WordSync Security & Risk Analysis

wordpress.org/plugins/wordsync

WordSync allows you to synchronise posts, pages, users, taxonomies, attachments and settings between two WordPress installs.

10 active installs v0.1.1 PHP + WP 4.0+ Updated Apr 25, 2017
backupmergemigrationsyncsynchronise
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Safety Verdict

Is WordSync Safe to Use in 2026?

Generally Safe

Score 85/100

WordSync has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 9yr ago
Risk Assessment

The 'wordsync' plugin, version 0.1.1, presents a mixed security posture. On the positive side, it demonstrates good practices by using prepared statements for all SQL queries and has no recorded vulnerabilities or CVEs, suggesting a generally stable and safe history. It also avoids bundling external libraries and makes only one external HTTP request.

However, significant concerns arise from its attack surface and code analysis. The plugin exposes two AJAX handlers, both of which lack authentication checks, creating a substantial risk of unauthorized access and execution of plugin functionalities. Furthermore, only 31% of its output is properly escaped, indicating a high likelihood of cross-site scripting (XSS) vulnerabilities. While taint analysis did not reveal critical or high severity issues, the presence of one flow with unsanitized paths is still a potential risk. The absence of nonce checks on its AJAX endpoints exacerbates the risk posed by the unprotected entry points.

In conclusion, while the lack of historical vulnerabilities and secure SQL handling are strengths, the unprotected AJAX endpoints and poor output escaping practices are critical weaknesses that significantly elevate the risk profile of this plugin. Urgent attention is required to address these security flaws to prevent potential exploits.

Key Concerns

  • AJAX handlers without auth checks
  • Low percentage of output properly escaped
  • No nonce checks on AJAX
  • Flow with unsanitized paths
Vulnerabilities
None known

WordSync Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

WordSync Release Timeline

v0.1.1Current
v0.1
Code Analysis
Analyzed Apr 16, 2026

WordSync Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
5 prepared
Unescaped Output
20
9 escaped
Nonce Checks
0
Capability Checks
1
File Operations
6
External Requests
1
Bundled Libraries
0

SQL Query Safety

100% prepared5 total queries

Output Escaping

31% escaped29 total outputs
Data Flows · Security
1 unsanitized

Data Flow Analysis

2 flows1 with unsanitized paths
onAdminAjax (admin/class-wordsync-admin.php:180)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
2 unprotected

WordSync Attack Surface

Entry Points2
Unprotected2

AJAX Handlers 2

authwp_ajax_wordsync_adminadmin/class-wordsync-admin.php:51
noprivwp_ajax_bravewordsyncincludes/sync/class-wordsync-syncer.php:86
WordPress Hooks 5
actionadmin_enqueue_scriptsadmin/class-wordsync-admin.php:46
actionadmin_enqueue_scriptsadmin/class-wordsync-admin.php:47
actionadmin_menuadmin/class-wordsync-admin.php:48
actionadmin_initadmin/class-wordsync-admin.php:49
actionplugins_loadedincludes/class-wordsync.php:146
Maintenance & Trust

WordSync Maintenance & Trust

Maintenance Signals

WordPress version tested4.7.33
Last updatedApr 25, 2017
PHP min version
Downloads2K

Community Trust

Rating20/100
Number of ratings1
Active installs10
Developer Profile

WordSync Developer Profile

Brave Digital

1 plugin · 10 total installs

84
trust score
Avg Security Score
85/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect WordSync

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wordsync/css/wordsync-admin.css/wp-content/plugins/wordsync/js/wordsync-admin.js
Script Paths
/wp-content/plugins/wordsync/js/wordsync-admin.js
Version Parameters
wordsync-admin.css?ver=wordsync-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
code
Data Attributes
data-command
JS Globals
wordsync
FAQ

Frequently Asked Questions about WordSync