
User Supersearch Security & Risk Analysis
wordpress.org/plugins/user-supersearchImproves the search for users in the backend significantly: Search for first name, last, email and much more of users instead of only nicename.
Is User Supersearch Safe to Use in 2026?
Generally Safe
Score 100/100User Supersearch has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.
The user-supersearch plugin v1.0.1 exhibits a generally strong security posture based on the provided static analysis. The absence of any identified dangerous functions, properly escaped output, and the exclusive use of prepared statements for all SQL queries are commendable practices. Furthermore, the plugin demonstrates a minimal attack surface, with no exposed AJAX handlers, REST API routes, shortcodes, or cron events that are unprotected. The lack of file operations and external HTTP requests also reduces potential vectors for attack.
However, the static analysis reveals a critical deficiency: the complete absence of nonce checks and capability checks. This means that any entry points, even if not immediately apparent in this analysis (e.g., hidden AJAX actions or AJAX called from admin areas), are entirely unprotected against CSRF attacks or unauthorized access by users who should not be performing these actions. The taint analysis showing zero flows is positive but might be limited by the scope of the analysis or the plugin's minimal functionality. The plugin's vulnerability history is clean, with no recorded CVEs, which is a positive indicator of past development practices or simply a lack of discovered vulnerabilities.
In conclusion, while the plugin employs good secure coding practices for data handling and query execution, the lack of authorization and nonce checks presents a significant security risk. This oversight makes the plugin vulnerable to potentially severe attacks if any functionality can be triggered by unauthenticated or lower-privileged users. The clean vulnerability history is a strength, but it does not negate the fundamental security flaw identified in the code signals. Users should be made aware of the potential for CSRF and unauthorized access.
Key Concerns
- Missing nonce checks
- Missing capability checks
User Supersearch Security Vulnerabilities
User Supersearch Release Timeline
User Supersearch Code Analysis
SQL Query Safety
Output Escaping
User Supersearch Attack Surface
WordPress Hooks 7
Maintenance & Trust
User Supersearch Maintenance & Trust
Maintenance Signals
Community Trust
User Supersearch Alternatives
WP Mechanic
wp-mechanic
WP Mechanic is a combination of WordPress and Android Playstore Applications. Experience a set of hybrid software applications.
Dashify: WooCommerce admin dashboard theme
dashify
A modern design and UI for the WooCommerce admin. Manage, search, and navigate orders faster. Make the WordPress admin dashboard ecommerce-focused.
Better User Search
better-user-search
Better User Search is a must have plugin if you're running WooCommerce. Without it, you're stuck trying to remember every
Better Admin Users Search
better-admin-users-search
Improve users admin search
Enhanced Admin User Search
enhanced-admin-user-search
This plugin extends the default WordPress admin user search functionality in the search query.
User Supersearch Developer Profile
1 plugin · 10 total installs
How We Detect User Supersearch
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
/wp-content/plugins/user-supersearch/assets/js/admin-settings.js/wp-content/plugins/user-supersearch/assets/js/admin-settings.jsuser-supersearch/assets/js/admin-settings.js?ver=HTML / DOM Fingerprints
data-user-supersearch-search-buttondata-user-supersearch-inputwindow.userSupersearchAdmin