WP-Safety

User Upgrade Capability Security & Risk Analysis

wordpress.org/plugins/user-upgrade-capability

Link multiple network sites/blogs together - Maintain only one site list of users.

10 active installs v2.4 PHP + WP 3.5+ Updated Sep 24, 2024
capabilitymultisitepermissionroleuser
92
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is User Upgrade Capability Safe to Use in 2026?

Generally Safe

Score 92/100

User Upgrade Capability has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 1yr ago
Risk Assessment

The user-upgrade-capability v2.4 plugin exhibits a generally strong security posture based on the provided static analysis. The absence of any recorded vulnerabilities in its history, combined with the plugin's limited attack surface (zero entry points found), suggests a well-maintained and secure codebase. The code analysis reveals good practices such as a significant percentage of SQL queries using prepared statements and a high rate of output escaping. The presence of nonce and capability checks further bolsters its defenses.

However, the analysis does highlight a minor area of concern: 71% of SQL queries are not using prepared statements. While not a critical issue given the limited number of SQL queries and the plugin's overall lack of external interaction points, it represents a potential avenue for SQL injection if the input used in these queries is not rigorously sanitized elsewhere. The taint analysis showing zero flows with unsanitized paths is encouraging and mitigates this concern significantly in practice.

In conclusion, user-upgrade-capability v2.4 appears to be a secure plugin with a robust security development lifecycle, as evidenced by its clean vulnerability history and strong defense mechanisms. The primary area for improvement lies in ensuring all SQL queries utilize prepared statements for maximum protection against potential injection vulnerabilities.

Key Concerns

  • SQL queries not using prepared statements
Vulnerabilities
None known

User Upgrade Capability Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

User Upgrade Capability Code Analysis

Dangerous Functions
0
Raw SQL Queries
5
2 prepared
Unescaped Output
42
165 escaped
Nonce Checks
7
Capability Checks
17
File Operations
0
External Requests
0
Bundled Libraries
0

SQL Query Safety

29% prepared7 total queries

Output Escaping

80% escaped207 total outputs
Attack Surface

User Upgrade Capability Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 45
actioninitincludes\class-tabbed-settings.php:73
actionadmin_initincludes\class-tabbed-settings.php:75
actionadmin_menuincludes\class-tabbed-settings.php:77
actioninitincludes\class-tgm-plugin-activation.php:268
filterload_textdomain_mofileincludes\class-tgm-plugin-activation.php:269
actioninitincludes\class-tgm-plugin-activation.php:272
actionadmin_menuincludes\class-tgm-plugin-activation.php:421
actionadmin_headincludes\class-tgm-plugin-activation.php:422
filterinstall_plugin_complete_actionsincludes\class-tgm-plugin-activation.php:425
filterupdate_plugin_complete_actionsincludes\class-tgm-plugin-activation.php:426
actionadmin_noticesincludes\class-tgm-plugin-activation.php:429
actionadmin_initincludes\class-tgm-plugin-activation.php:430
actionadmin_enqueue_scriptsincludes\class-tgm-plugin-activation.php:431
actionload-plugins.phpincludes\class-tgm-plugin-activation.php:436
actionswitch_themeincludes\class-tgm-plugin-activation.php:439
actionswitch_themeincludes\class-tgm-plugin-activation.php:442
actionadmin_initincludes\class-tgm-plugin-activation.php:447
actionswitch_themeincludes\class-tgm-plugin-activation.php:452
actionadmin_headincludes\class-tgm-plugin-activation.php:456
actionload_textdomain_mofileincludes\class-tgm-plugin-activation.php:478
filterupgrader_source_selectionincludes\class-tgm-plugin-activation.php:892
actionplugins_loadedincludes\class-tgm-plugin-activation.php:2133
filtertgmpa_table_data_itemsincludes\class-tgm-plugin-activation.php:2257
filterupgrader_source_selectionincludes\class-tgm-plugin-activation.php:3000
actionadmin_initincludes\class-tgm-plugin-activation.php:3170
actionupgrader_process_completeincludes\class-tgm-plugin-activation.php:3265
filterupgrader_post_installincludes\class-tgm-plugin-activation.php:3324
filterupgrader_post_installincludes\class-tgm-plugin-activation.php:3469
actionplugins_loadedincludes\class-user-upgrade-capability-network-info.php:23
filtermanage_sites-network_columnsincludes\class-user-upgrade-capability-network-info.php:31
actionmanage_sites_custom_columnincludes\class-user-upgrade-capability-network-info.php:32
actiontabbed_settings_after_updateincludes\class-user-upgrade-capability-network-info.php:35
actiontgmpa_registerincludes\plugin-install.php:8
actiontabbed_settings_after_updateincludes\settings-general.php:17
actionadmin_noticesuser-upgrade-capability.php:56
actionplugins_loadeduser-upgrade-capability.php:61
actionplugins_loadeduser-upgrade-capability.php:64
actionplugins_loadeduser-upgrade-capability.php:67
actioninituser-upgrade-capability.php:70
actionafter_setup_themeuser-upgrade-capability.php:74
actionadmin_inituser-upgrade-capability.php:77
actionadmin_inituser-upgrade-capability.php:80
actionadmin_noticesuser-upgrade-capability.php:81
actioninituser-upgrade-capability.php:84
actioninituser-upgrade-capability.php:87
Maintenance & Trust

User Upgrade Capability Maintenance & Trust

Maintenance Signals

WordPress version tested6.6.5
Last updatedSep 24, 2024
PHP min version
Downloads4K

Community Trust

Rating94/100
Number of ratings7
Active installs10
Alternatives

User Upgrade Capability Alternatives

WPFront User Role Editor

WPFront User Role Editor

wpfront-user-role-editor

A
94

Easily allows you to manage WordPress user roles. You can create, edit, delete and manage capabilities, also copy existing roles.

30K 5 CVEs
Custom Role Creator (CRC)

Custom Role Creator (CRC)

custom-role-creator

A
100

Custom Role Creator plugin allows you to add or change user roles and capabilities easily.

200 No CVEs
PublishPress Capabilities – User Role Editor, Access Permissions, User Capabilities, Admin Menus

PublishPress Capabilities – User Role Editor, Access Permissions, User Capabilities, Admin Menus

capability-manager-enhanced

A
96

PublishPress Capabilities is the access control plugin. You can manage user capabilities, permissions, user roles, admin menus and more.

100K 4 CVEs
Controlled Admin Access

Controlled Admin Access

controlled-admin-access

A
96

Give a temporarily limited admin access to themes designers, plugins developers and support agents.

10K 2 CVEs
Hide This

Hide This

hide-this

A
85

This plugin provides a shortcode that lets you hide some parts of the content from your posts and pages.

3K No CVEs
Developer Profile

User Upgrade Capability Developer Profile

Justin Fletcher

5 plugins · 290 total installs

90
trust score
Avg Security Score
94/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect User Upgrade Capability

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/user-upgrade-capability/assets/css/admin.css/wp-content/plugins/user-upgrade-capability/assets/js/admin.js
Script Paths
/wp-content/plugins/user-upgrade-capability/assets/js/admin.js
Version Parameters
user-upgrade-capability/assets/css/admin.css?ver=user-upgrade-capability/assets/js/admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
uuc-wrapper
HTML Comments
<!-- Start of Reference Site --><!-- End of Reference Site --><!-- Upgrade capability: You must choose a reference site --><!-- Admin notice hide prompt notice catch -->+7 more
Data Attributes
data-uuc-user-iddata-uuc-nonce
JS Globals
uuc_admin_ajax_objectuuc_user_upgrade_capability
FAQ

Frequently Asked Questions about User Upgrade Capability