WP-Safety

Ultimeter Security & Risk Analysis

wordpress.org/plugins/ultimeter

Ultimeter - the Ultimate Progress and Goals Meter

1K active installs v3.0.8 PHP 7.0+ WP 3.0.1+ Updated Dec 2, 2025
fundraisinggoalmeterprogressprogress-bar
99
A · Safe
CVEs total1
Unpatched0
Last CVEFeb 25, 2019
Plugin page Download
Safety Verdict

Is Ultimeter Safe to Use in 2026?

Generally Safe

Score 99/100

Ultimeter has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVELast CVE: Feb 25, 2019Updated 4mo ago
Risk Assessment

The ultimeter plugin v3.0.8 presents a mixed security posture. On the positive side, the static analysis reveals a relatively small attack surface, with only one shortcode identified as an entry point. The plugin also demonstrates good practices in its use of capability checks and nonce checks. The absence of external HTTP requests is also a favorable indicator, reducing the risk of certain types of attacks.

However, there are areas of concern. The SQL query usage shows that only 33% of queries are properly prepared, leaving a significant portion vulnerable to SQL injection. While taint analysis shows no critical or high severity flows, the limited scope of the analysis (0 flows analyzed) means this is not a strong indicator of overall security. The plugin's history of a High severity CVE for "Missing Authorization" in 2019 is a notable concern, suggesting that developers need to be vigilant about access control.

In conclusion, while ultimeter v3.0.8 has made progress in some security areas, the unaddressed potential for SQL injection due to unprepared queries and the historical "Missing Authorization" vulnerability warrant attention. The plugin's strengths lie in its limited attack surface and proper use of nonces and capabilities, but the data processing and historical context highlight weaknesses that could be exploited.

Key Concerns

  • SQL queries not using prepared statements
  • Bundled Freemius v1.0 library potentially outdated
  • Historical High severity CVE (Missing Authorization)
Vulnerabilities
1

Ultimeter Security Vulnerabilities

CVEs by Year

1 CVE in 2019
2019
Patched Has unpatched

Severity Breakdown

High
1

1 total CVE

WF-3fda31fa-efc9-44b9-99ba-9e3e23aa2ee0-ultimeterhigh · 8.8Missing Authorization

Freemius SDK <= 2.2.3 - Missing Authorization to Arbitrary Options Update

Feb 25, 2019 Patched in 1.9.3 (1793d)
Code Analysis
Analyzed Mar 16, 2026

Ultimeter Code Analysis

Dangerous Functions
0
Raw SQL Queries
2
1 prepared
Unescaped Output
46
138 escaped
Nonce Checks
1
Capability Checks
13
File Operations
7
External Requests
0
Bundled Libraries
1

Bundled Libraries

Freemius1.0

SQL Query Safety

33% prepared3 total queries

Output Escaping

75% escaped184 total outputs
Attack Surface

Ultimeter Attack Surface

Entry Points1
Unprotected0

Shortcodes 1

[ultimeter] includes\class-ultimeter.php:88
WordPress Hooks 34
actionpost_submitbox_misc_actionsadmin\class-ultimeter-admin.php:42
actionpost_submitbox_misc_actionsadmin\class-ultimeter-admin.php:43
actionpost_submitbox_misc_actionsadmin\class-ultimeter-admin.php:44
actionadmin_head-post-new.phpadmin\class-ultimeter-admin.php:45
actionadmin_head-post.phpadmin\class-ultimeter-admin.php:46
filterpost_updated_messagesadmin\class-ultimeter-admin.php:47
actionadmin_enqueue_scriptsadmin\class-ultimeter-admin.php:48
actionadmin_enqueue_scriptsadmin\class-ultimeter-admin.php:49
actionadmin_enqueue_scriptsadmin\class-ultimeter-admin.php:50
actioninitadmin\class-ultimeter-admin.php:51
filteradmin_footer_textadmin\class-ultimeter-admin.php:52
filterenter_title_hereadmin\class-ultimeter-admin.php:53
actionadmin_action_duplicate_ultimeteradmin\class-ultimeter-admin.php:54
filterpost_row_actionsadmin\class-ultimeter-admin.php:55
actionwp_dashboard_setupadmin\class-ultimeter-admin.php:61
actionrest_endpointsadmin\class-ultimeter-admin.php:62
actionadmin_initadmin\class-ultimeter-admin.php:63
actionplugins_loadedadmin\class-ultimeter-admin.php:64
actionplugins_loadedadmin\class-ultimeter-admin.php:65
actionadmin_noticesadmin\class-ultimeter-admin.php:66
actionadmin_enqueue_scriptsgutenberg\class-ultimeter-gutenberg-block.php:33
actionwp_enqueue_scriptsgutenberg\class-ultimeter-gutenberg-block.php:34
actionmanage_posts_extra_tablenavincludes\class-ultimeter-blank-slate.php:56
actionadmin_headincludes\class-ultimeter-blank-slate.php:59
actionrest_api_initincludes\class-ultimeter-rest-controller.php:748
actionwidgets_initincludes\class-ultimeter-widget.php:71
actionplugins_loadedincludes\class-ultimeter.php:39
actionwp_enqueue_scriptsincludes\class-ultimeter.php:40
actionwp_enqueue_scriptsincludes\class-ultimeter.php:41
actioninitincludes\class-ultimeter.php:42
filterultimeter_admin_goal_formatsintegrations\woocommerce\includes\class-ultimeter-woocommerce.php:35
filterultimeter_admin_goal_optionsintegrations\woocommerce\includes\class-ultimeter-woocommerce.php:36
actioncurrent_screenultimeter.php:79
filterpost_row_actionsultimeter.php:95
Maintenance & Trust

Ultimeter Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedDec 2, 2025
PHP min version7.0
Downloads41K

Community Trust

Rating100/100
Number of ratings24
Active installs1K
Alternatives

Ultimeter Alternatives

Author WIP Progress Bar

Author WIP Progress Bar

author-work-in-progress-bar

B
70

Tested up to 6.7.1 The WIP Progress Bar plugin allows writers and authors to display beautiful progress bars on their WordPress websites via a Widget &hellip;

400 1 unpatched
Goal Progress Tracker

Goal Progress Tracker

goal-progress-tracker

A
100

A beautiful and interactive goal progress tracker that displays progress as a horizontal thermometer with customizable gradient colors.

0 No CVEs
MP Smart Content Timekeeper

MP Smart Content Timekeeper

mp-smart-content-timekeeper

A
100

Enhance user engagement with smart reading time estimates and interactive progress tracking.

0 No CVEs
WC Weight Meter

WC Weight Meter

wc-weight-meter

A
100

A WooCommerce weight meter plugin that allows customers to view the total weight of their cart in real-time with a customizable progress bar.

0 No CVEs
Free Shipping Label and Progress Bar for WooCommerce

Free Shipping Label and Progress Bar for WooCommerce

free-shipping-label

A
100

Increase order revenue by showing your customers just how close they are to your free shipping threshold.

5K No CVEs
Developer Profile

Ultimeter Developer Profile

Ben Roberts

4 plugins · 2K total installs

79
trust score
Avg Security Score
100/100
Avg Patch Time
1793 days
View full developer profile
Detection Fingerprints

How We Detect Ultimeter

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/ultimeter/assets/css/ultimeter.css/wp-content/plugins/ultimeter/assets/js/ultimeter.js
Script Paths
/wp-content/plugins/ultimeter/freemius/start.php/wp-content/plugins/ultimeter/includes/class-ultimeter.php/wp-content/plugins/ultimeter/vendor/autoload.php/wp-content/plugins/ultimeter/admin/class-ultimeter-admin.php/wp-content/plugins/ultimeter/admin/fields/connected_image_select.php/wp-content/plugins/ultimeter/admin/fields/image_select_style_packs.php+16 more
Version Parameters
ultimeter/style.css?ver=ultimeter/script.js?ver=

HTML / DOM Fingerprints

CSS Classes
ultimeter-blank-slateultimeter-mainultimeter-sidebarultimeter-contentultimeter-titleultimeter-descriptionultimeter-progress-barultimeter-goal-item+5 more
HTML Comments
<!-- The most advanced progress and goals meter for WordPress --><!-- DO NOT REMOVE THIS IF, IT IS ESSENTIAL FOR THE `function_exists` CALL ABOVE TO PROPERLY WORK. --><!-- Blank Slate --><!-- Add Duplicate Button -->+5 more
Data Attributes
data-ultimeter-iddata-ultimeter-progressdata-ultimeter-goal
JS Globals
ultimeter_params
REST Endpoints
/wp-json/ultimeter/v1/settings
Shortcode Output
[ultimeter][ultimeter_goals][ultimeter_progress]
FAQ

Frequently Asked Questions about Ultimeter