WP-Safety

User List for Ultimate Member Security & Risk Analysis

wordpress.org/plugins/um-user-list

A plugin for Ultimate member that allows users to display user suggestions in a simple widget.

20 active installs v1.0.1.4 PHP 5.6+ WP 3.0.1+ Updated May 18, 2023
ultimate-memberultimate-member-membersultimatemember
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is User List for Ultimate Member Safe to Use in 2026?

Generally Safe

Score 85/100

User List for Ultimate Member has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 2yr ago
Risk Assessment

The "um-user-list" plugin version 1.0.1.4 exhibits a mixed security posture. While it demonstrates good practices by avoiding dangerous functions, file operations, and external HTTP requests, and shows a commitment to prepared statements for most SQL queries, significant concerns are raised by the lack of security checks on its entry points. Specifically, the plugin has two AJAX handlers that lack authentication checks, creating a direct path for unauthenticated users to interact with potentially sensitive functionality. Furthermore, the complete absence of nonce and capability checks across the board is a critical oversight, as it means any user, regardless of their role or logged-in status, could trigger actions within these AJAX handlers. The plugin's vulnerability history is clean, with no recorded CVEs. This absence of past vulnerabilities is a positive indicator, suggesting a diligent development approach or simply a lack of exposure. However, this historical strength is overshadowed by the evident weaknesses in the current static analysis. In conclusion, while the plugin avoids common pitfalls like outdated bundled libraries or raw SQL queries, the unprotected AJAX endpoints represent a substantial risk that needs immediate attention.

Key Concerns

  • AJAX handlers without auth checks
  • AJAX handlers without capability checks
  • No nonce checks on AJAX handlers
  • 2 unprotected entry points
  • Output escaping 78% (some unescaped)
Vulnerabilities
None known

User List for Ultimate Member Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

User List for Ultimate Member Code Analysis

Dangerous Functions
0
Raw SQL Queries
1
2 prepared
Unescaped Output
10
36 escaped
Nonce Checks
0
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0

SQL Query Safety

67% prepared3 total queries

Output Escaping

78% escaped46 total outputs
Attack Surface
2 unprotected

User List for Ultimate Member Attack Surface

Entry Points4
Unprotected2

AJAX Handlers 2

authwp_ajax_umul_refresh_user_connectionincludes\class-core.php:45
noprivwp_ajax_umul_refresh_user_connectionincludes\class-core.php:46

Shortcodes 2

[um_user_suggestions] includes\class-core.php:42
[um_user_list] includes\class-core.php:43
WordPress Hooks 8
actionwp_enqueue_scriptsincludes\class-core.php:47
filterpre_user_queryincludes\class-core.php:95
filterpre_user_queryincludes\class-core.php:203
actioninitum-user-list.php:169
actionall_admin_noticesum-user-list.php:232
actionadmin_initum-user-list.php:235
actionplugins_loadedum-user-list.php:376
actionwidgets_initwidgets\um-user-list-widgets.php:80
Maintenance & Trust

User List for Ultimate Member Maintenance & Trust

Maintenance Signals

WordPress version tested6.2.9
Last updatedMay 18, 2023
PHP min version5.6
Downloads4K

Community Trust

Rating20/100
Number of ratings1
Active installs20
Alternatives

User List for Ultimate Member Alternatives

Login Widget for Ultimate Member

Login Widget for Ultimate Member

login-widget-for-ultimate-member

A
90

Easily add a login widget that works with Ultimate Member

700 1 CVE
Ultimate Member Custom Tab Builder Lite

Ultimate Member Custom Tab Builder Lite

um-custom-tab-builder-lite

A
92

An easy way to add custom profile tabs to Ultimate Member Profile. Ultimate Member 2.0 compatible

500 No CVEs
Video & Photo Gallery for Ultimate Member

Video & Photo Gallery for Ultimate Member

gallery-for-ultimate-member

C
63

Enhance Ultimate Member with a Photo/Video Gallery Addon: Easy media sharing & vibrant community engagement."

100 1 unpatched
UM Events

UM Events

um-events-lite-for-ultimate-member

A
85

Easy to use Events Uploader for Ultimate Member. Give your users the option to create events

10 No CVEs
UM Navigation Menu

UM Navigation Menu

um-navigation-menu

A
100

An easy way to add Ultimate Member navigation to admin bar. Ultimate Member 2.0 compatible

10 No CVEs
Developer Profile

User List for Ultimate Member Developer Profile

SuitePlugins

17 plugins · 2K total installs

90
trust score
Avg Security Score
86/100
Avg Patch Time
7 days
View full developer profile
Detection Fingerprints

How We Detect User List for Ultimate Member

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/um-user-list/admin/css/um-user-list-admin-style.css/wp-content/plugins/um-user-list/assets/css/um-user-list.css/wp-content/plugins/um-user-list/assets/js/um-user-list.js
Script Paths
/wp-content/plugins/um-user-list/assets/js/um-user-list.js
Version Parameters
um-user-list/assets/css/um-user-list.css?ver=um-user-list/assets/js/um-user-list.js?ver=um-user-list/admin/css/um-user-list-admin-style.css?ver=

HTML / DOM Fingerprints

CSS Classes
um-user-listum-user-list-tableum-user-list-item
HTML Comments
<!-- UM User List Widget --><!-- UM User List Shortcode --><!-- UM User List --- END OF PLUGIN CLASSES FUNCTION -->
Data Attributes
data-um-user-list-id
JS Globals
um_user_list_ajax_object
Shortcode Output
[um_user_list][um_user_list_widget]
FAQ

Frequently Asked Questions about User List for Ultimate Member