WP Better Permalinks Security & Risk Analysis

wordpress.org/plugins/wp-better-permalinks

Set custom friendly permalinks structure: Custom Post Type > Taxonomy > Post and Custom Post Type > Taxonomy instead of default WordPress structure.

1K active installs · v4.2.1 · PHP 7.0+ · WP 5.0+ · Updated Dec 8, 2025
Tags: custom-post-type-permalinks, friendly-permalinks, permalinks-structure, permalinks-tree, taxonomy-term-permalinks
99 · A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Jun 27, 2019
Safety Verdict

Is WP Better Permalinks Safe to Use in 2026?

Generally Safe

Score 99/100

WP Better Permalinks has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Jun 27, 2019 · Updated 3mo ago
Risk Assessment

The "wp-better-permalinks" plugin version 4.2.1 presents a mixed security posture. On the positive side, the code analysis shows a commitment to secure database interactions with all SQL queries using prepared statements and a lack of dangerous functions or file operations. The absence of critical or high severity taint flows and external HTTP requests is also reassuring.

However, significant concerns arise from the attack surface and output escaping. The plugin exposes a single AJAX handler that lacks authentication checks, creating a direct entry point for unauthorized actions. Furthermore, none of its 39 output operations (0%) are properly escaped, indicating a high risk of Cross-Site Scripting (XSS) vulnerabilities. The vulnerability history, while not showing currently unpatched issues, reveals a past high-severity CSRF vulnerability. This pattern suggests a tendency toward vulnerabilities related to input validation and authorization, which is echoed in the current static analysis findings.

In conclusion, while the plugin demonstrates good practices in database security and avoids known dangerous code patterns, the unprotected AJAX endpoint and widespread output escaping flaws are critical weaknesses. These issues significantly outweigh the positive aspects and demand immediate attention. The historical CSRF vulnerability further underscores the need for robust input validation and authorization checks.

Key Concerns

  • Unprotected AJAX handler
  • No output escaping
  • Past high severity vulnerability
  • No capability checks on AJAX
Vulnerabilities: 1

WP Better Permalinks Security Vulnerabilities

CVEs by Year

2019: 1 CVE

Severity Breakdown

High: 1

1 total CVE

CVE-2019-15835 · high · 8.8 · Cross-Site Request Forgery (CSRF)

WP Better Permalinks < 3.0.5 - Cross-Site Request Forgery

Jun 27, 2019 Patched in 3.0.5 (1671d)
Code Analysis
Analyzed Mar 16, 2026

WP Better Permalinks Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (1 prepared)
Unescaped Output: 39 (0 escaped)
Nonce Checks: 2
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared · 1 total queries

Output Escaping

0% escaped · 39 total outputs
Attack Surface: 1 unprotected

WP Better Permalinks Attack Surface

Entry Points: 1
Unprotected: 1

AJAX Handlers: 1

auth · wp_ajax_wbp_notice · app\Admin\Notice.php:13

WordPress Hooks: 23

filter · admin_enqueue_scripts · app\Admin\Assets.php:9
filter · admin_enqueue_scripts · app\Admin\Assets.php:10
filter · wbp_notice_url · app\Admin\Notice.php:11
action · admin_notices · app\Admin\Notice.php:12
filter · wbp_post_term · app\Posttype\Cache.php:11
action · save_post · app\Posttype\Cache.php:12
action · post_type_link · app\Posttype\Link.php:9
filter · register_post_type_args · app\Posttype\Register.php:9
action · generate_rewrite_rules · app\Posttype\Rewrites.php:9
filter · wbp_term_primary · app\Posttype\Yoast.php:9
filter · wbp_config · app\Settings\Config.php:11
filter · wbp_rewrites · app\Settings\Config.php:12
filter · wbp_posttypes · app\Settings\Options.php:9
action · admin_menu · app\Settings\Page.php:9
action · admin_init · app\Settings\Refresh.php:13
action · admin_init · app\Settings\Save.php:11
action · pre_delete_term · app\Taxonomy\Actions.php:18
action · init · app\Taxonomy\Init.php:9
filter · term_link · app\Taxonomy\Link.php:9
filter · wbp_term_link · app\Taxonomy\Link.php:10
filter · term_link · app\Taxonomy\Link.php:30
filter · register_taxonomy_args · app\Taxonomy\Register.php:9
action · generate_rewrite_rules · app\Taxonomy\Rewrites.php:9
Maintenance & Trust

WP Better Permalinks Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 8, 2025
PHP min version: 7.0
Downloads: 33K

Community Trust

Rating: 98/100
Number of ratings: 26
Active installs: 1K
Developer Profile

WP Better Permalinks Developer Profile

Mateusz Gbiorczyk

3 plugins · 541K total installs

Trust score: 77
Avg Security Score: 97/100
Avg Patch Time: 962 days
Detection Fingerprints

How We Detect WP Better Permalinks

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-better-permalinks/public/build/css/styles.css
/wp-content/plugins/wp-better-permalinks/public/build/js/scripts.js
Script Paths
/wp-content/plugins/wp-better-permalinks/public/build/js/scripts.js
Version Parameters
wp-better-permalinks/public/build/css/styles.css?ver=
wp-better-permalinks/public/build/js/scripts.js?ver=
