Ultimate Push Notifications Security & Risk Analysis

wordpress.org/plugins/ultimate-push-notifications

Receive push notification on Mobile / Desktop from WooCommerce / Multi-vendor (Dokan, WCFM), BuddyPress, WordPress events and more.

60 active installs · v1.2.0 · PHP 7.0+ · WP 4.0+ · Updated Sep 28, 2025
Tags: buddypress, desktop-push-notification, dokan, push-notifications, woocommerce
Score: 45/100 · D · High Risk
CVEs total: 3
Unpatched: 3
Last CVE: Jul 7, 2025
Safety Verdict

Is Ultimate Push Notifications Safe to Use in 2026?

High Risk

Score 45/100

Ultimate Push Notifications carries significant security risk with 3 known CVEs, 3 still unpatched. Consider switching to a maintained alternative.

3 known CVEs · 3 unpatched · Last CVE: Jul 7, 2025 · Updated 6mo ago
Risk Assessment

The ultimate-push-notifications plugin exhibits a mixed security posture. On the positive side, it demonstrates good practices with a total of 11 capability checks and 2 nonce checks, and a majority of SQL queries (79%) utilize prepared statements, reducing the risk of SQL injection. The attack surface is relatively small with only 2 AJAX handlers and no REST API routes or shortcodes, and crucially, no unprotected entry points were identified in the static analysis.

However, significant concerns arise from the code signals and vulnerability history. Only 20% of outputs are properly escaped, indicating a high risk of Cross-Site Scripting (XSS) vulnerabilities. The taint analysis revealed 8 flows with unsanitized paths; although no critical or high severity issues were flagged, this still represents a substantial risk of unexpected behavior or data compromise. The plugin's vulnerability history is particularly alarming: it has 3 unpatched medium severity CVEs, with common types including Missing Authorization, XSS, and SQL Injection. The most recent vulnerability was dated July 7, 2025, suggesting a pattern of security flaws and a lack of timely patching.

In conclusion, while the plugin has some strengths in its controlled attack surface and use of prepared statements for SQL, the high percentage of unsanitized paths and poor output escaping, coupled with a history of unpatched medium-severity vulnerabilities, present a considerable risk. The presence of 3 unpatched CVEs, even at medium severity, is a critical indicator of ongoing security weaknesses that require immediate attention.

Key Concerns

  • 3 unpatched medium CVEs
  • 8 flows with unsanitized paths
  • Only 20% of outputs properly escaped
  • Vulnerabilities include SQL Injection
  • Vulnerabilities include XSS
  • Vulnerabilities include Missing Auth
Vulnerabilities
3

Ultimate Push Notifications Security Vulnerabilities

CVEs by Year

2025: 3 CVEs · unpatched

Severity Breakdown

Medium: 3 (3 total CVEs)

CVE-2025-50028 · medium · 5.3 · Missing Authorization
Ultimate Push Notifications <= 1.1.9 - Missing Authorization
Jul 7, 2025 · Unpatched

CVE-2025-31548 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Ultimate Push Notifications <= 1.1.8 - Reflected Cross-Site Scripting
Apr 1, 2025 · Unpatched

CVE-2025-31561 · medium · 6.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Ultimate Push Notifications <= 1.1.8 - Authenticated (Subscriber+) SQL Injection
Mar 31, 2025 · Unpatched

Code Analysis
Analyzed Mar 16, 2026

Ultimate Push Notifications Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 3 (11 prepared)
Unescaped Output: 24 (6 escaped)
Nonce Checks: 2
Capability Checks: 11
File Operations: 0
External Requests: 1
Bundled Libraries: 0

SQL Query Safety

79% prepared · 14 total queries

Output Escaping

20% escaped · 30 total outputs

Data Flows: 8 unsanitized

Data Flow Analysis

10 flows · 8 with unsanitized paths
upn_bp_front_notifications_settings (core\admin\functions\notifications\Upn_BuddyPress.php:634)
Attack Surface

Ultimate Push Notifications Attack Surface

Entry Points: 2
Unprotected: 0

AJAX Handlers: 2

auth · wp_ajax_upn_ajax · core\actions\Upn_CustomAjax.php:20
nopriv · wp_ajax_upn_ajax · core\actions\Upn_CustomAjax.php:21

WordPress Hooks: 33

action · friends_friendship_requested · core\actions\Upn_Bp_Hooks.php:23
action · friends_friendship_accepted · core\actions\Upn_Bp_Hooks.php:24
action · friends_friendship_rejected · core\actions\Upn_Bp_Hooks.php:25
action · friends_friendship_withdrawn · core\actions\Upn_Bp_Hooks.php:26
action · bp_activity_post_type_published · core\actions\Upn_Bp_Hooks.php:29
action · bp_activity_post_type_updated · core\actions\Upn_Bp_Hooks.php:30
action · bp_activity_post_type_unpublished · core\actions\Upn_Bp_Hooks.php:31
action · bp_activity_posted_update · core\actions\Upn_Bp_Hooks.php:32
action · bp_activity_sent_reply_to_update_notification · core\actions\Upn_Bp_Hooks.php:33
action · messages_message_sent · core\actions\Upn_Bp_Hooks.php:36
action · bp_send_email_delivery_class · core\actions\Upn_Bp_Hooks.php:39
action · bp_send_email_delivery_class · core\actions\Upn_Bp_Hooks.php:40
action · wp · core\actions\Upn_Bp_Hooks.php:43
action · upn_bp_front_notifications_settings · core\actions\Upn_Bp_Hooks.php:44
action · admin_enqueue_scripts · core\actions\Upn_EnqueueScript.php:21
action · wp_enqueue_scripts · core\actions\Upn_EnqueueScript.php:22
action · wp_enqueue_scripts · core\actions\Upn_EnqueueScript.php:23
action · admin_menu · core\actions\Upn_RegisterMenu.php:50
action · admin_enqueue_scripts · core\actions\Upn_RegisterMenu.php:255
action · admin_footer · core\actions\Upn_RegisterMenu.php:261
action · woocommerce_payment_complete · core\actions\Upn_Woo_Hooks.php:22
action · woocommerce_add_to_cart · core\actions\Upn_Woo_Hooks.php:25
action · woocommerce_order_status_changed · core\actions\Upn_Woo_Hooks.php:28
action · wpcf7_before_send_mail · core\actions\Upn_WpCF7_Hooks.php:21
action · user_register · core\actions\Upn_WP_Hooks.php:21
filter · plugin_row_meta · core\actions\Upn_WP_Hooks.php:27
action · admin_init · core\admin\builders\NoticeBuilder.php:28
action · admin_notices · core\admin\builders\NoticeBuilder.php:29
action · bp_template_title · core\front\bp\BpSettingsTpl.php:31
action · bp_template_content · core\front\bp\BpSettingsTpl.php:32
action · plugins_loaded · ultimate-push-notifications.php:72
action · plugins_loaded · ultimate-push-notifications.php:75
action · plugins_loaded · ultimate-push-notifications.php:78

Maintenance & Trust

Ultimate Push Notifications Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Sep 28, 2025
PHP min version: 7.0
Downloads: 7K

Community Trust

Rating: 60/100
Number of ratings: 4
Active installs: 60

Developer Profile

Ultimate Push Notifications Developer Profile

CodeSolz

2 plugins · 50K total installs

Trust score: 56
Avg Security Score: 67/100
Avg Patch Time: 217 days
Detection Fingerprints

How We Detect Ultimate Push Notifications

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/ultimate-push-notifications/assets/js/upn.admin.global.min.js
/wp-content/plugins/ultimate-push-notifications/assets/js/upn.tabs.min.js
/wp-content/plugins/ultimate-push-notifications/assets/plugins/firebase/js/firebase-app.js
/wp-content/plugins/ultimate-push-notifications/assets/plugins/firebase/js/firebase-messaging.js
/wp-content/plugins/ultimate-push-notifications/assets/plugins/firebase/js/firebaseInit.min.js
/wp-content/plugins/ultimate-push-notifications/assets/js/app-upn.js
/wp-content/plugins/ultimate-push-notifications/assets/css/upn-bp-style.min.css

Script Paths
assets/js/upn.admin.global.min.js
assets/js/upn.tabs.min.js
assets/plugins/firebase/js/firebase-app.js
assets/plugins/firebase/js/firebase-messaging.js
assets/plugins/firebase/js/firebaseInit.min.js
assets/js/app-upn.js
(+1 more)

Version Parameters
ultimate-push-notifications/assets/js/upn.admin.global.min.js?ver=
ultimate-push-notifications/assets/js/upn.tabs.min.js?ver=
ultimate-push-notifications/assets/plugins/firebase/js/firebase-app.js?ver=
ultimate-push-notifications/assets/plugins/firebase/js/firebase-messaging.js?ver=
ultimate-push-notifications/assets/plugins/firebase/js/firebaseInit.min.js?ver=
ultimate-push-notifications/assets/js/app-upn.js?ver=
ultimate-push-notifications/assets/css/upn-bp-style.min.css?ver=

HTML / DOM Fingerprints

CSS Classes
upn-bp-style
Data Attributes
data-upn-plugin
JS Globals
UPN_Notifier