Does Ultimate Post List have any unpatched vulnerabilities?

No. All known vulnerabilities in Ultimate Post List have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Ultimate Post List compatible with WordPress 6.9.4?

According to WordPress.org data, Ultimate Post List 5.2.7.1 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

Is Ultimate Post List compatible with PHP 5.2+?

Ultimate Post List requires PHP 5.2 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Ultimate Post List updated?

Ultimate Post List was last updated on Dec 1, 2025. Frequent updates are generally a positive security signal.

What is Ultimate Post List's security score?

Ultimate Post List has a WP-Safety security score of 100/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Ultimate Post List Security & Risk Analysis

wordpress.org/plugins/ultimate-post-list

Make up custom-tailored preview lists of the contents easily and place them in widget areas and post contents.

2K active installs v5.2.7.1 PHP 5.2+ WP 4.0+ Updated Dec 1, 2025

authorsavatarscssfeatured-imagefirst-image

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is Ultimate Post List Safe to Use in 2026?

Generally Safe

Score 100/100

Ultimate Post List has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 4mo ago

Risk Assessment

The 'ultimate-post-list' plugin v5.2.7.1 exhibits a mixed security posture. While it demonstrates good practices in SQL query handling with 100% prepared statements and a substantial 86% of outputs being properly escaped, there are significant concerns regarding its attack surface. The presence of two AJAX handlers without authentication checks is a critical vulnerability, as these entry points could be exploited by unauthenticated users. The use of the `unserialize` function is another potential risk, as it can lead to Remote Code Execution if the serialized data is controlled by an attacker and not properly validated. Fortunately, the plugin has no recorded CVEs, indicating a historically stable security record. However, the lack of known vulnerabilities doesn't negate the immediate risks posed by the unprotected AJAX endpoints and the `unserialize` function, which require immediate attention for robust security.

Key Concerns

AJAX handlers without authentication
Dangerous function 'unserialize' used

Vulnerabilities

None known

Ultimate Post List Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 16, 2026

Ultimate Post List Code Analysis

Dangerous Functions

Raw SQL Queries

2 prepared

Unescaped Output

105 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Dangerous Functions Found

unserializeupdate_post_meta( $new_list_id, $meta_data, unserialize( $meta_text ) );includes\class-Ultimate_Post_List_Admin.php:893

SQL Query Safety

100% prepared2 total queries

Output Escaping

86% escaped122 total outputs

Data Flows

All sanitized

Data Flow Analysis

1 flows

<class-Ultimate_Post_List_Public> (includes\class-Ultimate_Post_List_Public.php:0)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

2 unprotected

Ultimate Post List Attack Surface

Entry Points2

Unprotected2

AJAX Handlers 2

noprivwp_ajax_upl_ajax_load_moreincludes\class-Ultimate_Post_List.php:200

authwp_ajax_upl_ajax_load_moreincludes\class-Ultimate_Post_List.php:201

WordPress Hooks 16

actionwidgets_initincludes\class-Ultimate_Post_List.php:95

actionplugins_loadedincludes\class-Ultimate_Post_List.php:116

actionadmin_enqueue_scriptsincludes\class-Ultimate_Post_List.php:137

actionadmin_enqueue_scriptsincludes\class-Ultimate_Post_List.php:138

actionadmin_menuincludes\class-Ultimate_Post_List.php:141

actioninitincludes\class-Ultimate_Post_List.php:147

actionsave_postincludes\class-Ultimate_Post_List.php:150

actionadmin_noticesincludes\class-Ultimate_Post_List.php:164

actionpost_row_actionsincludes\class-Ultimate_Post_List.php:170

actionadmin_noticesincludes\class-Ultimate_Post_List.php:174

actionwp_enqueue_scriptsincludes\class-Ultimate_Post_List.php:196

actionwp_enqueue_scriptsincludes\class-Ultimate_Post_List.php:197

actionadmin_initincludes\class-Ultimate_Post_List_Widget.php:20

actionsave_postincludes\class-Ultimate_Post_List_Widget.php:21

actiondeleted_postincludes\class-Ultimate_Post_List_Widget.php:22

actionswitch_themeincludes\class-Ultimate_Post_List_Widget.php:23

Maintenance & Trust

Ultimate Post List Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedDec 1, 2025

PHP min version5.2

Downloads61K

Community Trust

Rating92/100

Number of ratings12

Active installs2K

Alternatives

Ultimate Post List Alternatives

Smart Post Lists Light

smart-post-lists-light

Create custom post lists based on options you choose from a form in a widget. Different types of lists, blog, portfolio, services pages. No coding.

300 No CVEs

Advanced Post Widget

advanced-post-widget

100

Builds post widget based on options you choose from a form in a widget

10 No CVEs

Author Grid

authorgrid

Sidebar widget that displays the avatar of all of the authors on your blog in grid form.

10 No CVEs

WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager

insert-headers-and-footers

Easily add code snippets in WordPress. Insert header & footer scripts, add PHP code snippets with conditional logic, insert ads pixel code, and more.

3.0M 3 CVEs

Code Snippets

code-snippets

An easy, clean and simple way to enhance your site with code snippets.

1.0M 7 CVEs

Developer Profile

Ultimate Post List Developer Profile

Kybernetik Services

10 plugins · 167K total installs

100

trust score

Avg Security Score

100/100

Avg Patch Time

1 days

View full developer profile

Detection Fingerprints

How We Detect Ultimate Post List

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/ultimate-post-list/public/css/ultimate-post-list-public.css/wp-content/plugins/ultimate-post-list/public/js/ultimate-post-list-public.js/wp-content/plugins/ultimate-post-list/admin/css/ultimate-post-list-admin.css/wp-content/plugins/ultimate-post-list/admin/js/ultimate-post-list-admin.js

Script Paths

/wp-content/plugins/ultimate-post-list/public/js/ultimate-post-list-public.js/wp-content/plugins/ultimate-post-list/admin/js/ultimate-post-list-admin.js

Version Parameters

ultimate-post-list-public.css?ver=ultimate-post-list-public.js?ver=ultimate-post-list-admin.css?ver=ultimate-post-list-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes

upl-display-wrapperupl-frontendupl-post-list-widgetupl-entry-title

HTML Comments

Data Attributes

data-upl-widget-iddata-upl-post-id

JS Globals

upl_admin_paramsultimate_post_list_frontend_params

REST Endpoints

/wp-json/ultimate-post-list/v1/settings

Shortcode Output

[ultimate_post_list

FAQ