WP-Safety

User Last Visit Security & Risk Analysis

wordpress.org/plugins/user-last-visit

The plugin keeps record on each user last visit time using logged-in status, user ID and user meta data. Multisite compatible.

30 active installs v1.0 PHP + WP 3.8+ Updated Dec 11, 2016
logged-inmultisiterecorduservisit
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Download
Safety Verdict

Is User Last Visit Safe to Use in 2026?

Generally Safe

Score 85/100

User Last Visit has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 9yr ago
Risk Assessment

The "user-last-visit" v1.0 plugin exhibits a mixed security posture. On the positive side, it demonstrates good practices by avoiding dangerous functions, not executing raw SQL queries, and not making external HTTP requests. The presence of nonce checks and a lack of reported historical vulnerabilities suggest a developer who is at least somewhat security-aware. However, significant concerns arise from the attack surface analysis. A single AJAX handler is present and lacks any authentication checks, presenting a direct pathway for unauthorized actions. Furthermore, the taint analysis indicates flows with unsanitized paths, although no critical or high severity issues were identified in this specific analysis, the presence of such flows coupled with unprotected entry points is worrying. The plugin's current state, with its unprotected AJAX endpoint and unsanitized path flows, requires immediate attention despite the absence of known CVEs.

Key Concerns

  • AJAX handler without auth checks
  • Taint flows with unsanitized paths
  • Low output escaping percentage
  • Capability checks are missing
Vulnerabilities
None known

User Last Visit Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

User Last Visit Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
12
8 escaped
Nonce Checks
2
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

40% escaped20 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

4 flows2 with unsanitized paths
refresh_page (includes\ulv-admin.class.php:193)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
1 unprotected

User Last Visit Attack Surface

Entry Points1
Unprotected1

AJAX Handlers 1

authwp_ajax_ulv_user_previewincludes\ulv-ajax-cb.php:10
WordPress Hooks 10
actionadmin_menuincludes\ulv-admin.class.php:18
actioninitincludes\ulv-admin.class.php:19
actionadmin_enqueue_scriptsincludes\ulv-admin.class.php:20
actionadmin_print_scriptsincludes\ulv-admin.class.php:21
filtermanage_users_columnsincludes\ulv-admin.class.php:22
filtermanage_users_custom_columnincludes\ulv-admin.class.php:23
filterulv-can-recordincludes\ulv-public.class.php:34
actionplugins_loadedincludes\ulv-public.class.php:35
actionwp_loadedincludes\user-last-visit.class.php:13
actionplugins_loadedmain.php:26
Maintenance & Trust

User Last Visit Maintenance & Trust

Maintenance Signals

WordPress version tested4.2.39
Last updatedDec 11, 2016
PHP min version
Downloads2K

Community Trust

Rating90/100
Number of ratings2
Active installs30
Alternatives

User Last Visit Alternatives

User Switching

User Switching

user-switching

A
100

Instant switching between user accounts in WordPress and WooCommerce.

200K No CVEs
When Last Login

When Last Login

when-last-login

A
100

Show a users last login date by creating a sortable column in your WordPress users list.

50K 1 CVE
Delete Me

Delete Me

delete-me

A
92

Allow users with specific WordPress roles to delete themselves from the Your Profile page or anywhere Shortcodes can be used.

8K 1 CVE
Require Login for WooCommerce

Require Login for WooCommerce

woo-for-logged-users

A
100

Set the WooCommerce Shop only for logged-in users. Just activate the plugin.

2K No CVEs
User Access Shortcodes

User Access Shortcodes

user-access-shortcodes

A
100

The simplest way of controlling who sees what in your posts/pages. Restrict content to logged in users only (or guests, or by roles) with simple short …

1K No CVEs
Developer Profile

User Last Visit Developer Profile

CNHK SYSTEMS

3 plugins · 80 total installs

84
trust score
Avg Security Score
85/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect User Last Visit

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/user-last-visit/assets/js/admin-page.js/wp-content/plugins/user-last-visit/assets/css/admin-page.css
Script Paths
/wp-content/plugins/user-last-visit/assets/js/admin-page.js
Version Parameters
user-last-visit/assets/js/admin-page.js?ver=user-last-visit/assets/css/admin-page.css?ver=

HTML / DOM Fingerprints

Data Attributes
data-ulv-id
JS Globals
ulvAllLoginsulvSettingsText
FAQ

Frequently Asked Questions about User Last Visit