WP Assistant Security & Risk Analysis

wordpress.org/plugins/wp-assistant

Caution

40 active installs · v0.4.3 · PHP + · WP 4.4.1+ · Updated Apr 5, 2016
option-framework
85
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is WP Assistant Safe to Use in 2026?

Generally Safe

Score 85/100

WP Assistant has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 10yr ago
Risk Assessment

The 'wp-assistant' plugin v0.4.3 exhibits a mixed security posture. On one hand, the plugin demonstrates good security practices: 92% of SQL queries use prepared statements, and it has robust nonce checks (4 total) and capability checks (3 total). Furthermore, the absence of any known CVEs or past vulnerabilities is a positive indicator of diligent development. However, several areas raise concerns. The presence of dangerous functions like 'create_function' and 'unserialize' is a significant red flag, as these can be exploited if user input reaches them without being meticulously handled. In the calls listed under Dangerous Functions Found, the 'create_function' arguments are fixed string literals rather than user input; 'create_function' was also deprecated in PHP 7.2 and removed in PHP 8.0, so these calls fail on PHP 8. The taint analysis found two flows with unsanitized paths, classified as high severity, which point directly to places where untrusted data could be processed insecurely. Additionally, only 38% of outputs are escaped, which suggests a substantial risk of Cross-Site Scripting (XSS) vulnerabilities.

While the plugin boasts a seemingly secure attack surface with all entry points protected by authentication, the identified high-severity taint flows and the low output escaping rate are critical weaknesses. The lack of past vulnerabilities could indicate either a historically secure plugin or a lack of thorough historical auditing. The combination of dangerous function usage and unsanitized taint paths suggests that while the plugin's entry points might be secured, the internal handling of data within these points requires significant attention. The low output escaping is a systemic issue that needs immediate remediation to prevent common web attacks.

Key Concerns

  • High severity unsanitized taint flows
  • Low output escaping rate (38%)
  • Presence of dangerous functions (create_function, unserialize)
Vulnerabilities
None known

WP Assistant Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

WP Assistant Release Timeline

v0.4.3 (Current)
v0.4.2
v0.4.1
v0.4.0
v0.3.3
v0.3.2
v0.3.1
v0.3.0
v0.2.9
v0.2.8
v0.2.7
v0.2.5
v0.2.4
v0.2.3
v0.2.2
v0.2.1
v0.2.
v0.2.0
v0.1.9
v0.1.8
Code Analysis
Analyzed Mar 16, 2026

WP Assistant Code Analysis

Dangerous Functions: 5
Raw SQL Queries: 2 (24 prepared)
Unescaped Output: 85 (52 escaped)
Nonce Checks: 4
Capability Checks: 3
File Operations: 9
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

create_function: add_filter( 'pre_site_transient_update_plugins', create_function( '$a', "return null;" ) ); (modules\admin\admin.php:573)
create_function: add_filter( 'pre_site_transient_update_themes', create_function( '$a', "return null;" ) ); (modules\admin\admin.php:577)
create_function: add_filter( 'pre_site_transient_update_plugins', create_function( '$a', "return null;" ) ); (modules\cleanup\cleanup.php:324)
create_function: add_filter( 'pre_site_transient_update_themes', create_function( '$a', "return null;" ) ); (modules\cleanup\cleanup.php:328)
unserialize: $defaults = unserialize( 'a:23:{s:23:"modules_list_cf7AjaxZip";s:1:"0";s:23:"modules_list_menuEditor… (wp-assistant.php:93)

SQL Query Safety

92% prepared · 26 total queries

Output Escaping

38% escaped · 137 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

6 flows · 2 with unsanitized paths
template_save_data (modules\templateEditor\templateEditor.php:149)
Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface

WP Assistant Attack Surface

Entry Points: 4
Unprotected: 0

AJAX Handlers 3

auth · wp_ajax_update_wpaupports_option · inc\settings.php:35
auth · wp_ajax_run_optimize · modules\optimize\optimize.php:26
auth · wp_ajax_wpa_option_import · modules\tools\tools.php:20

Shortcodes 1

[wpa_breadcrumb] modules\breadcrumb\breadcrumb.php:45
WordPress Hooks 84
action · wp_enqueue_scripts · inc\fields\media.php:20
action · admin_init · inc\settings.php:30
action · admin_menu · inc\settings.php:31
action · admin_init · inc\settings.php:32
action · admin_enqueue_scripts · inc\settings.php:34
action · admin_enqueue_scripts · modules\aceEditor\aceEditor.php:20
action · admin_init · modules\activation\activation.php:23
action · admin_init · modules\admin\admin.php:30
action · load_template · modules\admin\admin.php:32
action · template_include · modules\admin\admin.php:33
action · locate_template · modules\admin\admin.php:34
action · wp · modules\admin\admin.php:46
filter · wp_calculate_image_srcset · modules\admin\admin.php:299
action · wp_head · modules\admin\admin.php:350
action · wp_head · modules\admin\admin.php:351
action · wp_head · modules\admin\admin.php:352
action · wp_head · modules\admin\admin.php:368
action · wp_enqueue_scripts · modules\admin\admin.php:447
filter · wp_head · modules\admin\admin.php:467
filter · xmlrpc_methods · modules\admin\admin.php:480
filter · wp_headers · modules\admin\admin.php:489
action · template_redirect · modules\admin\admin.php:512
filter · author_link · modules\admin\admin.php:548
filter · pre_site_transient_update_core · modules\admin\admin.php:567
filter · pre_site_transient_update_plugins · modules\admin\admin.php:573
filter · pre_site_transient_update_themes · modules\admin\admin.php:577
action · admin_bar_menu · modules\admin\admin.php:593
action · admin_init · modules\admin\admin.php:656
filter · tiny_mce_plugins · modules\admin\admin.php:728
action · load-post.php · modules\adminPostNav\adminPostNav.php:34
action · admin_enqueue_scripts · modules\adminPostNav\adminPostNav.php:49
action · admin_print_footer_scripts · modules\adminPostNav\adminPostNav.php:50
action · do_meta_boxes · modules\adminPostNav\adminPostNav.php:51
action · admin_init · modules\breadcrumb\breadcrumb.php:46
action · wpa_settings_fields_after · modules\cache\cache.php:27
action · init · modules\cache\cache.php:29
action · delete_post · modules\cache\cache.php:34
action · post_updated · modules\cache\cache.php:35
action · wp_set_comment_status · modules\cache\cache.php:36
action · wp_insert_comment · modules\cache\cache.php:37
action · trash_comment · modules\cache\cache.php:38
action · spam_comment · modules\cache\cache.php:39
action · edit_comment · modules\cache\cache.php:40
action · wp_enqueue_scripts · modules\cf7AjaxZip\cf7AjaxZip.php:40
action · wp_head · modules\cf7AjaxZip\cf7AjaxZip.php:44
action · load_template · modules\cleanup\cleanup.php:47
action · template_include · modules\cleanup\cleanup.php:48
action · locate_template · modules\cleanup\cleanup.php:49
action · wp_print_scripts · modules\cleanup\cleanup.php:182
action · wp_enqueue_scripts · modules\cleanup\cleanup.php:200
filter · xmlrpc_methods · modules\cleanup\cleanup.php:218
filter · wp_headers · modules\cleanup\cleanup.php:227
action · template_redirect · modules\cleanup\cleanup.php:245
filter · author_link · modules\cleanup\cleanup.php:281
action · wp_enqueue_scripts · modules\cleanup\cleanup.php:299
filter · pre_site_transient_update_core · modules\cleanup\cleanup.php:318
filter · pre_site_transient_update_plugins · modules\cleanup\cleanup.php:324
filter · pre_site_transient_update_themes · modules\cleanup\cleanup.php:328
action · admin_bar_menu · modules\cleanup\cleanup.php:344
action · admin_init · modules\cleanup\cleanup.php:402
action · admin_init · modules\customizeAdmin\customizeAdmin.php:19
action · admin_head · modules\customizeAdmin\customizeAdmin.php:20
action · login_enqueue_scripts · modules\customizeAdmin\customizeAdmin.php:21
filter · admin_footer_text · modules\customizeAdmin\customizeAdmin.php:22
action · admin_init · modules\dashboard\dashboard.php:20
action · wp_dashboard_setup · modules\dashboard\dashboard.php:23
action · load-index.php · modules\dashboard\dashboard.php:24
action · admin_init · modules\menuEditor\menuEditor.php:36
action · admin_print_scripts · modules\menuEditor\menuEditor.php:37
action · admin_print_scripts · modules\menuEditor\menuEditor.php:39
action · admin_init · modules\optimize\optimize.php:25
action · admin_init · modules\originalCss\originalCss.php:29
action · wp · modules\originalCss\originalCss.php:37
filter · wp_head · modules\originalCss\originalCss.php:46
action · admin_init · modules\originalJs\originalJs.php:29
action · wp · modules\originalJs\originalJs.php:37
filter · wp_head · modules\originalJs\originalJs.php:46
action · admin_menu · modules\templateEditor\templateEditor.php:25
action · save_post · modules\templateEditor\templateEditor.php:28
filter · manage_pages_columns · modules\templateEditor\templateEditor.php:30
action · manage_pages_custom_column · modules\templateEditor\templateEditor.php:31
action · admin_init · modules\tools\tools.php:19
action · plugins_loaded · wp-assistant.php:51
action · plugins_loaded · wp-assistant.php:58
Maintenance & Trust

WP Assistant Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.4.34
Last updated: Apr 5, 2016
PHP min version
Downloads: 3K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 40
Developer Profile

WP Assistant Developer Profile

ishihara takashi

2 plugins · 50 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect WP Assistant

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-assistant/modules/aceEditor/assets/aceinit.js
/wp-content/plugins/wp-assistant/modules/aceEditor/assets/ace-editor-style.css
Script Paths
//cdnjs.cloudflare.com/ajax/libs/ace/1.1.9/ace.js
//nightwing.github.io/emmet-core/emmet.js
//cdnjs.cloudflare.com/ajax/libs/ace/1.1.9/ext-emmet.js
//cdnjs.cloudflare.com/ajax/libs/ace/1.1.9/ext-language_tools.js
Version Parameters
wp-assistant/modules/aceEditor/assets/aceinit.js?ver=
wp-assistant/modules/aceEditor/assets/ace-editor-style.css?ver=

HTML / DOM Fingerprints

JS Globals
window.Ace