User Session Synchronizer Security & Risk Analysis

wordpress.org/plugins/user-session-synchronizer

Keep the user logged in from one WordPress to another by synchronizing user data and cookie session

100 active installs · v1.4.0 · PHP + · WP 4.3+ · Updated Jun 29, 2023
cookie · session · synchronizer · user
Score: 63 · C · Use Caution
CVEs total: 1
Unpatched: 1
Last CVE: Apr 9, 2025
Safety Verdict

Is User Session Synchronizer Safe to Use in 2026?

Use With Caution

Score 63/100

User Session Synchronizer has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE · 1 unpatched · Last CVE: Apr 9, 2025 · Updated 2yr ago
Risk Assessment

The 'user-session-synchronizer' plugin v1.4.0 exhibits a mixed security posture. On the positive side, the static analysis reveals a low attack surface with no identified AJAX handlers or REST API routes without authentication checks. The code also demonstrates good practices by utilizing nonces and capability checks for all identified entry points, and a high percentage of output is properly escaped, with no dangerous functions or file operations detected.

However, significant concerns arise from the vulnerability history and taint analysis. The presence of a currently unpatched medium severity CVE is a critical issue that requires immediate attention. Furthermore, the taint analysis indicates two flows with unsanitized paths, which, while not classified as critical or high severity in this report, represent potential pathways for exploitation if input is not properly validated. The SQL query usage is also a minor concern, with 50% of queries not using prepared statements, which could lead to SQL injection vulnerabilities in those specific instances.

Key Concerns

  • Currently unpatched medium severity CVE
  • Flows with unsanitized paths
  • SQL queries not using prepared statements
Vulnerabilities: 1

User Session Synchronizer Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-32612 · medium · 6.1 · Cross-Site Request Forgery (CSRF)

User Session Synchronizer <= 1.4.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Apr 9, 2025 · Unpatched
Code Analysis
Analyzed Mar 16, 2026

User Session Synchronizer Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (1 prepared)
Unescaped Output: 14 (74 escaped)
Nonce Checks: 3
Capability Checks: 3
File Operations: 0
External Requests: 1
Bundled Libraries: 0

SQL Query Safety

50% prepared · 2 total queries

Output Escaping

84% escaped · 88 total outputs
Data Flows: 2 unsanitized

Data Flow Analysis

8 flows · 2 with unsanitized paths
settings_page (includes\class-user-session-synchronizer-settings.php:305)
Attack Surface

User Session Synchronizer Attack Surface

Entry Points: 1
Unprotected: 0

Shortcodes: 1

[ussyncemailverificationcode] includes\class-user-session-synchronizer-email-verification.php:45
WordPress Hooks: 22
filter manage_users_columns includes\class-user-session-synchronizer-email-verification.php:47
filter manage_users_custom_column includes\class-user-session-synchronizer-email-verification.php:48
action user_register includes\class-user-session-synchronizer-email-verification.php:50
action admin_head includes\class-user-session-synchronizer-email-verification.php:51
action init includes\class-user-session-synchronizer-email-verification.php:53
action init includes\class-user-session-synchronizer-settings.php:45
action admin_init includes\class-user-session-synchronizer-settings.php:48
action admin_menu includes\class-user-session-synchronizer-settings.php:51
action wp_enqueue_scripts includes\class-user-session-synchronizer.php:142
action wp_enqueue_scripts includes\class-user-session-synchronizer.php:143
action admin_enqueue_scripts includes\class-user-session-synchronizer.php:146
action admin_enqueue_scripts includes\class-user-session-synchronizer.php:147
action init includes\class-user-session-synchronizer.php:156
action init includes\class-user-session-synchronizer.php:160
action user_profile_update_errors includes\class-user-session-synchronizer.php:163
action admin_init includes\class-user-session-synchronizer.php:164
action admin_footer includes\class-user-session-synchronizer.php:214
action send_headers includes\class-user-session-synchronizer.php:258
action send_headers includes\class-user-session-synchronizer.php:259
action admin_footer_text includes\class-user-session-synchronizer.php:468
action wp_footer includes\class-user-session-synchronizer.php:472
filter plugin_row_meta user-session-synchronizer.php:39
Maintenance & Trust

User Session Synchronizer Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.2.9
Last updated: Jun 29, 2023
PHP min version
Downloads: 8K

Community Trust

Rating: 98/100
Number of ratings: 13
Active installs: 100
Developer Profile

User Session Synchronizer Developer Profile

rafasashi

3 plugins · 1K total installs

Trust score: 87
Avg Security Score: 82/100
Avg Patch Time: 1 day
Detection Fingerprints

How We Detect User Session Synchronizer

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/user-session-synchronizer/includes/js/settings.js
/wp-content/plugins/user-session-synchronizer/assets/js/settings.js
Script Paths
/wp-content/plugins/user-session-synchronizer/includes/js/settings.js
/wp-content/plugins/user-session-synchronizer/assets/js/settings.js
Version Parameters
user-session-synchronizer/style.css?ver=
user-session-synchronizer/js/settings.js?ver=
user-session-synchronizer/assets/js/settings.js?ver=

HTML / DOM Fingerprints

Data Attributes
data-page-title, data-menu-title, data-menu-slug, data-submenu-title, data-submenu-slug, data-option-id, +6 more
JS Globals
User_Session_Synchronizer