Does User Post Collections have any unpatched vulnerabilities?

No. All known vulnerabilities in User Post Collections have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is User Post Collections compatible with WordPress 6.9.4?

According to WordPress.org data, User Post Collections 0.9.2 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

Is User Post Collections compatible with PHP 7.0+?

User Post Collections requires PHP 7.0 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is User Post Collections updated?

User Post Collections was last updated on Dec 8, 2025. Frequent updates are generally a positive security signal.

What is User Post Collections's security score?

User Post Collections has a WP-Safety security score of 100/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

User Post Collections Security & Risk Analysis

wordpress.org/plugins/user-post-collections

Create & share lists with post types like posts, pages, products, etc. Build classic lists (Favorites, Bookmarks) and polls and cart lists and more.

10 active installs v0.9.2 PHP 7.0+ WP 4.9.6+ Updated Dec 8, 2025

post-collectionsuser-listswoocommerce-wishlist

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is User Post Collections Safe to Use in 2026?

Generally Safe

Score 100/100

User Post Collections has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 3mo ago

Risk Assessment

The 'user-post-collections' plugin v0.9.2 exhibits a mixed security posture. On the positive side, it demonstrates good practices with a high percentage of prepared statements for SQL queries and properly escaped output, indicating a solid foundation in preventing common web vulnerabilities. The absence of dangerous functions, file operations, and external HTTP requests further reduces the potential attack surface. The plugin also has no recorded vulnerability history, which is a strong indicator of a well-maintained and secure codebase over time.

However, there are significant concerns regarding the plugin's attack surface. The analysis reveals 3 out of 5 entry points lack proper authentication or permission checks. Specifically, 2 AJAX handlers and 1 REST API route are unprotected, meaning any unauthenticated user could potentially trigger these functionalities. This is a critical weakness that could be exploited to perform unintended actions or reveal sensitive information. The lack of nonce checks on these entry points exacerbates this risk, making it easier for attackers to initiate these unprotected actions.

In conclusion, while the plugin benefits from strong internal coding practices and a clean vulnerability history, the exposed and unprotected entry points present a substantial immediate risk. The absence of critical or high severity taint flows is reassuring, but the identified weaknesses in authentication and authorization for AJAX and REST API endpoints are serious enough to warrant careful consideration and prompt remediation.

Key Concerns

2 AJAX handlers without auth checks
1 REST API route without permission callbacks
0 Nonce checks

Vulnerabilities

None known

User Post Collections Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 16, 2026

User Post Collections Code Analysis

Dangerous Functions

Raw SQL Queries

56 prepared

Unescaped Output

268 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

92% prepared61 total queries

Output Escaping

95% escaped282 total outputs

Attack Surface

3 unprotected

User Post Collections Attack Surface

Entry Points5

Unprotected3

AJAX Handlers 2

noprivwp_ajax_mg_upc_userclasses\user-post-collections.php:42

authwp_ajax_mg_upc_userclasses\user-post-collections.php:43

REST API Routes 1

GET/wp-json/mg-upc/v1/cartcontrollers\mg-upc-woocommerce.php:46

Shortcodes 2

[user_post_collection] controllers\mg-list-page-alt.php:50

[user_posts_collections] includes\mg-upc-shortcode.php:12

WordPress Hooks 102

actionmg_upc_votealt-models\mg-list-model.php:36

actionmg_upc_remove_itemalt-models\mg-list-model.php:37

actionmg_upc_add_itemalt-models\mg-list-model.php:38

actionmg_upc_item_movealt-models\mg-list-model.php:39

actionmg_upc_update_item_descriptionalt-models\mg-list-model.php:40

actionmg_upc_votealt-models\mg-list-votes-model.php:23

filtermg_upc_settings_sectionsclasses\mg-list-page-alt-settings.php:18

filtermg_upc_settings_fieldsclasses\mg-list-page-alt-settings.php:19

actionsave_post_pageclasses\mg-list-page-alt-settings.php:20

filterdisplay_post_statesclasses\mg-list-page-alt-settings.php:23

actiondelete_userclasses\mg-upc-database.php:7

actionwpmu_delete_userclasses\mg-upc-database.php:8

actionrest_api_initclasses\mg-upc-rest-api.php:7

actionadmin_menuclasses\mg-upc-settings.php:35

actionadmin_initclasses\mg-upc-settings.php:36

actionwp_enqueue_scriptsclasses\user-post-collections.php:237

actionadmin_enqueue_scriptsclasses\user-post-collections.php:238

actionwpmu_new_blogclasses\user-post-collections.php:240

actioninitclasses\user-post-collections.php:241

actioninitclasses\user-post-collections.php:242

filtermg_upc_base_urlcontrollers\mg-list-page-alt.php:14

filterquery_varscontrollers\mg-list-page-alt.php:24

filterwpseo_titlecontrollers\mg-list-page-alt.php:30

filterwpseo_opengraph_titlecontrollers\mg-list-page-alt.php:31

filterpre_get_document_titlecontrollers\mg-list-page-alt.php:32

filterthe_titlecontrollers\mg-list-page-alt.php:33

filterwpseo_metadesccontrollers\mg-list-page-alt.php:36

filterwpseo_opengraph_desccontrollers\mg-list-page-alt.php:37

filterwpseo_canonicalcontrollers\mg-list-page-alt.php:40

filterwpseo_opengraph_urlcontrollers\mg-list-page-alt.php:41

filterprepare_list_data_for_responsecontrollers\mg-list-page-alt.php:42

filtermg_upc_get_the_permalinkcontrollers\mg-list-page-alt.php:43

filtermg_upc_list_urlcontrollers\mg-list-page-alt.php:44

filterwpseo_add_opengraph_imagescontrollers\mg-list-page-alt.php:47

filtertemplate_includecontrollers\mg-list-page-alt.php:54

actionparse_requestcontrollers\mg-list-page-alt.php:58

actiontemplate_redirectcontrollers\mg-list-page-alt.php:61

filterwpseo_json_ld_outputcontrollers\mg-list-page-alt.php:146

filterthe_titlecontrollers\mg-list-page-alt.php:449

filterthe_contentcontrollers\mg-upc-buttons.php:10

actionmg_upc_cron_maintenancecontrollers\mg-upc-cron.php:45

actioninitcontrollers\mg-upc-cron.php:47

actionmg_upc_loadedcontrollers\mg-upc-list-controller.php:17

filterprotected_title_formatcontrollers\mg-upc-list-controller.php:429

actioninitcontrollers\mg-upc-woocommerce.php:8

actionrest_api_initcontrollers\mg-upc-woocommerce.php:10

filterwoocommerce_account_menu_itemscontrollers\mg-upc-woocommerce.php:12

filterwoocommerce_get_query_varscontrollers\mg-upc-woocommerce.php:13

actionwoocommerce_account_my-lists_endpointcontrollers\mg-upc-woocommerce.php:14

filterwoocommerce_endpoint_my-lists_titlecontrollers\mg-upc-woocommerce.php:15

filtermg_upc_api_schema_itemcontrollers\mg-upc-woocommerce.php:139

filtermg_upc_before_list_type_options_saved_setcontrollers\mg-upc-woocommerce.php:142

filterregister_list_type_argscontrollers\mg-upc-woocommerce.php:155

actionwoocommerce_after_add_to_cart_formcontrollers\mg-upc-woocommerce.php:171

actionwoocommerce_before_add_to_cart_formcontrollers\mg-upc-woocommerce.php:173

actionwoocommerce_single_product_summarycontrollers\mg-upc-woocommerce.php:175

actionwoocommerce_product_meta_endcontrollers\mg-upc-woocommerce.php:177

actionwoocommerce_after_shop_loop_itemcontrollers\mg-upc-woocommerce.php:182

actionwoocommerce_after_shop_loop_itemcontrollers\mg-upc-woocommerce.php:184

actionwoocommerce_before_shop_loop_itemcontrollers\mg-upc-woocommerce.php:186

actionwoocommerce_shop_loop_item_titlecontrollers\mg-upc-woocommerce.php:188

filtermg_upc_settings_sectionscontrollers\mg-upc-woocommerce.php:191

filtermg_upc_settings_fieldscontrollers\mg-upc-woocommerce.php:192

filtermg_post_item_product_variation_for_responsecontrollers\mg-upc-woocommerce.php:197

filtermg_post_item_product_for_responsecontrollers\mg-upc-woocommerce.php:198

filtermg_upc_pre_add_itemcontrollers\mg-upc-woocommerce.php:1012

actioninitincludes\admin-notice-helper\admin-notice-helper.php:47

actionadmin_noticesincludes\admin-notice-helper\admin-notice-helper.php:55

actionshutdownincludes\admin-notice-helper\admin-notice-helper.php:56

filtermap_meta_capincludes\mg-upc-list-type.php:281

actionadmin_enqueue_scriptsincludes\mg-upc-settings-api.php:66

filterquery_varsincludes\mg-upc-shortcode.php:13

actionmg_upc_items_pagination_argsincludes\mg-upc-shortcode.php:124

actionmg_upc_single_list_contentincludes\template-hooks.php:12

actionmg_upc_single_list_contentincludes\template-hooks.php:13

actionmg_upc_single_list_contentincludes\template-hooks.php:14

actionmg_upc_single_list_contentincludes\template-hooks.php:15

actionmg_upc_single_list_contentincludes\template-hooks.php:16

actionmg_upc_single_list_contentincludes\template-hooks.php:17

actionmg_upc_after_single_list_contentincludes\template-hooks.php:18

actionmg_upc_single_list_item_before_first_childincludes\template-hooks.php:30

actionmg_upc_single_list_item_after_descriptionincludes\template-hooks.php:31

actionmg_upc_single_list_item_after_titleincludes\template-hooks.php:32

actionmg_upc_single_list_item_after_titleincludes\template-hooks.php:33

actionmg_upc_single_list_item_after_dataincludes\template-hooks.php:34

actionmg_upc_single_list_item_actionincludes\template-hooks.php:35

actionmg_upc_single_list_item_actionincludes\template-hooks.php:36

actionmg_upc_single_product_buttonsincludes\template-hooks.php:37

actionmg_upc_loop_product_buttonsincludes\template-hooks.php:40

actionmg_upc_no_items_foundincludes\template-hooks.php:47

actionmg_upc_before_main_contentincludes\template-hooks.php:55

actionmg_upc_after_main_contentincludes\template-hooks.php:56

actionmg_upc_loop_single_list_contentincludes\template-hooks.php:70

actionmg_upc_loop_single_list_contentincludes\template-hooks.php:71

actionmg_upc_loop_single_list_contentincludes\template-hooks.php:72

actionmg_upc_loop_single_list_contentincludes\template-hooks.php:73

actionmg_upc_loop_single_list_contentincludes\template-hooks.php:74

actionmg_upc_loop_single_list_contentincludes\template-hooks.php:75

actionmg_upc_loop_single_list_contentincludes\template-hooks.php:76

actionmg_upc_after_archive_contentincludes\template-hooks.php:77

actionmg_upc_loop_emptyincludes\template-hooks.php:84

actionadmin_noticesuser-post-collections.php:117

Scheduled Events 1

mg_upc_cron_maintenance

Maintenance & Trust

User Post Collections Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedDec 8, 2025

PHP min version7.0

Downloads2K

Community Trust

Rating100/100

Number of ratings2

Active installs10

Alternatives

User Post Collections Alternatives

YITH WooCommerce Wishlist

yith-woocommerce-wishlist

YITH WooCommerce Wishlist add all Wishlist features to your website. Needs WooCommerce to work. WooCommerce 10.6.x compatible.

500K 6 CVEs

TI WooCommerce Wishlist

ti-woocommerce-wishlist

Boost your sales with a free WooCommerce Wishlist feature. Let your customers save and share their favorite products!

100K 9 CVEs

WCBoost – Wishlist

wcboost-wishlist

100

WCBoost - Wishlist lets shoppers create wishlists for later purchases, reminding them of desired items, driving repeat visits and boost sales.

30K No CVEs

QODE Wishlist for WooCommerce

qode-wishlist-for-woocommerce

Qode Wishlist for WooCommerce plugin is the ideal toolkit for letting your visitors save & share comprehensive lists with their products of interest.

10K 1 CVE

MoreConvert Wishlist for WooCommerce

smart-wishlist-for-more-convert

Free: WooCommerce Wishlist, Email automation, Elementor and Premium: Back-in-Stock Notifier, Save For Later, Multi-lists, reports, Email Marketing

9K 6 CVEs

Developer Profile

User Post Collections Developer Profile

Mauricio Galetto

2 plugins · 10 total installs

trust score

Avg Security Score

93/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect User Post Collections

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/user-post-collections/css/admin.css/wp-content/plugins/user-post-collections/javascript/mg-upc-client/dist/css/styles.css/wp-content/plugins/user-post-collections/javascript/mg-upc-client/dist/admin.js/wp-content/plugins/user-post-collections/javascript/mg-upc-client/dist/main.js/wp-content/plugins/user-post-collections/javascript/Sortable.min.js

Script Paths

/wp-content/plugins/user-post-collections/javascript/mg-upc-client/dist/main.js/wp-content/plugins/user-post-collections/javascript/mg-upc-client/dist/admin.js/wp-content/plugins/user-post-collections/javascript/Sortable.min.js

Version Parameters

user-post-collections/javascript/mg-upc-client/dist/css/styles.css?ver=user-post-collections/javascript/mg-upc-client/dist/admin.js?ver=user-post-collections/javascript/mg-upc-client/dist/main.js?ver=user-post-collections/css/admin.css?ver=

HTML / DOM Fingerprints

CSS Classes

mg-upc-list-admin-page

Data Attributes

data-upc-list-iddata-upc-list-type-id

JS Globals

mg_upc_paramsUserPostCollectionsMG_UPC_HelperMG_UPC_List_Types_RegisterMG_UPC_List_ControllerMG_UPC_List_Page+6 more

REST Endpoints

/wp-json/mg-upc/v1/list/wp-json/mg-upc/v1/list-items/wp-json/mg-upc/v1/users

Shortcode Output

[user_post_collections_list][user_post_collections]

FAQ