WP Admin Audit Security & Risk Analysis

wordpress.org/plugins/wp-admin-audit

WP Admin Audit monitors the security-relevant activities on your site, keeps an event log and tells you when something out of the ordinary happens.

1K active installs · v1.2.16 · PHP 7.0+ · WP 5.5+ · Updated Jul 23, 2025
Tags: activity-log, audit-log, audit-trail, security-audit-log, user-log
Score: 100 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is WP Admin Audit Safe to Use in 2026?

Generally Safe

Score 100/100

WP Admin Audit has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 8mo ago
Risk Assessment

The wp-admin-audit plugin, v1.2.16, exhibits a mixed security posture. On the positive side, the plugin demonstrates good practices regarding SQL queries, with almost all using prepared statements, and a high percentage of output being properly escaped. The plugin also incorporates a significant number of nonce checks and a reasonable number of capability checks, which are crucial for WordPress security. Furthermore, its vulnerability history is clean, with no known CVEs, suggesting a commitment to secure development or at least good luck to date.

However, a significant concern arises from the plugin's attack surface. With 29 AJAX handlers identified, a staggering 28 of them lack authentication checks. This creates a large potential entry point for malicious actors to interact with the plugin's functionality without proper authorization. While taint analysis did not reveal critical or high severity issues, the presence of one flow with unsanitized paths, even if of lower severity, is a red flag. The use of bundled libraries like Select2 also presents a potential risk if they are not kept up to date, though no specific version issues were reported.

In conclusion, while the plugin shows strengths in database interaction and output handling, and benefits from a clean vulnerability history, the substantial number of unprotected AJAX endpoints poses a considerable risk. This, combined with the single identified unsanitized path flow, warrants attention. The plugin's security would be significantly improved by implementing proper authentication and capability checks on all its AJAX handlers.

Key Concerns

  • AJAX handlers without auth checks
  • Flows with unsanitized paths
Vulnerabilities
None known

WP Admin Audit Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

WP Admin Audit Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 1 (125 prepared)
  • Unescaped Output: 145 (747 escaped)
  • Nonce Checks: 40
  • Capability Checks: 6
  • File Operations: 12
  • External Requests: 1
  • Bundled Libraries: 1

Bundled Libraries

Select2

SQL Query Safety

99% prepared (126 total queries)

Output Escaping

84% escaped (892 total outputs)
Data Flows
1 unsanitized

Data Flow Analysis

6 flows, 1 with unsanitized paths
search_box (classes\Views\BaseList.php:925)
Attack Surface
28 unprotected

WP Admin Audit Attack Surface

Entry Points: 29
Unprotected: 28

AJAX Handlers: 29

auth · wp_ajax__wada_ajax_delete_log · classes\Application\Router.php:14
auth · wp_ajax__wada_ajax_preview_log · classes\Application\Router.php:15
auth · wp_ajax__wada_ajax_download_log · classes\Application\Router.php:16
auth · wp_ajax__wada_ajax_discover_install_sensors · classes\Application\Router.php:17
auth · wp_ajax__wada_ajax_events_list · classes\Application\Router.php:18
auth · wp_ajax__wada_ajax_event_search · classes\Application\Router.php:19
auth · wp_ajax__wada_ajax_events_csv_export · classes\Application\Router.php:20
auth · wp_ajax__wada_ajax_extensions_list · classes\Application\Router.php:21
auth · wp_ajax__wada_ajax_activate_key · classes\Application\Router.php:22
auth · wp_ajax__wada_ajax_deactivate_key · classes\Application\Router.php:23
auth · wp_ajax__wada_ajax_reload_event_details_table · classes\Application\Router.php:24
auth · wp_ajax__wada_ajax_check_key_status · classes\Application\Router.php:25
auth · wp_ajax__wada_ajax_notification_log_list · classes\Application\Router.php:26
auth · wp_ajax__wada_ajax_notification_queue_list · classes\Application\Router.php:27
auth · wp_ajax__wada_ajax_notification_queue_list_bulk_delete · classes\Application\Router.php:28
auth · wp_ajax__wada_ajax_notifications_list · classes\Application\Router.php:29
auth · wp_ajax__wada_ajax_notifications_status_toggle · classes\Application\Router.php:30
auth · wp_ajax__wada_ajax_process_queue · classes\Application\Router.php:31
auth · wp_ajax__wada_ajax_debug_action · classes\Application\Router.php:32
auth · wp_ajax__wada_ajax_sensors_list · classes\Application\Router.php:33
auth · wp_ajax__wada_ajax_sensors_status_toggle · classes\Application\Router.php:34
auth · wp_ajax__wada_ajax_cleanup_event_log · classes\Application\Router.php:35
auth · wp_ajax__wada_ajax_get_event_log_stats · classes\Application\Router.php:36
auth · wp_ajax__wada_ajax_logins_list · classes\Application\Router.php:37
auth · wp_ajax__wada_ajax_logins_csv_export · classes\Application\Router.php:38
auth · wp_ajax__wada_ajax_user_search · classes\Application\Router.php:39
auth · wp_ajax__wada_ajax_users_list · classes\Application\Router.php:40
auth · wp_ajax__wada_ajax_users_csv_export · classes\Application\Router.php:41
auth · wp_ajax_edit-theme-plugin-file · classes\Sensors\File.php:20

WordPress Hooks: 109

action · upgrader_process_complete · classes\Application\BackendSum.php:136
action · activated_plugin · classes\Application\BackendSum.php:137
action · deactivated_plugin · classes\Application\BackendSum.php:138
action · deleted_plugin · classes\Application\BackendSum.php:139
action · automatic_updates_complete · classes\Application\BackendSum.php:140
filter · wp_update_comment_data · classes\Sensors\Comment.php:21
action · edit_comment · classes\Sensors\Comment.php:22
action · transition_comment_status · classes\Sensors\Comment.php:23
action · trashed_comment · classes\Sensors\Comment.php:24
action · untrashed_comment · classes\Sensors\Comment.php:25
action · deleted_comment · classes\Sensors\Comment.php:26
action · wp_insert_comment · classes\Sensors\Comment.php:27
action · comment_post · classes\Sensors\Comment.php:28
action · upgrader_process_complete · classes\Sensors\Core.php:19
action · add_attachment · classes\Sensors\Media.php:20
action · attachment_updated · classes\Sensors\Media.php:21
action · delete_attachment · classes\Sensors\Media.php:22
filter · wp_handle_upload · classes\Sensors\Media.php:23
filter · wp_create_nav_menu · classes\Sensors\Menu.php:25
filter · edit_terms · classes\Sensors\Menu.php:26
filter · wp_update_nav_menu · classes\Sensors\Menu.php:27
filter · wp_get_nav_menu_object · classes\Sensors\Menu.php:28
filter · pre_delete_term · classes\Sensors\Menu.php:29
filter · wp_delete_nav_menu · classes\Sensors\Menu.php:30
filter · wp_add_nav_menu_item · classes\Sensors\Menu.php:31
action · shutdown · classes\Sensors\Menu.php:32
action · added_option · classes\Sensors\Option.php:18
action · updated_option · classes\Sensors\Option.php:19
action · deleted_option · classes\Sensors\Option.php:20
action · wp_admin_audit_sensor_status_change · classes\Sensors\Plg_WADA.php:18
action · wp_admin_audit_sensor_update · classes\Sensors\Plg_WADA.php:19
action · wp_admin_audit_settings_update · classes\Sensors\Plg_WADA.php:20
action · wp_admin_audit_notification_status_change · classes\Sensors\Plg_WADA.php:21
action · wp_admin_audit_notification_create · classes\Sensors\Plg_WADA.php:22
action · wp_admin_audit_notification_update · classes\Sensors\Plg_WADA.php:23
action · wp_admin_audit_notification_delete · classes\Sensors\Plg_WADA.php:24
action · admin_init · classes\Sensors\Plugin.php:21
action · upgrader_process_complete · classes\Sensors\Plugin.php:22
action · activated_plugin · classes\Sensors\Plugin.php:23
action · upgrader_process_complete · classes\Sensors\Plugin.php:24
action · deactivated_plugin · classes\Sensors\Plugin.php:25
action · delete_plugin · classes\Sensors\Plugin.php:26
action · deleted_plugin · classes\Sensors\Plugin.php:27
action · pre_auto_update · classes\Sensors\Plugin.php:28
action · automatic_updates_complete · classes\Sensors\Plugin.php:29
action · pre_post_update · classes\Sensors\Post.php:23
action · wp_after_insert_post · classes\Sensors\Post.php:24
action · set_object_terms · classes\Sensors\Post.php:25
action · transition_post_status · classes\Sensors\Post.php:26
action · delete_post · classes\Sensors\Post.php:27
action · update_post_meta · classes\Sensors\Post.php:28
action · admin_init · classes\Sensors\Settings.php:19
action · created_category · classes\Sensors\Taxonomy.php:23
action · created_post_tag · classes\Sensors\Taxonomy.php:24
action · edit_terms · classes\Sensors\Taxonomy.php:25
action · edited_category · classes\Sensors\Taxonomy.php:26
action · edited_post_tag · classes\Sensors\Taxonomy.php:27
action · delete_category · classes\Sensors\Taxonomy.php:28
action · delete_post_tag · classes\Sensors\Taxonomy.php:29
action · admin_init · classes\Sensors\Theme.php:21
action · upgrader_process_complete · classes\Sensors\Theme.php:22
action · switch_theme · classes\Sensors\Theme.php:23
action · upgrader_process_complete · classes\Sensors\Theme.php:24
action · delete_theme · classes\Sensors\Theme.php:25
action · deleted_theme · classes\Sensors\Theme.php:26
action · user_register · classes\Sensors\User.php:20
action · wp_login · classes\Sensors\User.php:21
action · wp_login_failed · classes\Sensors\User.php:22
action · wp_logout · classes\Sensors\User.php:23
action · profile_update · classes\Sensors\User.php:24
action · personal_options_update · classes\Sensors\User.php:25
action · update_user_meta · classes\Sensors\User.php:26
action · current_screen · classes\Sensors\User.php:27
action · template_redirect · classes\Sensors\User.php:28
filter · wp_authenticate_user · classes\Sensors\User.php:29
action · delete_user · classes\Sensors\User.php:30
action · password_reset · classes\Sensors\User.php:31
action · wp_admin_audit_loaded_post_sensors · classes\Sensors\User.php:32
filter · wp_mail_content_type · classes\Utils\UserUtils.php:140
filter · wp_mail_content_type · classes\Utils\UserUtils.php:172
action · admin_footer · classes\Views\Diagnosis.php:16
action · admin_footer · classes\Views\Events.php:29
action · admin_footer · classes\Views\ExtensionAction.php:19
action · admin_footer · classes\Views\Extensions.php:27
action · admin_footer · classes\Views\Info.php:26
filter · wp_mail_content_type · classes\Views\Info.php:86
action · admin_footer · classes\Views\Layouts\EventDetailsBase.php:20
filter · safe_style_css · classes\Views\Layouts\EventDetailsBase.php:234
action · admin_footer · classes\Views\Logins.php:29
action · admin_footer · classes\Views\NotificationLog.php:32
action · admin_footer · classes\Views\NotificationQueue.php:32
action · admin_footer · classes\Views\Notifications.php:26
action · admin_footer · classes\Views\NotificationWizard.php:28
action · admin_footer · classes\Views\Sensors.php:26
action · admin_footer · classes\Views\Settings.php:16
action · admin_footer · classes\Views\Users.php:29
action · wp_dashboard_setup · classes\Views\Widgets\LastActivities.php:16
action · wp_dashboard_setup · classes\Views\Widgets\LoginAttempts.php:16
action · wp_loaded · wp-admin-audit.php:45
action · plugins_loaded · wp-admin-audit.php:47
filter · cron_schedules · wp-admin-audit.php:52
action · init · wp-admin-audit.php:146
action · admin_menu · wp-admin-audit.php:147
action · admin_enqueue_scripts · wp-admin-audit.php:148
action · wp_admin_audit_maintenance · wp-admin-audit.php:151
action · wp_admin_audit_queue_work · wp-admin-audit.php:152
action · wp_admin_audit_queue_work · wp-admin-audit.php:153
action · wp_admin_audit_new_event · wp-admin-audit.php:156
filter · plugins_api · wp-admin-audit.php:159
Maintenance & Trust

WP Admin Audit Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.8.5
  • Last updated: Jul 23, 2025
  • PHP min version: 7.0
  • Downloads: 14K

Community Trust

  • Rating: 74/100
  • Number of ratings: 6
  • Active installs: 1K
Developer Profile

WP Admin Audit Developer Profile

brandtoss

2 plugins · 1K total installs

  • Trust score: 77
  • Avg Security Score: 97/100
  • Avg Patch Time: 198 days
Detection Fingerprints

How We Detect WP Admin Audit

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wp-admin-audit/classes/Constants.php
  • /wp-content/plugins/wp-admin-audit/classes/Setup.php
  • /wp-content/plugins/wp-admin-audit/classes/Application/BackendSum.php
  • /wp-content/plugins/wp-admin-audit/classes/Application/BackendWoosl.php
  • /wp-content/plugins/wp-admin-audit/classes/Application/Database.php
  • /wp-content/plugins/wp-admin-audit/classes/Application/EventListener.php
  • /wp-content/plugins/wp-admin-audit/classes/Application/Extensions.php
  • /wp-content/plugins/wp-admin-audit/classes/Application/Log.php
  • +18 more
Version Parameters
  • wp-admin-audit/style.css?ver=
  • wp-admin-audit/script.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • wada-menu-item
  • wada-submenu-item
  • wada-content-wrapper
HTML Comments
  • WP Admin Audit is free software; you can redistribute it and/or modify
  • WP Admin Audit is distributed in the hope that it will be useful
  • You should have received a copy of the GNU General Public License
Data Attributes
  • data-wada-action
  • data-wada-nonce
JS Globals
  • window.WADA_Admin
  • window.WADA_Ajax
REST Endpoints
  • /wp-json/wp-admin-audit/v1/settings
  • /wp-json/wp-admin-audit/v1/logs
  • /wp-json/wp-admin-audit/v1/system-info
Shortcode Output
  • [wada_recent_activity]
  • [wada_security_dashboard]