UpStream: a Project Management Plugin for WordPress Security & Risk Analysis

wordpress.org/plugins/upstream

UpStream is a free but very powerful project management plugin for WordPress.

700 active installs · v2.1.1 · PHP 5.6.20+ · WP 5.2+ · Updated Sep 17, 2025

Tags: manage, management, project, project-management, project-manager

Score: 78 · B · Generally Safe
CVEs total: 1
Unpatched: 1
Last CVE: Jun 19, 2025
Safety Verdict

Is UpStream: a Project Management Plugin for WordPress Safe to Use in 2026?

Mostly Safe

Score 78/100

UpStream: a Project Management Plugin for WordPress is generally safe to use. 1 past CVE was resolved. Keep it updated.

1 known CVE · 1 unpatched · Last CVE: Jun 19, 2025 · Updated 6mo ago
Risk Assessment

The 'upstream' plugin v2.1.1 exhibits a mixed security posture. While it demonstrates good practices like extensive use of prepared statements for SQL queries and proper output escaping, there are several areas of concern. The presence of 4 AJAX handlers without authentication checks significantly expands the attack surface and represents a direct vulnerability pathway.

Static analysis reveals a critical taint flow with unsanitized paths, indicating potential for malicious data to be processed without proper validation. The use of the dangerous `unserialize` function, especially in conjunction with unsanitized inputs, could lead to remote code execution vulnerabilities. The vulnerability history, with one medium severity CVE from 2025-06-19, specifically mentioning missing authorization, aligns with the identified unprotected AJAX handlers, suggesting a recurring pattern of authorization oversight.

Overall, the plugin has strengths in data handling (SQL, output escaping), but the unprotected entry points and critical taint flow, combined with past authorization issues, necessitate caution. The risk is elevated due to the potential for exploitation of these unprotected handlers and the critical taint flow.

Key Concerns

  • Unprotected AJAX handlers
  • Critical severity taint flow
  • Use of dangerous unserialize function
  • Unpatched medium severity CVE
  • Flows with unsanitized paths
Vulnerabilities: 1

UpStream: a Project Management Plugin for WordPress Security Vulnerabilities

CVEs by Year

2025: 1 CVE (unpatched)

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2025-49974 · medium · CVSS 4.3 · Missing Authorization

UpStream: a Project Management Plugin for WordPress <= 2.1.0 - Missing Authorization

Jun 19, 2025 · Unpatched
Code Analysis
Analyzed Mar 16, 2026

UpStream: a Project Management Plugin for WordPress Code Analysis

  • Dangerous Functions: 4
  • Raw SQL Queries: 2 (27 prepared)
  • Unescaped Output: 56 (1423 escaped)
  • Nonce Checks: 49
  • Capability Checks: 25
  • File Operations: 7
  • External Requests: 2
  • Bundled Libraries: 1

Dangerous Functions Found

  • unserialize · `$arr = unserialize( $m['_upstream_new_client_users'][0] );` · includes\model\class-upstream-model-client.php:80
  • unserialize · `$arr = isset( $m['_upstream_project_client_users'][0] ) ? unserialize( $m['_upstream_project_client_` · includes\model\class-upstream-model-project.php:118
  • unserialize · `$arr = isset( $m['_upstream_project_members'][0] ) ? unserialize( $m['_upstream_project_members'][0]` · includes\model\class-upstream-model-project.php:124
  • unserialize · `$metavalue = unserialize( $users[0]->meta_value );` · includes\up-general-functions.php:492

Bundled Libraries

jQuery

SQL Query Safety

93% prepared · 29 total queries

Output Escaping

96% escaped · 1479 total outputs

Data Flows: 4 unsanitized

Data Flow Analysis

8 flows · 4 with unsanitized paths

Flow: <class-comments> (includes\class-comments.php:0)

Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface: 4 unprotected

UpStream: a Project Management Plugin for WordPress Attack Surface

Entry Points: 23
Unprotected: 4

AJAX Handlers (23)

  • auth · wp_ajax_upstream:project.get_all_items_comments · includes\admin\class-upstream-admin.php:50
  • auth · wp_ajax_upstream.milestone-edit.editmenuorder · includes\admin\class-upstream-admin.php:73
  • auth · wp_ajax_upstream.task-edit.gettaskpercent · includes\admin\class-upstream-admin.php:74
  • auth · wp_ajax_upstream.task-edit.gettaskstatus · includes\admin\class-upstream-admin.php:75
  • auth · wp_ajax_upstream_admin_ajax_get_clients_users · includes\admin\metaboxes\metabox-functions.php:1352
  • auth · wp_ajax_upstream_admin_reset_capabilities · includes\admin\options\class-upstream-options-general.php:69
  • auth · wp_ajax_upstream_admin_refresh_projects_meta · includes\admin\options\class-upstream-options-general.php:70
  • auth · wp_ajax_upstream_admin_cleanup_update_cache · includes\admin\options\class-upstream-options-general.php:71
  • auth · wp_ajax_upstream_admin_migrate_milestones_get_projects · includes\admin\options\class-upstream-options-general.php:72
  • auth · wp_ajax_upstream_admin_migrate_milestones_for_project · includes\admin\options\class-upstream-options-general.php:76
  • auth · wp_ajax_upstream_admin_import_file_prepare · includes\admin\options\class-upstream-options-general.php:81
  • auth · wp_ajax_upstream_admin_import_file_section · includes\admin\options\class-upstream-options-general.php:82
  • auth · wp_ajax_upstream_admin_signup · includes\admin\options\class-upstream-options-general.php:83
  • auth · wp_ajax_upstream:project.add_comment · includes\class-comments.php:60
  • auth · wp_ajax_upstream:project.add_comment_reply · includes\class-comments.php:61
  • auth · wp_ajax_upstream:project.trash_comment · includes\class-comments.php:62
  • auth · wp_ajax_upstream:project.unapprove_comment · includes\class-comments.php:63
  • auth · wp_ajax_upstream:project.approve_comment · includes\class-comments.php:64
  • auth · wp_ajax_upstream:project.fetch_comments · includes\class-comments.php:65
  • auth · wp_ajax_upstream_ordering_update · includes\frontend\class-upstream-ajax.php:35
  • auth · wp_ajax_upstream_collapse_update · includes\frontend\class-upstream-ajax.php:36
  • auth · wp_ajax_upstream_panel_order_update · includes\frontend\class-upstream-ajax.php:37
  • auth · wp_ajax_upstream_report_data · includes\frontend\class-upstream-ajax.php:38
WordPress Hooks (160)

  • action · init · class-upstream.php:111
  • filter · plugin_row_meta · class-upstream.php:112
  • filter · plugin_action_links_upstream/upstream.php · class-upstream.php:113
  • filter · http_request_host_is_external · class-upstream.php:114
  • filter · quicktags_settings · class-upstream.php:115
  • filter · tiny_mce_before_init · class-upstream.php:116
  • filter · tiny_mce_before_init · class-upstream.php:117
  • filter · teeny_mce_before_init · class-upstream.php:118
  • filter · comments_clauses · class-upstream.php:119
  • filter · views_dashboard · class-upstream.php:120
  • action · plugins_loaded · class-upstream.php:121
  • action · admin_init · class-upstream.php:124
  • filter · admin_init · class-upstream.php:398
  • filter · admin_head · class-upstream.php:399
  • action · admin_bar_menu · class-upstream.php:400
  • filter · set-screen-option · includes\admin\class-upstream-admin-bugs-page.php:43
  • action · admin_menu · includes\admin\class-upstream-admin-bugs-page.php:44
  • action · plugins_loaded · includes\admin\class-upstream-admin-bugs-page.php:1062
  • filter · manage_client_posts_columns · includes\admin\class-upstream-admin-client-columns.php:56
  • action · manage_client_posts_custom_column · includes\admin\class-upstream-admin-client-columns.php:57
  • action · cmb2_admin_init · includes\admin\class-upstream-admin-metaboxes.php:30
  • filter · cmb2_override_meta_value · includes\admin\class-upstream-admin-metaboxes.php:31
  • filter · cmb2_override_meta_save · includes\admin\class-upstream-admin-metaboxes.php:32
  • filter · cmb2_save_field__upstream_project_start · includes\admin\class-upstream-admin-metaboxes.php:33
  • filter · cmb2_save_field__upstream_project_end · includes\admin\class-upstream-admin-metaboxes.php:34
  • action · admin_init · includes\admin\class-upstream-admin-options.php:96
  • action · admin_menu · includes\admin\class-upstream-admin-options.php:97
  • filter · cmb2_set_options · includes\admin\class-upstream-admin-options.php:99
  • filter · allex_upgrade_show_sidebar_ad · includes\admin\class-upstream-admin-options.php:100
  • filter · admin_notices · includes\admin\class-upstream-admin-pointers.php:21
  • filter · admin_notices · includes\admin\class-upstream-admin-pointers.php:22
  • filter · upstream_admin_pointers-project · includes\admin\class-upstream-admin-pointers.php:23
  • filter · upstream_admin_pointers-edit-project · includes\admin\class-upstream-admin-pointers.php:24
  • action · admin_enqueue_scripts · includes\admin\class-upstream-admin-pointers.php:25
  • filter · manage_project_posts_columns · includes\admin\class-upstream-admin-project-columns.php:64
  • action · manage_project_posts_custom_column · includes\admin\class-upstream-admin-project-columns.php:65
  • filter · manage_edit-project_sortable_columns · includes\admin\class-upstream-admin-project-columns.php:68
  • filter · request · includes\admin\class-upstream-admin-project-columns.php:69
  • filter · request · includes\admin\class-upstream-admin-project-columns.php:70
  • filter · request · includes\admin\class-upstream-admin-project-columns.php:71
  • action · restrict_manage_posts · includes\admin\class-upstream-admin-project-columns.php:74
  • action · parse_query · includes\admin\class-upstream-admin-project-columns.php:75
  • action · admin_menu · includes\admin\class-upstream-admin-projects-menu.php:45
  • filter · custom_menu_order · includes\admin\class-upstream-admin-projects-menu.php:46
  • action · admin_head · includes\admin\class-upstream-admin-projects-menu.php:49
  • filter · parent_file · includes\admin\class-upstream-admin-projects-menu.php:52
  • filter · submenu_file · includes\admin\class-upstream-admin-projects-menu.php:53
  • action · admin_menu · includes\admin\class-upstream-admin-tasks-page.php:43
  • action · plugins_loaded · includes\admin\class-upstream-admin-tasks-page.php:929
  • action · init · includes\admin\class-upstream-admin.php:33
  • action · init · includes\admin\class-upstream-admin.php:34
  • filter · admin_body_class · includes\admin\class-upstream-admin.php:35
  • filter · ajax_query_attachments_args · includes\admin\class-upstream-admin.php:36
  • action · admin_menu · includes\admin\class-upstream-admin.php:37
  • action · show_user_profile · includes\admin\class-upstream-admin.php:39
  • action · edit_user_profile · includes\admin\class-upstream-admin.php:40
  • action · personal_options_update · includes\admin\class-upstream-admin.php:41
  • action · edit_user_profile_update · includes\admin\class-upstream-admin.php:42
  • filter · comment_status_links · includes\admin\class-upstream-admin.php:46
  • action · pre_get_comments · includes\admin\class-upstream-admin.php:47
  • action · cmb2_render_up_timestamp · includes\admin\class-upstream-admin.php:55
  • action · cmb2_sanitize_up_timestamp · includes\admin\class-upstream-admin.php:56
  • action · cmb2_render_up_button · includes\admin\class-upstream-admin.php:58
  • action · cmb2_sanitize_up_button · includes\admin\class-upstream-admin.php:59
  • action · cmb2_render_up_buttonsgroup · includes\admin\class-upstream-admin.php:61
  • action · cmb2_sanitize_up_buttonsgroup · includes\admin\class-upstream-admin.php:62
  • filter · cmb2_override_option_get_upstream_general · includes\admin\class-upstream-admin.php:64
  • action · add_meta_boxes · includes\admin\metaboxes\class-upstream-metaboxes-clients.php:129
  • action · edit_form_before_permalink · includes\admin\metaboxes\class-upstream-metaboxes-projects.php:72
  • action · edit_form_after_title · includes\admin\metaboxes\class-upstream-metaboxes-projects.php:75
  • action · cmb2_render_comments · includes\admin\metaboxes\class-upstream-metaboxes-projects.php:77
  • action · cmb2_render_select2 · includes\admin\metaboxes\class-upstream-metaboxes-projects.php:83
  • action · cmb2_sanitize_select2 · includes\admin\metaboxes\class-upstream-metaboxes-projects.php:88
  • action · post_edit_form_tag · includes\admin\metaboxes\class-upstream-metaboxes-projects.php:92
  • action · cmb2_render_upfs · includes\admin\metaboxes\class-upstream-metaboxes-projects.php:95
  • action · cmb2_sanitize_upfs · includes\admin\metaboxes\class-upstream-metaboxes-projects.php:99
  • action · cmb2_after_form · includes\admin\metaboxes\metabox-functions.php:146
  • filter · allex_addons · includes\admin\options\class-upstream-options-extensions.php:71
  • action · cmb2_render_upstream_extensions_wrapper · includes\admin\options\class-upstream-options-extensions.php:86
  • filter · allex_upgrade_link · includes\admin\options\class-upstream-options-extensions.php:93
  • action · allex_addon_update_license · includes\admin\options\class-upstream-options-extensions.php:94
  • filter · allex_addons_get_license_key · includes\admin\options\class-upstream-options-extensions.php:95
  • filter · allex_addons_get_license_status · includes\admin\options\class-upstream-options-extensions.php:96
  • filter · cmb2_render_labels · includes\admin\options\option-functions.php:114
  • action · admin_enqueue_scripts · includes\admin\up-enqueues.php:258
  • filter · cmb2_script_dependencies · includes\admin\up-enqueues.php:260
  • filter · comment_notification_subject · includes\class-comments.php:67
  • filter · comment_notification_recipients · includes\class-comments.php:68
  • filter · comment_notification_text · includes\class-comments.php:69
  • filter · upstream_allowed_tags_in_comments · includes\class-comments.php:71
  • filter · comment_notification_headers · includes\class-comments.php:72
  • filter · comment_notification_text · includes\class-comments.php:79
  • action · save_post · includes\class-milestone.php:329
  • action · save_post · includes\class-milestone.php:515
  • action · save_post · includes\class-milestone.php:849
  • action · before_upstream_init · includes\class-milestones.php:52
  • action · add_meta_boxes · includes\class-milestones.php:53
  • action · save_post · includes\class-milestones.php:54
  • filter · get_edit_post_link · includes\class-milestones.php:60
  • action · current_screen · includes\class-milestones.php:61
  • action · admin_bar_menu · includes\class-upstream-debug.php:113
  • action · admin_menu · includes\class-upstream-debug.php:116
  • action · wp_insert_post_data · includes\class-upstream-project-activity.php:53
  • action · wp_insert_post · includes\class-upstream-project.php:290
  • action · admin_menu · includes\class-upstream-roles.php:21
  • action · upstream_loaded · includes\frontend\class-upstream-style-output.php:19
  • action · upstream_footer_text · includes\frontend\class-upstream-style-output.php:58
  • action · upstream_before_single_message · includes\frontend\class-upstream-style-output.php:70
  • action · upstream_after_single_message · includes\frontend\class-upstream-style-output.php:71
  • filter · template_include · includes\frontend\class-upstream-template-loader.php:24
  • action · wp_enqueue_scripts · includes\frontend\up-enqueues.php:325
  • action · wp_enqueue_scripts · includes\frontend\up-enqueues.php:348
  • action · save_post · includes\up-client-functions.php:106
  • action · after_setup_theme · includes\up-cron-license-checker.php:32
  • filter · register_post_type_args · includes\up-cron-license-checker.php:60
  • action · admin_notices · includes\up-cron-license-checker.php:98
  • action · upstream_run · includes\up-cron-license-checker.php:114
  • action · upstream_update_data · includes\up-install.php:135
  • action · update_option_active_plugins · includes\up-install.php:235
  • action · update_option_active_plugins · includes\up-install.php:240
  • action · update_option_active_plugins · includes\up-install.php:245
  • action · update_option_active_plugins · includes\up-install.php:250
  • action · update_option_active_plugins · includes\up-install.php:255
  • action · update_option_active_plugins · includes\up-install.php:260
  • action · update_option_active_plugins · includes\up-install.php:265
  • action · update_option_active_plugins · includes\up-install.php:270
  • action · update_option_active_plugins · includes\up-install.php:275
  • action · update_option_active_plugins · includes\up-install.php:281
  • action · update_option_active_plugins · includes\up-install.php:287
  • action · update_option_active_plugins · includes\up-install.php:293
  • action · update_option_active_plugins · includes\up-install.php:299
  • action · update_option_active_plugins · includes\up-install.php:305
  • action · update_option_active_plugins · includes\up-install.php:311
  • action · update_option_active_plugins · includes\up-install.php:317
  • action · wp_insert_site · includes\up-install.php:669
  • action · wpmu_new_blog · includes\up-install.php:696
  • action · admin_init · includes\up-install.php:732
  • action · admin_notices · includes\up-install.php:767
  • action · admin_notices · includes\up-install.php:1040
  • action · admin_init · includes\up-install.php:1090
  • action · init · includes\up-install.php:1109
  • filter · enter_title_here · includes\up-labels.php:356
  • filter · post_updated_messages · includes\up-labels.php:489
  • filter · bulk_post_updated_messages · includes\up-labels.php:662
  • filter · admin_notices · includes\up-labels.php:682
  • action · admin_init · includes\up-permalinks.php:13
  • action · admin_init · includes\up-permalinks.php:14
  • action · init · includes\up-post-types.php:164
  • action · init · includes\up-post-types.php:379
  • action · upst_milestone_category_add_form_fields · includes\up-post-types.php:427
  • action · upst_milestone_category_edit_form_fields · includes\up-post-types.php:428
  • action · edit_terms · includes\up-post-types.php:429
  • action · create_term · includes\up-post-types.php:430
  • action · edit_form_top · includes\up-register-nonce-fields.php:52
  • filter · upstream_wcs_model_variable · includes\up-wcs-helper.php:57
  • action · init · templates\archive-project.php:44
  • action · wp_enqueue_scripts · templates\global\header.php:12
  • action · init · templates\report-display.php:34
  • action · init · templates\report-parameters.php:32
  • action · init · templates\single-project.php:37
Maintenance & Trust

UpStream: a Project Management Plugin for WordPress Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.8.5
  • Last updated: Sep 17, 2025
  • PHP min version: 5.6.20
  • Downloads: 96K

Community Trust

  • Rating: 84/100
  • Number of ratings: 74
  • Active installs: 700
Developer Profile

UpStream: a Project Management Plugin for WordPress Developer Profile

upstreamplugin

1 plugin · 700 total installs

Trust score: 79
Avg Security Score: 78/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect UpStream: a Project Management Plugin for WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/upstream/js/upstream.js
  • /wp-content/plugins/upstream/css/upstream.css
  • /wp-content/plugins/upstream/js/admin.js

Script Paths
  • /wp-content/plugins/upstream/js/upstream.js
  • /wp-content/plugins/upstream/js/admin.js

Version Parameters
  • upstream/style.css?ver=
  • upstream/js/upstream.js?ver=
  • upstream/js/admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • upstream-pointer-signup-box
  • upstream-pointer-email
  • upstream-pointer-b1

HTML Comments
  • <!-- IMPORTANT: -->
  • <!-- As this is your first project, we have included a walkthrough guide. -->
  • <!-- (you won't see this message or the guide again) -->
  • <!-- Important! -->
  • (3 more not shown)

Data Attributes
  • data-nonce="upstream_signup"
  • id="upstream-pointer-signup-box"
  • id="upstream-pointer-email"
  • id="upstream-pointer-b1"

JS Globals
  • window.upstream_signup
FAQ

Frequently Asked Questions about UpStream: a Project Management Plugin for WordPress