Todo by Aavoya Security & Risk Analysis

wordpress.org/plugins/todo-by-aavoya

A simple plugin to manage small projects; it can also be used as a todo list.

0 active installs · v22.7 · PHP 7.4.1+ · WP 4.7+ · Updated Jul 20, 2022
Tags: task-management, to-do-list, to-do, todo, todo-list

Score: 85
Grade: A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Todo by Aavoya Safe to Use in 2026?

Generally Safe

Score 85/100

Todo by Aavoya has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 3yr ago
Risk Assessment

The 'todo-by-aavoya' v22.7 plugin exhibits a generally strong security posture with several good practices in place. The absence of any known CVEs and a clean vulnerability history over time are positive indicators. The plugin also demonstrates a commitment to secure coding by using prepared statements for all SQL queries and implementing a significant number of nonce checks, contributing to the integrity of its AJAX operations.

However, the static analysis does reveal potential areas of concern. The presence of the `unserialize` function, especially when not coupled with robust input validation or sanitization, can be a significant security risk, potentially leading to Remote Code Execution if attacker-controlled serialized data is processed. Furthermore, a relatively low percentage (44%) of properly escaped output suggests that cross-site scripting (XSS) vulnerabilities might exist, allowing attackers to inject malicious scripts into the user interface. While the attack surface appears protected by authentication and capability checks, the limited number of capability checks (only 1) across its 48 AJAX handlers is a weakness. A more granular approach to permission checking would enhance security.

In conclusion, while the plugin has a solid foundation with its SQL practices and nonce implementation, the use of `unserialize` and the moderate output escaping rate present tangible risks. The vulnerability history is reassuring, but these code-level concerns warrant attention to prevent potential exploitation. Strengthening capability checks and addressing the identified output escaping and `unserialize` risks would significantly improve its overall security.

Key Concerns

  • Dangerous function: unserialize used
  • Low percentage of properly escaped output
  • Low number of capability checks
Vulnerabilities
None known

Todo by Aavoya Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

Todo by Aavoya Code Analysis

Dangerous Functions: 6
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 75 (60 escaped)
Nonce Checks: 30
Capability Checks: 1
File Operations: 2
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

Function | Code | Location
unserialize | $aau = unserialize($aau); | wptba\Backend\AauAjax.php:25
unserialize | $meta = unserialize($meta); | wptba\Frontend\Posts.php:180
unserialize | $user_meta = unserialize($user_meta); | wptba\Frontend\User.php:174
unserialize | $user_meta = unserialize($user_meta); | wptba\Frontend\User.php:224
unserialize | $user_meta = unserialize($user_meta); | wptba\Frontend\User.php:266
unserialize | $aau = unserialize(get_option('wptba_aau')); | wptba\Frontend\User.php:384

Output Escaping

44% escaped (135 total outputs)
Data Flows
All sanitized

Data Flow Analysis

17 flows
setAauWptba (wptba\Backend\AauAjax.php:32)
Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface

Todo by Aavoya Attack Surface

Entry Points: 48
Unprotected: 0

AJAX Handlers 48

Access | Hook | Location
auth | wp_ajax_setAauWptba | wptba\Backend\AauAjax.php:14
auth | wp_ajax_getAauWptba | wptba\Backend\AauAjax.php:15
auth | wp_ajax_setAutoLogOutWptba | wptba\Backend\AloAjax.php:11
auth | wp_ajax_getAutoLogOutWptba | wptba\Backend\AloAjax.php:12
auth | wp_ajax_setKeyWptba | wptba\Backend\KeyAjax.php:17
auth | wp_ajax_getKetKeyWptba | wptba\Backend\KeyAjax.php:18
auth | wp_ajax_wptbaUploadImage | wptba\Backend\Posts.php:18
auth | wp_ajax_wptbaGetAttachment | wptba\Backend\Posts.php:19
auth | wp_ajax_wptbaGetAttachmentId | wptba\Backend\Posts.php:20
auth | wp_ajax_wptbaGetPendingUsers | wptba\Backend\User.php:12
auth | wp_ajax_wptbaPostToUser | wptba\Backend\User.php:13
auth | wp_ajax_wptbaUserPostDelete | wptba\Backend\User.php:14
nopriv | wp_ajax_wptbaGetPosts | wptba\Frontend\Posts.php:15
auth | wp_ajax_wptbaGetPosts | wptba\Frontend\Posts.php:16
nopriv | wp_ajax_wptbaAddPost | wptba\Frontend\Posts.php:18
auth | wp_ajax_wptbaAddPost | wptba\Frontend\Posts.php:19
nopriv | wp_ajax_wptbaGetPostMeta | wptba\Frontend\Posts.php:21
auth | wp_ajax_wptbaGetPostMeta | wptba\Frontend\Posts.php:22
nopriv | wp_ajax_wptbaSetPostMeta | wptba\Frontend\Posts.php:24
auth | wp_ajax_wptbaSetPostMeta | wptba\Frontend\Posts.php:25
nopriv | wp_ajax_wptbaDeletePost | wptba\Frontend\Posts.php:27
auth | wp_ajax_wptbaDeletePost | wptba\Frontend\Posts.php:28
nopriv | wp_ajax_wptbaGetTags | wptba\Frontend\Posts.php:30
auth | wp_ajax_wptbaGetTags | wptba\Frontend\Posts.php:31
nopriv | wp_ajax_wptbaRemoveTag | wptba\Frontend\Posts.php:33
auth | wp_ajax_wptbaRemoveTag | wptba\Frontend\Posts.php:34
nopriv | wp_ajax_wptbaAddTag | wptba\Frontend\Posts.php:36
auth | wp_ajax_wptbaAddTag | wptba\Frontend\Posts.php:37
nopriv | wp_ajax_wptbaGetLogo | wptba\Frontend\Posts.php:39
auth | wp_ajax_wptbaGetLogo | wptba\Frontend\Posts.php:40
nopriv | wp_ajax_wptbaLogin | wptba\Frontend\User.php:18
auth | wp_ajax_wptbaLogin | wptba\Frontend\User.php:19
nopriv | wp_ajax_wptbaGetUserDetails | wptba\Frontend\User.php:21
auth | wp_ajax_wptbaGetUserDetails | wptba\Frontend\User.php:22
nopriv | wp_ajax_wptbaUploadDarkMode | wptba\Frontend\User.php:24
auth | wp_ajax_wptbaUploadDarkMode | wptba\Frontend\User.php:25
nopriv | wp_ajax_wptbaDownloadDarkMode | wptba\Frontend\User.php:27
auth | wp_ajax_wptbaDownloadDarkMode | wptba\Frontend\User.php:28
nopriv | wp_ajax_wptbaCheckAvailableUsername | wptba\Frontend\User.php:30
auth | wp_ajax_wptbaCheckAvailableUsername | wptba\Frontend\User.php:31
nopriv | wp_ajax_wptbaRegister | wptba\Frontend\User.php:33
auth | wp_ajax_wptbaRegister | wptba\Frontend\User.php:34
nopriv | wp_ajax_wptbaChangePassword | wptba\Frontend\User.php:39
auth | wp_ajax_wptbaChangePassword | wptba\Frontend\User.php:40
nopriv | wp_ajax_wptbaResetPassword | wptba\Frontend\User.php:42
auth | wp_ajax_wptbaResetPassword | wptba\Frontend\User.php:43
nopriv | wp_ajax_wptbaGetAllUsers | wptba\Frontend\User.php:48
auth | wp_ajax_wptbaGetAllUsers | wptba\Frontend\User.php:49
WordPress Hooks 12
Type | Hook | Location
action | plugins_loaded | todo-by-aavoya.php:40
action | admin_menu | wptba\Backend\Ui.php:20
action | admin_enqueue_scripts | wptba\Backend\Ui.php:21
action | wp_enqueue_scripts | wptba\Frontend\Enqueue.php:11
action | wp_enqueue_scripts | wptba\Frontend\Enqueue.php:12
filter | template_include | wptba\Frontend\Shortcode.php:16
filter | show_admin_bar | wptba\Frontend\Shortcode.php:29
action | admin_post_nopriv_wptba_verify_email | wptba\Frontend\User.php:36
action | admin_post_wptba_verify_email | wptba\Frontend\User.php:37
action | admin_post_nopriv_wptbaUpdatePassword | wptba\Frontend\User.php:45
action | admin_post_wptbaUpdatePassword | wptba\Frontend\User.php:46
action | init | wptba\Init\Cpt.php:13
Maintenance & Trust

Todo by Aavoya Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.0.11
Last updated: Jul 20, 2022
PHP min version: 7.4.1
Downloads: 1K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 0
Developer Profile

Todo by Aavoya Developer Profile

Pijush Gupta

3 plugins · 400 total installs

Trust score: 87
Avg Security Score: 90/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Todo by Aavoya

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/todo-by-aavoya/wptba/Backend/client/dist/main.js
/wp-content/plugins/todo-by-aavoya/wptba/Backend/client/dist/main.css
/wp-content/plugins/todo-by-aavoya/wptba/Backend/client/dist/fonts.css
/wp-content/plugins/todo-by-aavoya/wptba/Frontend/client/dist/main.css
/wp-content/plugins/todo-by-aavoya/wptba/Frontend/client/dist/fonts.css
/wp-content/plugins/todo-by-aavoya/wptba/Frontend/client/dist/main.js
Script Paths
/wp-content/plugins/todo-by-aavoya/wptba/Backend/client/dist/main.js
/wp-content/plugins/todo-by-aavoya/wptba/Frontend/client/dist/main.js
Version Parameters
todo-by-aavoya/wptba/Backend/client/dist/main.js?ver=
todo-by-aavoya/wptba/Backend/client/dist/main.css?ver=
todo-by-aavoya/wptba/Backend/client/dist/fonts.css?ver=
todo-by-aavoya/wptba/Frontend/client/dist/main.css?ver=
todo-by-aavoya/wptba/Frontend/client/dist/fonts.css?ver=
todo-by-aavoya/wptba/Frontend/client/dist/main.js?ver=

HTML / DOM Fingerprints

CSS Classes
wptba-admin-container
Data Attributes
data-wptba-dynamic-url
JS Globals
wptba_backend_nonce
wptba_backend_url
wptba_dist_path
wp_scripts
wp_styles
FAQ

Frequently Asked Questions about Todo by Aavoya