Ultimate Reviews Security & Risk Analysis

wordpress.org/plugins/ultimate-reviews

Best review plugin. Let visitors submit reviews and display them via shortcode or widget. Replace WooCommerce reviews and ratings. Require login, etc.

500 active installs · v3.2.17 · PHP + WP 5.0+ · Updated Feb 5, 2026
Tags: product-review, rating, review, reviews, woocommerce-reviews
Security score: 89
Grade: A · Safe
CVEs total: 5
Unpatched: 0
Last CVE: Jan 6, 2026
Safety Verdict

Is Ultimate Reviews Safe to Use in 2026?

Generally Safe

Score 89/100

Ultimate Reviews has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: Jan 6, 2026 · Updated 1mo ago
Risk Assessment

The 'ultimate-reviews' plugin v3.2.17 presents a mixed security profile. On the positive side, the static analysis indicates good coding practices: all AJAX handlers and REST API routes appear to have authentication checks, SQL queries use prepared statements exclusively, and a high percentage of output is properly escaped, all strong indicators of security awareness. The numerous nonce and capability checks further reinforce this positive picture.

However, several concerns warrant attention. The taint analysis revealed two flows with unsanitized paths, which could lead to issues if not handled carefully, though the critical and high severity counts are zero. More significantly, the plugin has a history of 5 known CVEs: one critical and four medium. While none is currently unpatched, the nature of the past vulnerabilities (authorization bypass, cross-site scripting, deserialization) suggests a pattern of complex security flaws that require vigilant patching. The most recent vulnerability being dated 2026 is also unusual and, if it is not a typo, could indicate either outdated historical data or a future unpatched issue.

Overall, the current version of the plugin demonstrates improved security practices in its code compared to its past, as evidenced by the absence of immediately exploitable issues in the static analysis. Nevertheless, the historical vulnerability data, particularly the past critical vulnerability and the types of issues encountered, suggests that users should remain cautious and prioritize timely updates for future releases to mitigate the risks associated with previously exploited weaknesses.

Key Concerns

  • Historical critical CVE present
  • Historical medium CVEs present (4)
  • Taint flows with unsanitized paths (2)
  • Past vulnerability types are severe (Auth Bypass, XSS, Deserialization)
Vulnerabilities (5)

Ultimate Reviews Security Vulnerabilities

CVEs by Year

2020: 1 CVE
2022: 1 CVE
2024: 1 CVE
2025: 1 CVE
2026: 1 CVE

Severity Breakdown

Critical: 1
Medium: 4

5 total CVEs

CVE-2026-24634 · medium · 5.3 · Authorization Bypass Through User-Controlled Key
Ultimate Reviews <= 3.2.16 - Unauthenticated Insecure Direct Object Reference
Jan 6, 2026 · Patched in 3.2.17 (32d)

CVE-2025-49266 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Ultimate Reviews <= 3.2.14 - Reflected Cross-Site Scripting
Jun 11, 2025 · Patched in 3.2.15 (7d)

CVE-2024-25597 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Ultimate Reviews <= 3.2.8 - Unauthenticated Stored Cross-Site Scripting via reviews
Feb 12, 2024 · Patched in 3.2.9 (3d)

CVE-2022-23979 · medium · 4.8 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Ultimate Reviews <= 3.0.15 - Authenticated Stored Cross-Site Scripting
Jan 6, 2022 · Patched in 3.0.16 (747d)

CVE-2020-36726 · critical · 9.8 · Deserialization of Untrusted Data
Ultimate Reviews < 2.1.33 - PHP Object Injection
Nov 10, 2020 · Patched in 2.1.33 (1169d)
Code Analysis (analyzed Mar 16, 2026)

Ultimate Reviews Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (9 prepared)
Unescaped Output: 155 (653 escaped)
Nonce Checks: 16
Capability Checks: 13
File Operations: 3
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared · 9 total queries

Output Escaping

81% escaped · 808 total outputs

Data Flows: 2 unsanitized

Data Flow Analysis

8 flows · 2 with unsanitized paths

Unsanitized path: validate_submission (includes\Review.class.php:183)
Attack Surface

Ultimate Reviews Attack Surface

Entry Points: 25
Unprotected: 0

AJAX Handlers 20

auth · wp_ajax_ewd_urp_send_feature_suggestion · includes\AboutUs.class.php:14
auth · wp_ajax_ewd_urp_search · includes\Ajax.class.php:14
nopriv · wp_ajax_ewd_urp_search · includes\Ajax.class.php:15
auth · wp_ajax_ewd_urp_record_view · includes\Ajax.class.php:17
nopriv · wp_ajax_ewd_urp_record_view · includes\Ajax.class.php:18
auth · wp_ajax_ewd_urp_update_karma · includes\Ajax.class.php:20
nopriv · wp_ajax_ewd_urp_update_karma · includes\Ajax.class.php:21
auth · wp_ajax_ewd_urp_get_review_body · includes\Ajax.class.php:23
nopriv · wp_ajax_ewd_urp_get_review_body · includes\Ajax.class.php:24
auth · wp_ajax_ewd_urp_flag_inappropriate · includes\Ajax.class.php:26
nopriv · wp_ajax_ewd_urp_flag_inappropriate · includes\Ajax.class.php:27
auth · wp_ajax_ewd_urp_send_test_email · includes\Ajax.class.php:29
auth · wp_ajax_ewd_urp_hide_uwpm_banner · includes\Ajax.class.php:31
auth · wp_ajax_ewd_urp_welcome_add_submit_review_page · includes\InstallationWalkthrough.class.php:19
auth · wp_ajax_ewd_urp_welcome_add_display_review_page · includes\InstallationWalkthrough.class.php:20
auth · wp_ajax_ewd_urp_welcome_set_options · includes\InstallationWalkthrough.class.php:21
auth · wp_ajax_ewd_urp_welcome_add_category · includes\InstallationWalkthrough.class.php:22
auth · wp_ajax_ewd_urp_hide_review_ask · includes\ReviewAsk.class.php:16
auth · wp_ajax_ewd_urp_send_feedback · includes\ReviewAsk.class.php:17
auth · wp_ajax_ewd_urp_hide_helper_notice · ultimate-reviews.php:156

Shortcodes 5

[ultimate-reviews] includes\template-functions.php:70
[select-review] includes\template-functions.php:112
[ultimate-review-search] includes\template-functions.php:184
[reviews-summary] includes\template-functions.php:237
[submit-review] includes\template-functions.php:324
WordPress Hooks 73

action · admin_menu · includes\AboutUs.class.php:16
action · init · includes\Blocks.class.php:14
filter · block_categories_all · includes\Blocks.class.php:16
action · current_screen · includes\Blocks.class.php:69
action · admin_init · includes\CustomPostTypes.class.php:17
action · init · includes\CustomPostTypes.class.php:18
action · add_meta_boxes · includes\CustomPostTypes.class.php:21
action · save_post · includes\CustomPostTypes.class.php:22
filter · get_sample_permalink_html · includes\CustomPostTypes.class.php:24
filter · manage_urp_review_posts_columns · includes\CustomPostTypes.class.php:27
action · manage_urp_review_posts_custom_column · includes\CustomPostTypes.class.php:28
filter · manage_edit-urp_review_sortable_columns · includes\CustomPostTypes.class.php:29
filter · request · includes\CustomPostTypes.class.php:30
filter · parse_query · includes\CustomPostTypes.class.php:31
filter · restrict_manage_posts · includes\CustomPostTypes.class.php:32
action · admin_menu · includes\Dashboard.class.php:16
action · current_screen · includes\DeactivationSurvey.class.php:13
action · admin_enqueue_scripts · includes\DeactivationSurvey.class.php:18
action · admin_footer · includes\DeactivationSurvey.class.php:19
action · admin_menu · includes\Export.class.php:17
action · admin_menu · includes\Export.class.php:19
action · admin_menu · includes\Import.class.php:18
action · admin_init · includes\Import.class.php:20
action · admin_init · includes\Import.class.php:22
action · admin_notices · includes\Import.class.php:78
action · admin_notices · includes\Import.class.php:206
action · admin_menu · includes\InstallationWalkthrough.class.php:13
action · admin_head · includes\InstallationWalkthrough.class.php:14
action · admin_init · includes\InstallationWalkthrough.class.php:15
action · admin_head · includes\InstallationWalkthrough.class.php:17
action · ewd_urp_insert_review · includes\Notifications.class.php:15
action · ewd_urp_insert_review · includes\Notifications.class.php:16
action · ewd_urp_insert_review · includes\Notifications.class.php:17
action · init · includes\Patterns.class.php:18
action · init · includes\Patterns.class.php:19
action · admin_notices · includes\ReviewAsk.class.php:14
action · admin_enqueue_scripts · includes\ReviewAsk.class.php:19
action · init · includes\Settings.class.php:25
action · init · includes\Settings.class.php:27
filter · ewd-urp-settings-maximum-score · includes\Settings.class.php:29
action · init · includes\template-functions.php:445
action · shutdown · includes\template-functions.php:456
action · widgets_init · includes\Widgets.class.php:7
action · widgets_init · includes\Widgets.class.php:8
action · widgets_init · includes\Widgets.class.php:9
action · widgets_init · includes\Widgets.class.php:10
action · init · includes\WooCommerce.class.php:14
action · admin_init · includes\WooCommerce.class.php:15
action · woocommerce_order_status_changed · includes\WooCommerce.class.php:17
action · woocommerce_checkout_order_processed · includes\WooCommerce.class.php:18
action · uwpm_register_custom_element_section · includes\WooCommerce.class.php:20
action · uwpm_register_custom_element · includes\WooCommerce.class.php:21
action · edited_product_cat · includes\WooCommerce.class.php:23
filter · woocommerce_product_tabs · includes\WooCommerce.class.php:25
filter · woocommerce_product_tabs · includes\WooCommerce.class.php:26
filter · woocommerce_product_get_rating_html · includes\WooCommerce.class.php:28
filter · woocommerce_template_single_rating · includes\WooCommerce.class.php:29
filter · woocommerce_product_get_review_count · includes\WooCommerce.class.php:31
filter · woocommerce_locate_template · includes\WooCommerce.class.php:32
action · ewd_urp_insert_review · includes\WooCommerce.class.php:34
filter · the_content · ultimate-reviews.php:138
filter · the_author · ultimate-reviews.php:139
action · wp_footer · ultimate-reviews.php:140
action · init · ultimate-reviews.php:142
action · plugins_loaded · ultimate-reviews.php:144
action · admin_notices · ultimate-reviews.php:146
action · admin_notices · ultimate-reviews.php:147
action · admin_enqueue_scripts · ultimate-reviews.php:149
action · wp_enqueue_scripts · ultimate-reviews.php:150
action · wp_head · ultimate-reviews.php:151
action · wp_footer · ultimate-reviews.php:152
filter · plugin_action_links · ultimate-reviews.php:154
action · before_woocommerce_init · ultimate-reviews.php:158
Maintenance & Trust

Ultimate Reviews Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 5, 2026
PHP min version:
Downloads: 222K

Community Trust

Rating: 80/100
Number of ratings: 59
Active installs: 500
Developer Profile

Ultimate Reviews Developer Profile

Rustaurius

21 plugins · 66K total installs

Trust score: 72
Avg Security Score: 90/100
Avg Patch Time: 716 days
Detection Fingerprints

How We Detect Ultimate Reviews

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/ultimate-reviews/assets/css/ewd-urp-admin.css
/wp-content/plugins/ultimate-reviews/assets/css/ewd-urp-helper-install-notice.css
/wp-content/plugins/ultimate-reviews/assets/js/ewd-urp-admin.js
/wp-content/plugins/ultimate-reviews/assets/js/ewd-urp-helper-install-notice.js
/wp-content/plugins/ultimate-reviews/assets/js/ewd-urp-front-end.js

Script Paths
/wp-content/plugins/ultimate-reviews/assets/js/ewd-urp-helper-install-notice.js
/wp-content/plugins/ultimate-reviews/assets/js/ewd-urp-admin.js
/wp-content/plugins/ultimate-reviews/assets/js/ewd-urp-front-end.js

Version Parameters
ewd-urp-helper-install-notice
ewd-urp-helper-install-notice.css?ver=
ewd-urp-admin.css?ver=
ewd-urp-admin.js?ver=
ewd-urp-front-end.js?ver=

HTML / DOM Fingerprints

CSS Classes
ewd-urp-review-form-wrapper
ewd-urp-review-display-wrapper
ewd-urp-review-container
ewd-urp-no-reviews-message
ewd-urp-review-header
ewd-urp-review-title
ewd-urp-review-author-date
ewd-urp-review-rating
(+2 more)

HTML Comments
<!-- Check if the user is logged in -->
<!-- Display the review form -->
<!-- Display the reviews -->
<!-- If reviews are empty -->
(+7 more)

Data Attributes
data-product-id
data-review-id
data-rating
data-form-nonce

JS Globals
ewd_urp_php_js_data
ewd_urp_helper_notice

REST Endpoints
/wp-json/ewd-urp/v1/submit_review
/wp-json/ewd-urp/v1/get_reviews

Shortcode Output
[ultimate-reviews]
[review-form]
[recent-reviews]
[product-reviews]
FAQ

Frequently Asked Questions about Ultimate Reviews