ManageWP Worker Security & Risk Analysis

wordpress.org/plugins/worker

A better way to manage dozens of WordPress websites.

1.0M active installs v4.9.31 PHP + WP 3.1+ Updated Mar 11, 2026
Tags: backup, manage-multiple-sites, migrate, performance, security
Score: 98 (A · Safe)
CVEs total: 1
Unpatched: 0
Last CVE: Feb 11, 2020
Safety Verdict

Is ManageWP Worker Safe to Use in 2026?

Generally Safe

Score 98/100

ManageWP Worker has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Feb 11, 2020 · Updated 24d ago
Risk Assessment

The "worker" plugin v4.9.31 presents a mixed security posture. While the static analysis shows a commendably small attack surface with no unprotected entry points, the code signals raise significant concerns. The presence of dangerous functions like `exec`, `unserialize`, `create_function`, and `proc_open` is a major red flag, indicating potential for remote code execution if these functions are used with user-supplied input. Furthermore, a low percentage of output escaping (34%) and a high number of unsanitized flows in taint analysis (4 out of 6 analyzed) suggest a substantial risk of cross-site scripting (XSS) and other injection vulnerabilities.

The vulnerability history, though showing no currently unpatched CVEs, reveals a past critical vulnerability related to Authentication Bypass. This, coupled with the code signals, suggests a pattern of historical weaknesses that may reflect underlying insecure coding practices. The lack of capability checks on entry points, although currently masked by the absence of direct entry points, could become a significant issue if new endpoints are added or existing ones are modified without proper security considerations.

In conclusion, while the plugin has managed to fix past critical issues and appears to have a controlled attack surface for the current version, the internal code quality and the historical presence of critical vulnerabilities warrant caution. The reliance on dangerous functions and insufficient output escaping are significant weaknesses that could be exploited. Careful code review and ongoing monitoring are recommended.

Key Concerns

  • Dangerous functions (exec, unserialize, create_function, proc_open) present
  • Low percentage of properly escaped output
  • High percentage of flows with unsanitized paths
  • Past critical vulnerability (Authentication Bypass)
  • Low number of capability checks
Vulnerabilities: 1

ManageWP Worker Security Vulnerabilities

CVEs by Year

1 CVE in 2020

Severity Breakdown

Critical: 1 (1 total CVE)

WF-92915943-c6ff-46df-adbd-382eabe44021-worker · critical · 9.8 · Authentication Bypass Using an Alternate Path or Channel

Manage WP Worker <= 4.9.2 - Authentication Bypass

Feb 11, 2020 Patched in 4.9.3 (1442d)
Code Analysis
Analyzed Mar 16, 2026

ManageWP Worker Code Analysis

Dangerous Functions: 7
Raw SQL Queries: 41 (48 prepared)
Unescaped Output: 48 (25 escaped)
Nonce Checks: 3
Capability Checks: 1
File Operations: 151
External Requests: 4
Bundled Libraries: 0

Dangerous Functions Found

  • exec: `exec('zip -r ' . $zipName . ' ' . join(' ', $escapedFiles), $output, $exitCode);` (src\MWP\Action\DownloadFile.php:58)
  • unserialize: `$result[$field] = unserialize($result[$field]);` (src\MWP\WordPress\Query\Abstract.php:29)
  • create_function: `return create_function('$_action, &$self, $_text', $init_crypt.'if ($_action == "encrypt") { '.$encr` (src\PHPSecLib\Crypt\Base.php:2014)
  • unserialize: `extract(unserialize($partial));` (src\PHPSecLib\Crypt\RSA.php:628)
  • proc_open: `$this->process = @proc_open($commandline, $descriptors, $this->processPipes->pipes, $this->cwd, $thi` (src\Symfony\Process\Process.php:300)
  • exec: `exec(sprintf('taskkill /F /T /PID %d 2>&1', $this->getPid()), $output, $exitCode);` (src\Symfony\Process\Process.php:810)
  • proc_open: `$proc = @proc_open('echo 1', array(array('pty'), array('pty'), array('pty')), $pipes);` (src\Symfony\Process\Process.php:1224)

SQL Query Safety

54% prepared · 89 total queries

Output Escaping

34% escaped · 73 total outputs
Data Flows: 4 unsanitized

Data Flow Analysis

6 flows · 4 with unsanitized paths
mwp_fail_safe (init.php:50)
Attack Surface

ManageWP Worker Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 14
  • filter · deprecated_function_trigger_error · init.php:704
  • action · mwp_update_public_keys · init.php:705
  • action · init · init.php:706
  • filter · install_plugin_complete_actions · init.php:707
  • filter · comment_edit_redirect · init.php:708
  • action · mwp_auto_update · init.php:709
  • filter · cron_schedules · init.php:712
  • action · save_post · init.php:715
  • action · delete_post · init.php:716
  • action · admin_notices · init.php:752
  • action · wpmu_new_blog · src\MMB\Core.php:35
  • action · network_admin_notices · src\MMB\Core.php:42
  • action · admin_notices · src\MMB\Core.php:47
  • action · admin_notices · src\MMB\Core.php:52

Scheduled Events 2

mwp_auto_update
mwp_update_public_keys
Maintenance & Trust

ManageWP Worker Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Mar 11, 2026
PHP min version
Downloads: 26.7M

Community Trust

Rating: 92/100
Number of ratings: 676
Active installs: 1.0M
Developer Profile

ManageWP Worker Developer Profile

Vladimir Prelovac

20 plugins · 1.0M total installs

Trust score: 70
Avg Security Score: 87/100
Avg Patch Time: 2577 days
Detection Fingerprints

How We Detect ManageWP Worker

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/worker/assets/css/backend.css
/wp-content/plugins/worker/assets/css/frontend.css
/wp-content/plugins/worker/assets/css/frontend_inline.css
/wp-content/plugins/worker/assets/js/backend.js
/wp-content/plugins/worker/assets/js/frontend.js
/wp-content/plugins/worker/assets/js/frontend_inline.js
Script Paths
/wp-content/plugins/worker/assets/js/backend.js
/wp-content/plugins/worker/assets/js/frontend.js
/wp-content/plugins/worker/assets/js/frontend_inline.js
Version Parameters
worker/assets/css/backend.css?ver=
worker/assets/css/frontend.css?ver=
worker/assets/css/frontend_inline.css?ver=
worker/assets/js/backend.js?ver=
worker/assets/js/frontend.js?ver=
worker/assets/js/frontend_inline.js?ver=

HTML / DOM Fingerprints

CSS Classes
mwp-worker-backend-settings
HTML Comments
<!-- MWP_RETRY_ME: 1 -->
<!-- This file is part of the ManageWP Worker plugin. -->
<!-- Copyright (c) ManageWP LLC <contact@managewp.com> -->
Data Attributes
data-mwp-action
data-mwp-id
JS Globals
mwp_worker_ajax_object
mwp_worker_backend_object
mwp_worker_frontend_object
REST Endpoints
/wp-json/mwp-worker/
FAQ

Frequently Asked Questions about ManageWP Worker