User Spam Remover Security & Risk Analysis

wordpress.org/plugins/user-spam-remover

Automatically removes spam user registrations and other old, unused user accounts. Blocks annoying e-mail to administrator after new registrations.

1K active installs · v1.1 · PHP + WP 3.9+ · Updated Mar 3, 2024
Tags: admin, registration, spam, user, users
Score: 61 (C · Use Caution)
CVEs total: 2
Unpatched: 1
Last CVE: Dec 4, 2025
Safety Verdict

Is User Spam Remover Safe to Use in 2026?

Use With Caution

Score 61/100

User Spam Remover has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

2 known CVEs · 1 unpatched · Last CVE: Dec 4, 2025 · Updated 2yr ago
Risk Assessment

The User Spam Remover plugin v1.1 exhibits a mixed security posture. While the static analysis reveals a commendable absence of direct attack surface entry points like AJAX handlers, REST API routes, and shortcodes without proper authorization checks, and all SQL queries are prepared, there are significant concerns regarding output escaping. Only 24% of outputs are properly escaped, which presents a substantial risk of Cross-Site Scripting (XSS) vulnerabilities. The plugin also performs several file operations, which, combined with the poor output escaping, could lead to more complex attack chains if malicious input is not handled carefully.

The vulnerability history is particularly worrying. The plugin has a history of two medium-severity vulnerabilities, both related to Exposure of Sensitive Information to an Unauthorized Actor. Crucially, one of these vulnerabilities remains unpatched, indicating a lack of ongoing maintenance and a direct, known security risk. The last vulnerability being dated in late 2025 suggests either a very recent discovery of past issues or potentially a forward-looking data entry error; however, the existence of an unpatched CVE is a critical flag.

In conclusion, while the plugin demonstrates good practices in limiting its attack surface and using prepared statements for SQL, the severe lack of output escaping and the presence of an unpatched CVE significantly outweigh these positives. The plugin is at a considerable risk of security compromise due to known, unaddressed vulnerabilities and potential for XSS attacks.

Key Concerns

  • Unpatched CVE (medium severity)
  • Poor output escaping (24% properly escaped)
  • History of sensitive information exposure vulnerabilities
Vulnerabilities (2)

User Spam Remover Security Vulnerabilities

CVEs by Year

2024: 1 CVE
2025: 1 CVE · unpatched

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2025-62735 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

User Spam Remover <= 1.1 - Unauthenticated Information Exposure

Dec 4, 2025 · Unpatched

CVE-2024-31298 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

User Spam Remover <= 1.0 - Unauthenticated Sensitive Information Exposure

Apr 5, 2024 · Patched in 1.1 (7d)
Code Analysis
Analyzed Mar 16, 2026

User Spam Remover Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 34 (11 escaped)
Nonce Checks: 1
Capability Checks: 2
File Operations: 7
External Requests: 0
Bundled Libraries: 0

Output Escaping

24% escaped · 45 total outputs
Data Flows: All sanitized

Data Flow Analysis

2 flows
optionsPage (user-spam-remover.php:224)
Attack Surface

User Spam Remover Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 2
action · admin_init · user-spam-remover.php:179
action · admin_menu · user-spam-remover.php:970
Maintenance & Trust

User Spam Remover Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.4.8
Last updated: Mar 3, 2024
PHP min version
Downloads: 56K

Community Trust

Rating: 82/100
Number of ratings: 18
Active installs: 1K
Developer Profile

User Spam Remover Developer Profile

Joel

2 plugins · 2K total installs

Trust score: 81
Avg Security Score: 73/100
Avg Patch Time: 7 days
Detection Fingerprints

How We Detect User Spam Remover

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Version Parameters
user-spam-remover/style.css?ver=
user-spam-remover/script.js?ver=

HTML / DOM Fingerprints

Data Attributes
data-usr-id
JS Globals
user_spam_remover_ajax_object
FAQ

Frequently Asked Questions about User Spam Remover