Ultimate FAQ Accordion Plugin Security & Risk Analysis

wordpress.org/plugins/ultimate-faqs

Full-featured FAQ and accordion plugin with advanced search, simple UI and easy-to-use FAQ blocks and shortcodes.

30K active installs · v2.4.7 · PHP 7.4+ · WP 6.0+ · Updated Mar 2, 2026
Tags: faq, faq-block, faq-shortcode, faqs, woocommerce-faq
Score: 89 (A · Safe)
CVEs total: 6
Unpatched: 0
Last CVE: Nov 8, 2025

Safety Verdict

Is Ultimate FAQ Accordion Plugin Safe to Use in 2026?

Generally Safe

Score 89/100

Ultimate FAQ Accordion Plugin has a strong security track record. Known vulnerabilities have been patched promptly.

6 known CVEs · Last CVE: Nov 8, 2025 · Updated 1mo ago

Risk Assessment

The 'ultimate-faqs' plugin v2.4.7 demonstrates several positive security practices, including 100% of SQL queries using prepared statements and a high percentage (86%) of properly escaped output. The static analysis shows no critical or high severity taint flows, indicating that the developers have likely addressed common input sanitization issues. The plugin also implements a good number of nonce and capability checks across its AJAX handlers and other entry points, with no unprotected entry points identified in the static analysis.

However, the plugin's vulnerability history is a significant concern. Its 6 known CVEs, one critical and five medium severity, suggest a pattern of past security weaknesses. The nature of these past vulnerabilities (CSRF, Missing Authorization, XSS) points to recurring issues in how the plugin handles user input and authorization. The fact that a vulnerability was reported as recently as 2025-11-08, even though it is patched in the version analyzed (fixed in 2.4.4), indicates a need for ongoing vigilance and prompt patching of new discoveries. While the current version shows improvement in static analysis, the historical context warrants a cautious approach.

In conclusion, while v2.4.7 of 'ultimate-faqs' appears to have improved its static security posture with robust SQL handling and output escaping, the past record of significant vulnerabilities, particularly a critical one and multiple medium ones, cannot be overlooked. This historical pattern, coupled with the presence of file operations and external HTTP requests (though not flagged as risky in static analysis alone), suggests that users should remain aware of potential risks and ensure they are always running the latest patched version of the plugin to mitigate the historical trend of vulnerabilities.

Key Concerns

  • Significant historical vulnerability count
  • Presence of 1 critical historical CVE
  • Presence of 5 medium historical CVEs
  • File operations detected
  • External HTTP requests detected

Vulnerabilities: 6

Ultimate FAQ Accordion Plugin Security Vulnerabilities

CVEs by Year

  • 2019: 3 CVEs
  • 2020: 1 CVE
  • 2021: 1 CVE
  • 2025: 1 CVE

Severity Breakdown

  • Critical: 1
  • Medium: 5

6 total CVEs

CVE-2025-67590 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Ultimate FAQ <= 2.4.3 - Cross-Site Request Forgery

Nov 8, 2025 · Patched in 2.4.4 (34d)

CVE-2021-24968 · medium · 5.7 · Missing Authorization

Ultimate FAQ <= 2.1.1 - Missing Authorization to Arbitrary FAQ Creation

Dec 27, 2021 · Patched in 2.1.2 (757d)

CVE-2020-7107 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ultimate FAQ <= 1.8.29 - Reflected Cross-Site Scripting

Jan 6, 2020 · Patched in 1.8.30 (1478d)

CVE-2019-17233 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ultimate FAQ <= 1.8.24 - Cross-Site Scripting

Sep 20, 2019 · Patched in 1.8.25 (1586d)

CVE-2019-17232 · critical · 9.1 · Missing Authorization

Ultimate FAQ <= 1.8.24 - Unauthenticated Options Import/Export

Sep 20, 2019 · Patched in 1.8.25 (1586d)

CVE-2019-15643 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ultimate Faqs <= 1.8.21 - Cross-Site Scripting

May 8, 2019 · Patched in 1.8.22 (1721d)

Code Analysis
Analyzed Mar 16, 2026

Ultimate FAQ Accordion Plugin Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (7 prepared)
  • Unescaped Output: 92 (554 escaped)
  • Nonce Checks: 23
  • Capability Checks: 18
  • File Operations: 1
  • External Requests: 1
  • Bundled Libraries: 0

SQL Query Safety

100% prepared · 7 total queries

Output Escaping

86% escaped · 646 total outputs

Data Flows: All sanitized

Data Flow Analysis

5 flows
<faqs-shortcode-args> (ewd-ufaq-templates\faqs-shortcode-args.php:0)
Attack Surface

Ultimate FAQ Accordion Plugin Attack Surface

Entry Points: 32
Unprotected: 0

AJAX Handlers 25

auth wp_ajax_ewd_ufaq_send_feature_suggestion includes\AboutUs.class.php:14
auth wp_ajax_ewd_ufaq_ai_retrieve_faqs includes\AIAssist.class.php:19
auth wp_ajax_ewd_ufaq_ai_publish_faqs includes\AIAssist.class.php:20
auth wp_ajax_ewd_ufaq_search includes\Ajax.class.php:14
nopriv wp_ajax_ewd_ufaq_search includes\Ajax.class.php:15
auth wp_ajax_ewd_ufaq_record_search_term includes\Ajax.class.php:17
nopriv wp_ajax_ewd_ufaq_record_search_term includes\Ajax.class.php:18
auth wp_ajax_ewd_ufaq_reset_saved_search_terms includes\Ajax.class.php:20
auth wp_ajax_ewd_ufaq_record_view includes\Ajax.class.php:22
nopriv wp_ajax_ewd_ufaq_record_view includes\Ajax.class.php:23
auth wp_ajax_ewd_ufaq_update_rating includes\Ajax.class.php:25
nopriv wp_ajax_ewd_ufaq_update_rating includes\Ajax.class.php:26
auth wp_ajax_ewd_ufaq_update_faq_order includes\Ajax.class.php:28
auth wp_ajax_ewd_ufaq_update_category_order includes\Ajax.class.php:30
auth wp_ajax_ewd_ufaq_welcome_add_category includes\InstallationWalkthrough.class.php:19
auth wp_ajax_ewd_ufaq_welcome_add_faq includes\InstallationWalkthrough.class.php:20
auth wp_ajax_ewd_ufaq_welcome_add_faq_page includes\InstallationWalkthrough.class.php:21
auth wp_ajax_ewd_ufaq_welcome_set_options includes\InstallationWalkthrough.class.php:22
auth wp_ajax_ewd_ufaq_hide_review_ask includes\ReviewAsk.class.php:16
auth wp_ajax_ewd_ufaq_send_feedback includes\ReviewAsk.class.php:17
auth wp_ajax_ewd_ufaq_add_wc_faqs includes\WooCommerce.class.php:19
auth wp_ajax_ewd_ufaq_delete_wc_faqs includes\WooCommerce.class.php:20
auth wp_ajax_ewd_ufaq_wc_faq_category includes\WooCommerce.class.php:21
auth wp_ajax_ewd_ufaq_hide_helper_notice ultimate-faqs.php:186
auth wp_ajax_ewd_ufaq_hide_new_plugin_notice ultimate-faqs.php:187

Shortcodes 7

[ultimate-faqs] includes\template-functions.php:70
[ultimate-faq-search] includes\template-functions.php:128
[submit-question] includes\template-functions.php:189
[select-faq] includes\template-functions.php:243
[popular-faqs] includes\template-functions.php:265
[recent-faqs] includes\template-functions.php:286
[top-rated-faqs] includes\template-functions.php:307

WordPress Hooks 82

action admin_menu includes\AboutUs.class.php:16
action admin_enqueue_scripts includes\AIAssist.class.php:14
action admin_footer-edit.php includes\AIAssist.class.php:17
action init includes\Blocks.class.php:14
filter block_categories_all includes\Blocks.class.php:16
action current_screen includes\Blocks.class.php:112
action admin_init includes\CustomPostTypes.class.php:17
action init includes\CustomPostTypes.class.php:18
action add_meta_boxes includes\CustomPostTypes.class.php:21
action save_post includes\CustomPostTypes.class.php:22
action post_edit_form_tag includes\CustomPostTypes.class.php:23
filter manage_ufaq_posts_columns includes\CustomPostTypes.class.php:26
action manage_ufaq_posts_custom_column includes\CustomPostTypes.class.php:27
filter manage_edit-ufaq_sortable_columns includes\CustomPostTypes.class.php:28
filter request includes\CustomPostTypes.class.php:29
filter parse_query includes\CustomPostTypes.class.php:30
filter restrict_manage_posts includes\CustomPostTypes.class.php:31
filter posts_clauses includes\CustomPostTypes.class.php:32
filter bulk_actions-edit-ufaq includes\CustomPostTypes.class.php:35
filter handle_bulk_actions-edit-ufaq includes\CustomPostTypes.class.php:36
action pre_post_update includes\CustomPostTypes.class.php:39
action admin_menu includes\Dashboard.class.php:16
action current_screen includes\DeactivationSurvey.class.php:13
action admin_enqueue_scripts includes\DeactivationSurvey.class.php:18
action admin_footer includes\DeactivationSurvey.class.php:19
action admin_menu includes\InstallationWalkthrough.class.php:13
action admin_head includes\InstallationWalkthrough.class.php:14
action admin_init includes\InstallationWalkthrough.class.php:15
action admin_head includes\InstallationWalkthrough.class.php:17
action ewd_ufaq_insert_faq includes\Notifications.class.php:15
action ewd_ufaq_insert_faq includes\Notifications.class.php:16
action admin_menu includes\OrderingTable.class.php:14
action init includes\Patterns.class.php:18
action init includes\Patterns.class.php:19
action admin_notices includes\ReviewAsk.class.php:14
action admin_enqueue_scripts includes\ReviewAsk.class.php:19
action init includes\Settings.class.php:25
action init includes\Settings.class.php:27
filter uwpm_register_custom_element_section includes\UltimateWPMail.class.php:14
action uwpm_register_custom_element includes\UltimateWPMail.class.php:15
action widgets_init includes\Widgets.class.php:7
action widgets_init includes\Widgets.class.php:8
action widgets_init includes\Widgets.class.php:9
action widgets_init includes\Widgets.class.php:10
action widgets_init includes\Widgets.class.php:11
action admin_enqueue_scripts includes\WooCommerce.class.php:14
filter woocommerce_product_data_tabs includes\WooCommerce.class.php:16
action woocommerce_product_data_panels includes\WooCommerce.class.php:17
action plugins_loaded includes\WooCommerce.class.php:23
filter woocommerce_product_tabs includes\WooCommerce.class.php:33
action woocommerce_before_add_to_cart_button includes\WooCommerce.class.php:34
action woocommerce_after_add_to_cart_button includes\WooCommerce.class.php:35
action woocommerce_after_single_product_summary includes\WooCommerce.class.php:36
action woocommerce_after_single_product includes\WooCommerce.class.php:37
filter wpforms_builder_settings_sections includes\WPForms.class.php:14
action wpforms_form_settings_panel_content includes\WPForms.class.php:15
action wpforms_frontend_output_before includes\WPForms.class.php:17
action wpforms_display_field_before includes\WPForms.class.php:19
action wpforms_display_field_after includes\WPForms.class.php:20
action wp_enqueue_scripts includes\WPForms.class.php:22
filter ewd_ufaq_admin_menu ultimate-faqs.php:158
filter init ultimate-faqs.php:160
filter query_vars ultimate-faqs.php:161
filter redirect_canonical ultimate-faqs.php:162
filter the_content ultimate-faqs.php:164
filter the_content ultimate-faqs.php:165
action wp_footer ultimate-faqs.php:166
action init ultimate-faqs.php:168
action plugins_loaded ultimate-faqs.php:170
action admin_notices ultimate-faqs.php:172
action admin_notices ultimate-faqs.php:173
action admin_notices ultimate-faqs.php:174
action admin_notices ultimate-faqs.php:175
action admin_init ultimate-faqs.php:177
action admin_enqueue_scripts ultimate-faqs.php:179
action wp_enqueue_scripts ultimate-faqs.php:180
action wp_head ultimate-faqs.php:181
action wp_footer ultimate-faqs.php:182
filter plugin_action_links ultimate-faqs.php:184
action before_woocommerce_init ultimate-faqs.php:189
filter wp_kses_allowed_html views\View.FAQ.class.php:208
filter siteorigin_panels_filter_content_enabled views\View.FAQ.class.php:742

Maintenance & Trust

Ultimate FAQ Accordion Plugin Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Mar 2, 2026
  • PHP min version: 7.4
  • Downloads: 2.2M

Community Trust

  • Rating: 92/100
  • Number of ratings: 433
  • Active installs: 30K

Developer Profile

Ultimate FAQ Accordion Plugin Developer Profile

Rustaurius

21 plugins · 66K total installs

  • Trust score: 72
  • Avg Security Score: 90/100
  • Avg Patch Time: 705 days
Detection Fingerprints

How We Detect Ultimate FAQ Accordion Plugin

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/ultimate-faqs/assets/css/ewd-ufaq-styles.css
  • /wp-content/plugins/ultimate-faqs/assets/css/ewd-ufaq-frontend.css
  • /wp-content/plugins/ultimate-faqs/assets/js/ewd-ufaq-frontend.js
  • /wp-content/plugins/ultimate-faqs/assets/js/ewd-ufaq-backend.js
  • /wp-content/plugins/ultimate-faqs/assets/css/jquery.atwho.css
  • /wp-content/plugins/ultimate-faqs/assets/js/jquery.atwho.js
  • /wp-content/plugins/ultimate-faqs/assets/js/jquery.caret.min.js
  • /wp-content/plugins/ultimate-faqs/assets/js/jquery.tag-it.js
  • +1 more

Script Paths
  • /wp-content/plugins/ultimate-faqs/assets/js/ewd-ufaq-frontend.js
  • /wp-content/plugins/ultimate-faqs/assets/js/ewd-ufaq-backend.js

Version Parameters
  • ultimate-faqs/assets/css/ewd-ufaq-styles.css?ver=
  • ultimate-faqs/assets/css/ewd-ufaq-frontend.css?ver=
  • ultimate-faqs/assets/js/ewd-ufaq-frontend.js?ver=
  • ultimate-faqs/assets/js/ewd-ufaq-backend.js?ver=
  • ultimate-faqs/assets/css/jquery.atwho.css?ver=
  • ultimate-faqs/assets/js/jquery.atwho.js?ver=
  • ultimate-faqs/assets/js/jquery.caret.min.js?ver=
  • ultimate-faqs/assets/js/jquery.tag-it.js?ver=
  • ultimate-faqs/assets/css/tag-it.css?ver=

HTML / DOM Fingerprints

CSS Classes
  • ewd-ufaq-container
  • ewd-ufaq-header
  • ewd-ufaq-search
  • ewd-ufaq-search-input
  • ewd-ufaq-accordion
  • ewd-ufaq-question
  • ewd-ufaq-answer
  • ewd-ufaq-category-title
  • +1 more

HTML Comments
  • <!-- EWD UVP -->
  • <!-- EWD UVP End -->

Data Attributes
  • data-ewd-ufaq-id
  • data-ewd-ufaq-category-id
  • data-ewd-ufaq-category-slug

JS Globals
  • ewd_ufaq_php_js_data

REST Endpoints
  • /wp-json/ewd-ufaq/v1/search

Shortcode Output
  • [ultimate-faqs
  • [ufaq

FAQ

Frequently Asked Questions about Ultimate FAQ Accordion Plugin