User Access Manager Security & Risk Analysis

wordpress.org/plugins/user-access-manager

With the "User Access Manager"-plugin you can manage the access to your posts, pages and files.

10K active installs · v2.3.11 · PHP 8.0+ · WP 4.7+ · Updated Jan 26, 2026
Tags: access, member-access, user-access-manager, user-management
Score: 98 · A · Safe
CVEs total: 4
Unpatched: 0
Last CVE: Aug 4, 2023

Safety Verdict

Is User Access Manager Safe to Use in 2026?

Generally Safe

Score 98/100

User Access Manager has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Aug 4, 2023 · Updated 2mo ago

Risk Assessment

The 'user-access-manager' plugin version 2.3.11 exhibits a mixed security posture. On the positive side, the static analysis reveals a very limited attack surface with no unprotected AJAX handlers, REST API routes, shortcodes, or cron events. This suggests that direct entry points for potential attackers are well-guarded. Furthermore, the plugin makes extensive use of prepared statements for SQL queries, which is a strong security practice.

However, several significant concerns emerge. The presence of a dangerous `unserialize` function without immediate context about its usage is a red flag, as deserialization vulnerabilities can be severe if not handled with extreme care. The most concerning aspect is the extremely low percentage of properly escaped output (1%), indicating a high likelihood of Cross-Site Scripting (XSS) vulnerabilities across various output mechanisms.

The vulnerability history further reinforces these concerns, with four previously disclosed CVEs, including one high-severity XSS and three medium-severity issues related to improper neutralization, use of less trusted sources, and CSRF. This pattern suggests a recurring struggle with input validation and output sanitization, despite efforts to secure SQL queries.

Key Concerns

  • Low percentage of properly escaped output (1%)
  • Presence of dangerous unserialize function
  • High severity CVE in vulnerability history
  • Multiple medium severity CVEs in history
  • Vulnerability history indicates recurring issues

Vulnerabilities: 4

User Access Manager Security Vulnerabilities

CVEs by Year

  • 2011: 1 CVE
  • 2017: 2 CVEs
  • 2023: 1 CVE

Severity Breakdown

  • High: 1
  • Medium: 3

4 total CVEs

CVE-2022-1601 · medium · 5.3 · Use of Less Trusted Source
User Access Manager <= 2.2.16 - IP Spoofing
Aug 4, 2023 · Patched in 2.2.18 (172d)

WF-5b3268c2-7cdd-4839-9859-42218d4d632b-user-access-manager · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
User Access Manager <= 1.2.14 - Reflected Cross-Site Scripting
Sep 5, 2017 · Patched in 2.0.0 (2331d)

WF-7c6e233f-c612-4625-8097-0637e976190d-user-access-manager · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
User Access Manager <= 2.0.8 - Reflected Cross-Site Scripting
Sep 5, 2017 · Patched in 2.0.9 (2331d)

CVE-2011-5328 · high · 8.8 · Cross-Site Request Forgery (CSRF)
User Access Manager < 1.2 - Cross-Site Request Forgery
Oct 11, 2011 · Patched in 1.2 (4487d)

Code Analysis
Analyzed Mar 16, 2026

User Access Manager Code Analysis

  • Dangerous Functions: 1
  • Raw SQL Queries: 3 (36 prepared)
  • Unescaped Output: 170 (1 escaped)
  • Nonce Checks: 1
  • Capability Checks: 1
  • File Operations: 30
  • External Requests: 0
  • Bundled Libraries: 0

Dangerous Functions Found

unserialize · src\Cache\FileSystemCacheProvider.php:173
    return unserialize(base64_decode(file_get_contents($cacheFile)));

SQL Query Safety

92% prepared · 39 total queries

Output Escaping

1% escaped · 171 total outputs

Attack Surface

User Access Manager Attack Surface

Entry Points: 0
Unprotected: 0

WordPress Hooks: 3
  • action · admin_notices · user-access-manager.php:45
  • action · admin_notices · user-access-manager.php:61
  • action · init · user-access-manager.php:80

Maintenance & Trust

User Access Manager Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Jan 26, 2026
  • PHP min version: 8.0
  • Downloads: 1.3M

Community Trust

  • Rating: 86/100
  • Number of ratings: 114
  • Active installs: 10K

Developer Profile

User Access Manager Developer Profile

gm_alex

2 plugins · 10K total installs

  • Trust score: 73
  • Avg Security Score: 92/100
  • Avg Patch Time: 2330 days
Detection Fingerprints

How We Detect User Access Manager

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/user-access-manager/assets/css/backend/user-access-manager.css
  • /wp-content/plugins/user-access-manager/assets/css/frontend/user-access-manager.css
  • /wp-content/plugins/user-access-manager/assets/js/backend/user-access-manager.js
  • /wp-content/plugins/user-access-manager/assets/js/frontend/user-access-manager.js
  • /wp-content/plugins/user-access-manager/assets/js/vendor/jquery/jquery.js
Script Paths
  • /wp-content/plugins/user-access-manager/assets/js/backend/user-access-manager.js
  • /wp-content/plugins/user-access-manager/assets/js/frontend/user-access-manager.js
Version Parameters
  • user-access-manager/assets/css/backend/user-access-manager.css?ver=
  • user-access-manager/assets/css/frontend/user-access-manager.css?ver=
  • user-access-manager/assets/js/backend/user-access-manager.js?ver=
  • user-access-manager/assets/js/frontend/user-access-manager.js?ver=

HTML / DOM Fingerprints

CSS Classes
uam_user_group
HTML Comments
<!-- BOF -->
<!-- Not the best way to handle full user access. Capabilities seem -->
<!-- to be the right way, but it is way challenging. -->
Data Attributes
uam-access
JS Globals
uam_ajax_object
REST Endpoints
/wp-json/user-access-manager/v1/user
Shortcode Output
[uam_restrict_content]
FAQ

Frequently Asked Questions about User Access Manager