVE-2017-18590 (medium · 6.1): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Help Center by BestWebSoft < 0.1.5 - Reflected Cross-Site Scripting

Apr 17, 2017 · Patched in 0.1.5 (2472d)
Code Analysis
Analyzed Mar 16, 2026

Timesheet by BestWebSoft Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 18 (34 prepared)
Unescaped Output: 44 (999 escaped)
Nonce Checks: 26
Capability Checks: 3
File Operations: 2
External Requests: 6
Bundled Libraries: 0

SQL Query Safety

65% prepared (52 total queries)

Output Escaping

96% escaped (1043 total outputs)

Data Flows: All sanitized

Data Flow Analysis

11 flows
bws_add_menu_render (bws_menu\bws_menu.php:18)
Attack Surface

Timesheet by BestWebSoft Attack Surface

Entry Points: 6
Unprotected: 0

AJAX Handlers: 6

auth | wp_ajax_bws_submit_request_feature_action | bws_menu\class-bws-settings.php:1466
auth | wp_ajax_bws_submit_uninstall_reason_action | bws_menu\deactivation-form.php:433
auth | wp_ajax_tmsht_ts_update_table | timesheet.php:3434
auth | wp_ajax_tmsht_ts_update_advanced_container | timesheet.php:3436
auth | wp_ajax_tmsht_ts_update_report_table | timesheet.php:3438
auth | wp_ajax_tmsht_ts_update_report_users | timesheet.php:3440
WordPress Hooks: 21

filter | load_textdomain_mofile | bws_menu\bws_functions.php:43
filter | mce_external_plugins | bws_menu\bws_functions.php:1146
filter | mce_buttons | bws_menu\bws_functions.php:1147
action | admin_init | bws_menu\bws_functions.php:1433
action | admin_enqueue_scripts | bws_menu\bws_functions.php:1434
action | admin_head | bws_menu\bws_functions.php:1435
action | admin_footer | bws_menu\bws_functions.php:1436
action | admin_notices | bws_menu\bws_functions.php:1438
action | wp_enqueue_scripts | bws_menu\bws_functions.php:1440
action | admin_menu | timesheet.php:3415
action | plugins_loaded | timesheet.php:3417
action | init | timesheet.php:3418
action | admin_init | timesheet.php:3419
action | admin_enqueue_scripts | timesheet.php:3421
action | tmsht_clear_period_timesheet | timesheet.php:3423
action | delete_user | timesheet.php:3425
filter | plugin_action_links | timesheet.php:3427
filter | plugin_row_meta | timesheet.php:3428
action | admin_notices | timesheet.php:3429
action | tmsht_reminder_to_email | timesheet.php:3431
filter | cron_schedules | timesheet.php:3432

Scheduled Events 2

tmsht_clear_period_timesheet
tmsht_reminder_to_email
Maintenance & Trust

Timesheet by BestWebSoft Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Jun 9, 2025
PHP min version:
Downloads: 13K

Community Trust

Rating: 54/100
Number of ratings: 6
Active installs: 90
Developer Profile

Timesheet by BestWebSoft Developer Profile

bestweblayout

32 plugins · 17K total installs

Trust score: 78
Avg Security Score: 98/100
Avg Patch Time: 1944 days
Detection Fingerprints

How We Detect Timesheet by BestWebSoft

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/timesheet/assets/css/style.css
/wp-content/plugins/timesheet/assets/css/admin-style.css
/wp-content/plugins/timesheet/assets/js/moment.min.js
/wp-content/plugins/timesheet/assets/js/script.js
/wp-content/plugins/timesheet/assets/js/admin-script.js
Script Paths
/wp-content/plugins/timesheet/assets/js/moment.min.js
/wp-content/plugins/timesheet/assets/js/script.js
/wp-content/plugins/timesheet/assets/js/admin-script.js
Version Parameters
timesheet/assets/css/style.css?ver=
timesheet/assets/css/admin-style.css?ver=
timesheet/assets/js/moment.min.js?ver=
timesheet/assets/js/script.js?ver=
timesheet/assets/js/admin-script.js?ver=

HTML / DOM Fingerprints

CSS Classes
tmsht-container
tmsht-wrap
tmsht-main-content
tmsht-page-title
tmsht-add-entry-form
tmsht-entry-list
tmsht-report-filters
tmsht-team-table
HTML Comments
<!-- Admin Bar Menu -->
<!-- START: Timesheet Settings Form -->
<!-- END: Timesheet Settings Form -->
Data Attributes
data-tmsht-action
data-tmsht-id
data-tmsht-entry-date
data-tmsht-legend-id
JS Globals
tmsht_ajax_object
tmsht_settings
REST Endpoints
/wp-json/timesheet/v1/entries
/wp-json/timesheet/v1/legends
/wp-json/timesheet/v1/users
Shortcode Output
<div class="tmsht-shortcode-timesheet">
<div class="tmsht-daily-view">
FAQ

Frequently Asked Questions about Timesheet by BestWebSoft