User Supersearch Security & Risk Analysis

wordpress.org/plugins/user-supersearch

Improves the search for users in the backend significantly: Search for first name, last, email and much more of users instead of only nicename.

10 active installs v1.0.1 PHP 7.4+ WP 6.0+ Updated Mar 17, 2026
admincustomerssearchuserswoocommerce
100
A · Safe
CVEs total0
Unpatched0
Last CVENever
Download
Safety Verdict

Is User Supersearch Safe to Use in 2026?

Generally Safe

Score 100/100

User Supersearch has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 3mo ago
Risk Assessment

The user-supersearch plugin v1.0.1 exhibits a generally strong security posture based on the provided static analysis. The absence of any identified dangerous functions, properly escaped output, and the exclusive use of prepared statements for all SQL queries are commendable practices. Furthermore, the plugin demonstrates a minimal attack surface, with no exposed AJAX handlers, REST API routes, shortcodes, or cron events that are unprotected. The lack of file operations and external HTTP requests also reduces potential vectors for attack.

However, the static analysis reveals a critical deficiency: the complete absence of nonce checks and capability checks. This means that any entry points, even if not immediately apparent in this analysis (e.g., hidden AJAX actions or AJAX called from admin areas), are entirely unprotected against CSRF attacks or unauthorized access by users who should not be performing these actions. The taint analysis showing zero flows is positive but might be limited by the scope of the analysis or the plugin's minimal functionality. The plugin's vulnerability history is clean, with no recorded CVEs, which is a positive indicator of past development practices or simply a lack of discovered vulnerabilities.

In conclusion, while the plugin employs good secure coding practices for data handling and query execution, the lack of authorization and nonce checks presents a significant security risk. This oversight makes the plugin vulnerable to potentially severe attacks if any functionality can be triggered by unauthenticated or lower-privileged users. The clean vulnerability history is a strength, but it does not negate the fundamental security flaw identified in the code signals. Users should be made aware of the potential for CSRF and unauthorized access.

Key Concerns

  • Missing nonce checks
  • Missing capability checks
Vulnerabilities
None known

User Supersearch Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

User Supersearch Release Timeline

v1.0.1Current
v1.0.0
Code Analysis
Analyzed Apr 16, 2026

User Supersearch Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
8 prepared
Unescaped Output
0
34 escaped
Nonce Checks
0
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0

SQL Query Safety

100% prepared8 total queries

Output Escaping

100% escaped34 total outputs
Attack Surface

User Supersearch Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 7
actionadmin_menusrc/Settings.php:21
actionadmin_initsrc/Settings.php:22
actionadmin_enqueue_scriptssrc/Settings.php:23
actionpre_get_userssrc/UserQuery.php:31
actionpre_user_querysrc/UserQuery.php:33
actionplugins_loadeduser-supersearch.php:50
actionbefore_woocommerce_inituser-supersearch.php:66
Maintenance & Trust

User Supersearch Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedMar 17, 2026
PHP min version7.4
Downloads306

Community Trust

Rating100/100
Number of ratings1
Active installs10
Developer Profile

User Supersearch Developer Profile

QuokkaCoders

1 plugin · 10 total installs

94
trust score
Avg Security Score
100/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect User Supersearch

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/user-supersearch/assets/js/admin-settings.js
Script Paths
/wp-content/plugins/user-supersearch/assets/js/admin-settings.js
Version Parameters
user-supersearch/assets/js/admin-settings.js?ver=

HTML / DOM Fingerprints

Data Attributes
data-user-supersearch-search-buttondata-user-supersearch-input
JS Globals
window.userSupersearchAdmin
FAQ

Frequently Asked Questions about User Supersearch