Does UB Ultimate Post List have any unpatched vulnerabilities?

No. All known vulnerabilities in UB Ultimate Post List have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is UB Ultimate Post List compatible with WordPress 5.4.19?

According to WordPress.org data, UB Ultimate Post List 1.0.0 has been tested up to WordPress 5.4.19. Check the plugin's changelog for the latest compatibility information.

How often is UB Ultimate Post List updated?

UB Ultimate Post List was last updated on Jun 8, 2020. Frequent updates are generally a positive security signal.

What is UB Ultimate Post List's security score?

UB Ultimate Post List has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

UB Ultimate Post List Security & Risk Analysis

wordpress.org/plugins/ub-ultimate-post-list

This plugin registers a block named "Ultimate Post List" which can be used for dynamic listing of selected posts of all custom post types and default post type "Post".

10 active installs v1.0.0 PHP + WP 5.0.1+ Updated Jun 8, 2020

custom-post-listcustom-post-typedynamic-post-listgutenberglist

A · Safe

CVEs total0

Unpatched0

Last CVENever

Download

Safety Verdict

Is UB Ultimate Post List Safe to Use in 2026?

Generally Safe

Score 85/100

UB Ultimate Post List has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 5yr ago

Risk Assessment

The plugin 'ub-ultimate-post-list' v1.0.0 presents a mixed security posture. On the positive side, the absence of dangerous functions, file operations, external HTTP requests, and the use of prepared statements for all SQL queries indicate good security practices in those areas. The plugin also boasts a clean vulnerability history with no recorded CVEs.

However, significant concerns arise from the attack surface analysis. The plugin exposes two REST API routes without any permission callbacks, meaning these endpoints are accessible and executable by unauthenticated users. This represents a substantial risk, as attackers could potentially interact with these routes to trigger unintended actions or expose sensitive information.

Furthermore, the output escaping is only partially implemented, with 36% of outputs properly escaped. This leaves a significant portion of the plugin's output vulnerable to cross-site scripting (XSS) attacks, especially when combined with the unprotected REST API endpoints. The lack of nonce checks and capability checks on the identified entry points exacerbates these risks.

Key Concerns

REST API routes without permission callbacks
Low percentage of properly escaped output
No nonce checks on entry points
No capability checks on entry points

Vulnerabilities

None known

UB Ultimate Post List Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 17, 2026

UB Ultimate Post List Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

4 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

36% escaped11 total outputs

Attack Surface

2 unprotected

UB Ultimate Post List Attack Surface

Entry Points2

Unprotected2

REST API Routes 2

GET/wp-json/post_type/v1/post_data/admin\class-ub-ultimate-post-list-admin.php:105

GET/wp-json/post_type/v1/post_list/admin\class-ub-ultimate-post-list-admin.php:109

WordPress Hooks 7

actionplugins_loadedincludes\class-ub-ultimate-post-list.php:142

actionadmin_enqueue_scriptsincludes\class-ub-ultimate-post-list.php:157

actionadmin_enqueue_scriptsincludes\class-ub-ultimate-post-list.php:158

actionrest_api_initincludes\class-ub-ultimate-post-list.php:159

actioninitincludes\class-ub-ultimate-post-list.php:160

actionwp_enqueue_scriptsincludes\class-ub-ultimate-post-list.php:174

actionwp_enqueue_scriptsincludes\class-ub-ultimate-post-list.php:175

Maintenance & Trust

UB Ultimate Post List Maintenance & Trust

Maintenance Signals

WordPress version tested5.4.19

Last updatedJun 8, 2020

PHP min version

Downloads942

Community Trust

Rating100/100

Number of ratings2

Active installs10

Alternatives

UB Ultimate Post List Alternatives

Latest Posts Block – Dynamic Posts Grid, Posts List, Posts Tile with Stunning Layouts for WordPress Blogs & Pages

latest-posts-block-lite

100

Dynamic Posts Grid, Posts List, Posts Tile with Stunning Layouts for WordPress Blogs & Pages

8K No CVEs

JS Archive List

jquery-archive-list-widget

A JS widget (can be used in posts) for displaying an archive list with some effects.

3K 4 CVEs

W4 Post List

w4-post-list

W4 Post List lets you create a list of posts, terms, users or a combined one. Decorate output using shortcodes. It's just easy and fun.

3K 5 CVEs

Vimeotheque – Vimeo WordPress Plugin & Video Gallery

codeflavors-vimeo-video-post-lite

Import & embed Vimeo in WordPress. Create video galleries & playlists, auto-sync showcases. Gutenberg blocks & Elementor support.

2K 3 CVEs

Events Block For The Events Calendar

events-block-for-the-events-calendar

100

The Events Block for The Events Calendar lets you showcase your events from The Events Calendar right within the Gutenberg pages.

2K No CVEs

Developer Profile

UB Ultimate Post List Developer Profile

Umang Bhanvadia

3 plugins · 120 total installs

trust score

Avg Security Score

95/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect UB Ultimate Post List

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/ub-ultimate-post-list/css/style.css/wp-content/plugins/ub-ultimate-post-list/css/ultimate-post-list-admin.css/wp-content/plugins/ub-ultimate-post-list/js/block.js/wp-content/plugins/ub-ultimate-post-list/js/editor.js/wp-content/plugins/ub-ultimate-post-list/js/script.js/wp-content/plugins/ub-ultimate-post-list/build/index.js

Script Paths

/wp-content/plugins/ub-ultimate-post-list/js/block.js/wp-content/plugins/ub-ultimate-post-list/js/editor.js/wp-content/plugins/ub-ultimate-post-list/js/script.js/wp-content/plugins/ub-ultimate-post-list/build/index.js

Version Parameters

ub-ultimate-post-list/css/style.css?ver=ub-ultimate-post-list/css/ultimate-post-list-admin.css?ver=ub-ultimate-post-list/js/block.js?ver=ub-ultimate-post-list/js/editor.js?ver=ub-ultimate-post-list/js/script.js?ver=ub-ultimate-post-list/build/index.js?ver=

HTML / DOM Fingerprints

CSS Classes

post-<?php echo $postLayout; ?>col-thumbnailpost-itempost-featured-imgpost-detailsdate-detailsdate-time-arearead-more+1 more

Data Attributes

data-post-typedata-post-iddata-post-layoutdata-post-per-pagedata-display-post-thumbnaildata-display-post-excerpt+6 more

REST Endpoints

/wp-json/ub-ultimate-post-list/v1/post-types/wp-json/ub-ultimate-post-list/v1/posts

Shortcode Output

<div class="post-<?php echo $postLayout; ?> col-thumbnail <?php echo $attributes['className'];?>">

FAQ