Does Ultimate Post List have any unpatched vulnerabilities?

No published vulnerabilities and no findings under coordinated disclosure as of the latest data update. Always keep the plugin updated to the latest version.

Is Ultimate Post List compatible with WordPress 7.0?

According to WordPress.org data, Ultimate Post List 5.2.7.1 has been tested up to WordPress 7.0. Check the plugin's changelog for the latest compatibility information.

Is Ultimate Post List compatible with PHP 5.2+?

Ultimate Post List requires PHP 5.2 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Ultimate Post List updated?

Ultimate Post List was last updated on Apr 15, 2026. Frequent updates are generally a positive security signal.

What is Ultimate Post List's security score?

Ultimate Post List has a WP-Safety security score of 100/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Ultimate Post List Security & Risk Analysis

wordpress.org/plugins/ultimate-post-list

Make up custom-tailored preview lists of the contents easily and place them in widget areas and post contents.

2K active installs v5.2.7.1 PHP 5.2+ WP 4.0+ Updated Apr 15, 2026

featured-imageload-morepost-listshortcodewidget

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is Ultimate Post List Safe to Use in 2026?

Generally Safe

Score 100/100

Ultimate Post List has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 1mo ago

Risk Assessment

The 'ultimate-post-list' plugin v5.2.7.1 exhibits a mixed security posture. While it demonstrates good practices in SQL query handling with 100% prepared statements and a substantial 86% of outputs being properly escaped, there are significant concerns regarding its attack surface. The presence of two AJAX handlers without authentication checks is a critical vulnerability, as these entry points could be exploited by unauthenticated users. The use of the `unserialize` function is another potential risk, as it can lead to Remote Code Execution if the serialized data is controlled by an attacker and not properly validated. Fortunately, the plugin has no recorded CVEs, indicating a historically stable security record. However, the lack of known vulnerabilities doesn't negate the immediate risks posed by the unprotected AJAX endpoints and the `unserialize` function, which require immediate attention for robust security.

Key Concerns

AJAX handlers without authentication
Dangerous function 'unserialize' used

Vulnerabilities

None known

Ultimate Post List Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Version History

Ultimate Post List Release Timeline

v5.2.7.1Current

v5.2.7

v5.2.6

v5.2.5

v5.2.4

v5.2.3

v5.2.2

v5.2.1

v5.2.0

v5.1.2

v5.1.1

v5.1.0

v5.0.0

Code Analysis

Analyzed Mar 16, 2026

Ultimate Post List Code Analysis

Dangerous Functions

Raw SQL Queries

2 prepared

Unescaped Output

105 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Dangerous Functions Found

unserializeupdate_post_meta( $new_list_id, $meta_data, unserialize( $meta_text ) );includes\class-Ultimate_Post_List_Admin.php:893

SQL Query Safety

100% prepared2 total queries

Output Escaping

86% escaped122 total outputs

Data Flows · Security

All sanitized

Data Flow Analysis

1 flows

<class-Ultimate_Post_List_Public> (includes\class-Ultimate_Post_List_Public.php:0)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

2 unprotected

Ultimate Post List Attack Surface

Entry Points2

Unprotected2

AJAX Handlers 2

noprivwp_ajax_upl_ajax_load_moreincludes\class-Ultimate_Post_List.php:200

authwp_ajax_upl_ajax_load_moreincludes\class-Ultimate_Post_List.php:201

WordPress Hooks 16

actionwidgets_initincludes\class-Ultimate_Post_List.php:95

actionplugins_loadedincludes\class-Ultimate_Post_List.php:116

actionadmin_enqueue_scriptsincludes\class-Ultimate_Post_List.php:137

actionadmin_enqueue_scriptsincludes\class-Ultimate_Post_List.php:138

actionadmin_menuincludes\class-Ultimate_Post_List.php:141

actioninitincludes\class-Ultimate_Post_List.php:147

actionsave_postincludes\class-Ultimate_Post_List.php:150

actionadmin_noticesincludes\class-Ultimate_Post_List.php:164

actionpost_row_actionsincludes\class-Ultimate_Post_List.php:170

actionadmin_noticesincludes\class-Ultimate_Post_List.php:174

actionwp_enqueue_scriptsincludes\class-Ultimate_Post_List.php:196

actionwp_enqueue_scriptsincludes\class-Ultimate_Post_List.php:197

actionadmin_initincludes\class-Ultimate_Post_List_Widget.php:20

actionsave_postincludes\class-Ultimate_Post_List_Widget.php:21

actiondeleted_postincludes\class-Ultimate_Post_List_Widget.php:22

actionswitch_themeincludes\class-Ultimate_Post_List_Widget.php:23

Maintenance & Trust

Ultimate Post List Maintenance & Trust

Maintenance Signals

WordPress version tested7.0

Last updatedApr 15, 2026

PHP min version5.2

Downloads61K

Community Trust

Rating92/100

Number of ratings12

Active installs2K

Alternatives

Ultimate Post List Alternatives

Featured Image

featured-image

Add featured image to any part of the website, on each individual post/page. Very Easy to Implement. Shortcode and widget available.

1K 1 CVE

Contact Form by BestWebSoft – Advanced WP Contact Form Builder for WordPress

contact-form-plugin

The most powerful and user-friendly WordPress contact form plugin. Create beautiful contact forms, widgets and pages using shortcodes.

30K 10 CVEs

Apollo13 Framework Extensions

apollo13-framework-extensions

Adds custom post types, shortcodes and some features that are used in themes built on Apollo13 Framework.

20K 6 CVEs

Kaya QR Code Generator

kaya-qr-code-generator

Generate QR Code through Widgets and Shortcodes, without any dependencies.

20K 2 CVEs

Developer Profile

Ultimate Post List Developer Profile

Kybernetik Services

10 plugins · 167K total installs

100

trust score

Avg Security Score

100/100

Avg Patch Time

1 days

View full developer profile

Detection Fingerprints

How We Detect Ultimate Post List

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/ultimate-post-list/public/css/ultimate-post-list-public.css/wp-content/plugins/ultimate-post-list/public/js/ultimate-post-list-public.js/wp-content/plugins/ultimate-post-list/admin/css/ultimate-post-list-admin.css/wp-content/plugins/ultimate-post-list/admin/js/ultimate-post-list-admin.js

Script Paths

/wp-content/plugins/ultimate-post-list/public/js/ultimate-post-list-public.js/wp-content/plugins/ultimate-post-list/admin/js/ultimate-post-list-admin.js

Version Parameters

ultimate-post-list-public.css?ver=ultimate-post-list-public.js?ver=ultimate-post-list-admin.css?ver=ultimate-post-list-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes

upl-display-wrapperupl-frontendupl-post-list-widgetupl-entry-title

HTML Comments

Data Attributes

data-upl-widget-iddata-upl-post-id

JS Globals

upl_admin_paramsultimate_post_list_frontend_params

REST Endpoints

/wp-json/ultimate-post-list/v1/settings

Shortcode Output

[ultimate_post_list

FAQ