Does Understory have any unpatched vulnerabilities?

No. All known vulnerabilities in Understory have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Understory compatible with WordPress 6.8.5?

According to WordPress.org data, Understory 1.8.3 has been tested up to WordPress 6.8.5. Check the plugin's changelog for the latest compatibility information.

Is Understory compatible with PHP 7.0+?

Understory requires PHP 7.0 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Understory updated?

Understory was last updated on Feb 27, 2026. Frequent updates are generally a positive security signal.

What is Understory's security score?

Understory has a WP-Safety security score of 100/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Understory Security & Risk Analysis

wordpress.org/plugins/understory

Connect your Understory account with WordPress, to easily add Booking and Experience Widgets to your pages!

90 active installs v1.8.3 PHP 7.0+ WP 5.0+ Updated Feb 27, 2026

activitiesbookingexperiencestours

A · Safe

CVEs total0

Unpatched0

Last CVENever

Download

Safety Verdict

Is Understory Safe to Use in 2026?

Generally Safe

Score 100/100

Understory has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 1mo ago

Risk Assessment

The understory plugin v1.8.3 exhibits a mixed security posture. On the positive side, it demonstrates excellent practices regarding SQL queries and output escaping, with 100% of both being handled securely. The absence of known CVEs and any recorded vulnerabilities in its history is a strong indicator of responsible development and maintenance. Furthermore, the plugin does not utilize bundled libraries, reducing the risk of outdated components.

However, there are notable areas of concern. The plugin has a total of 10 entry points, with a significant portion (4) of these being AJAX handlers that lack authentication checks. This creates a substantial attack surface that is potentially exposed to unauthenticated users. While the plugin has nonce checks for its AJAX handlers, the lack of capability checks on these vulnerable AJAX endpoints means that any authenticated user, regardless of their role or permissions, could trigger these functions. The two external HTTP requests, while not inherently problematic without further context, represent a potential vector for further exploitation if not handled with extreme care.

In conclusion, while the plugin's handling of core security aspects like SQL and output escaping is commendable, the presence of unprotected AJAX endpoints is a critical weakness. This significantly elevates the risk profile. The lack of historical vulnerabilities is a positive sign but does not negate the current identified security flaws. Addressing the unprotected AJAX handlers should be the highest priority to improve the overall security of the plugin.

Key Concerns

AJAX handlers without authentication checks
AJAX handlers without capability checks
External HTTP requests

Vulnerabilities

None known

Understory Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 16, 2026

Understory Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

203 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

100% escaped204 total outputs

Attack Surface

4 unprotected

Understory Attack Surface

Entry Points10

Unprotected4

AJAX Handlers 6

authwp_ajax_understory_availability_elementor_get_experiences_by_storefrontincludes\elementor\class-availability-elementor.php:21

authwp_ajax_understory_get_experiences_by_storefrontincludes\elementor\class-booking-elementor.php:19

authwp_ajax_understory_availability_block_get_experiences_by_storefrontincludes\gutenberg\class-availability-block.php:19

authwp_ajax_understory_gutenberg_get_experiences_by_storefrontincludes\gutenberg\class-booking-block.php:17

authwp_ajax_render_experiences_previewincludes\gutenberg\class-experiences-block.php:17

noprivwp_ajax_render_experiences_previewincludes\gutenberg\class-experiences-block.php:18

Shortcodes 4

[understory_availability] includes\shortcodes\class-availability-shortcode.php:13

[understory_booking] includes\shortcodes\class-booking-shortcode.php:11

[understory_experiences] includes\shortcodes\class-experiences-shortcode.php:14

[understory_gift_card] includes\shortcodes\class-gift-card-shortcode.php:11

WordPress Hooks 32

actionadmin_menuincludes\class-understory-settings.php:15

actionadmin_initincludes\class-understory-settings.php:16

actionadmin_enqueue_scriptsincludes\class-understory-settings.php:18

actionadmin_enqueue_scriptsincludes\class-understory-settings.php:19

actionadmin_initincludes\class-understory-settings.php:22

actionadmin_noticesincludes\class-understory-settings.php:25

actionplugins_loadedincludes\elementor\class-availability-elementor.php:18

actionelementor/widgets/widgets_registeredincludes\elementor\class-availability-elementor.php:31

actionelementor/editor/after_enqueue_scriptsincludes\elementor\class-availability-elementor.php:33

actionelementor/preview/enqueue_stylesincludes\elementor\class-availability-elementor.php:36

actionplugins_loadedincludes\elementor\class-booking-elementor.php:15

actionelementor/widgets/widgets_registeredincludes\elementor\class-booking-elementor.php:28

actionelementor/editor/after_enqueue_scriptsincludes\elementor\class-booking-elementor.php:31

actionelementor/preview/enqueue_stylesincludes\elementor\class-booking-elementor.php:38

actionwp_enqueue_scriptsincludes\elementor\class-booking-elementor.php:42

actionplugins_loadedincludes\elementor\class-experiences-elementor.php:15

actionelementor/widgets/widgets_registeredincludes\elementor\class-experiences-elementor.php:24

actionelementor/preview/enqueue_stylesincludes\elementor\class-experiences-elementor.php:31

actionelementor/frontend/after_enqueue_stylesincludes\elementor\class-experiences-elementor.php:41

actionplugins_loadedincludes\elementor\class-gift-card-elementor.php:15

actionelementor/widgets/widgets_registeredincludes\elementor\class-gift-card-elementor.php:24

actionelementor/editor/after_enqueue_scriptsincludes\elementor\class-gift-card-elementor.php:27

actionelementor/preview/enqueue_stylesincludes\elementor\class-gift-card-elementor.php:34

actionwp_enqueue_scriptsincludes\elementor\class-gift-card-elementor.php:38

actioninitincludes\gutenberg\class-availability-block.php:14

actionenqueue_block_editor_assetsincludes\gutenberg\class-availability-block.php:16

actioninitincludes\gutenberg\class-booking-block.php:12

actionenqueue_block_editor_assetsincludes\gutenberg\class-booking-block.php:14

actioninitincludes\gutenberg\class-experiences-block.php:14

actionenqueue_block_editor_assetsincludes\gutenberg\class-experiences-block.php:16

actioninitincludes\gutenberg\class-gift-card-block.php:12

actionenqueue_block_editor_assetsincludes\gutenberg\class-gift-card-block.php:14

Maintenance & Trust

Understory Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5

Last updatedFeb 27, 2026

PHP min version7.0

Downloads3K

Community Trust

Rating0/100

Number of ratings0

Active installs90

Alternatives

Understory Alternatives

Rezgo Online Booking

rezgo

Sell your tours, activities, and events on your WordPress website using Rezgo.

200 4 CVEs

BA Book Everything

ba-book-everything

The really fast and powerful Booking engine for theme/site developers to create any booking or rental sites (tours, cars, events, apartments, yachts)

10K 9 CVEs

indexic aReservation

indexic-areservation

Easily integrate Indexic's aReservation Tour Booking and Rental Reservation Software into your WordPress website. You can add booking buttons wi …

60 No CVEs

ZOOZA

zooza

100

This plugin enables integration of Zooza widgets to your website. An existing Zooza account is required for this plugin to work.

50 No CVEs

WP Travel MapQuest

wp-travel-mapquest

100

A simple map addon to WP Travel plugin which can be used in place of Google Map.

20 No CVEs

Developer Profile

Understory Developer Profile

Understory

1 plugin · 90 total installs

trust score

Avg Security Score

100/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect Understory

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/understory/assets/css/admin.css/wp-content/plugins/understory/assets/js/admin.js

Version Parameters

understory/style.css?ver=understory/admin.css?ver=understory/admin.js?ver=

HTML / DOM Fingerprints

CSS Classes

understory-settings-page

Data Attributes

data-understory-company-iddata-understory-storefront-id

JS Globals

Understory

Shortcode Output

[understory_booking][understory_gift_card]

FAQ