Does WP Bulk Delete have any unpatched vulnerabilities?

No published vulnerabilities and no findings under coordinated disclosure as of the latest data update. Always keep the plugin updated to the latest version.

Is WP Bulk Delete compatible with WordPress 6.9.4?

According to WordPress.org data, WP Bulk Delete 1.3.9 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

Is WP Bulk Delete compatible with PHP 5.3+?

WP Bulk Delete requires PHP 5.3 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is WP Bulk Delete updated?

WP Bulk Delete was last updated on Mar 6, 2026. Frequent updates are generally a positive security signal.

What is WP Bulk Delete's security score?

WP Bulk Delete has a WP-Safety security score of 98/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

WP Bulk Delete Security & Risk Analysis

wordpress.org/plugins/wp-bulk-delete

Delete posts, pages, comments, users, taxonomy terms and meta fields in bulk with different powerful filters and conditions.

100K active installs v1.3.9 PHP 5.3+ WP 4.9+ Updated Mar 6, 2026

bulkbulk-cleanbulk-deleteclean-databasedelete

A · Safe

CVEs total2

Unpatched0

Last CVEAug 27, 2025

Plugin page Download

Safety Verdict

Is WP Bulk Delete Safe to Use in 2026?

Generally Safe

Score 98/100

WP Bulk Delete has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

2 known CVEsLast CVE: Aug 27, 2025Updated 2mo ago

Risk Assessment

The "wp-bulk-delete" plugin v1.3.9 exhibits a generally good security posture with several positive indicators. The absence of unprotected AJAX handlers, REST API routes, and shortcodes significantly limits its immediate attack surface. The high percentage of SQL queries utilizing prepared statements (89%) and proper output escaping (84%) are strong defenses against common vulnerabilities like SQL injection and Cross-Site Scripting. The presence of nonce and capability checks also indicates an effort to secure various functionalities.

However, the static analysis reveals some areas for concern. Two taint flows with unsanitized paths were detected, though they were not classified as critical or high severity. The fact that these flows exist, even without immediate exploitation potential based on the analysis, suggests a potential for future vulnerabilities if the input handling is not thoroughly reviewed and sanitized. Furthermore, the plugin's vulnerability history, with two medium-severity CVEs in the past, both related to missing authorization and XSS, warrants attention. While there are currently no unpatched vulnerabilities, this pattern suggests that improper input validation and authorization checks have been a recurring issue.

In conclusion, while "wp-bulk-delete" v1.3.9 has implemented several security best practices, the presence of unsanitized taint flows and its past vulnerability history are weaknesses that cannot be ignored. The plugin should be kept updated, and a thorough code audit focusing on input validation and authorization for all entry points, especially those associated with the identified taint flows, is recommended to mitigate potential risks.

Key Concerns

Taint flows with unsanitized paths detected
Previous medium severity vulnerabilities (2 total)

Vulnerabilities

2 published

WP Bulk Delete Security Vulnerabilities

CVEs by Year

1 CVE in 2024

2024

1 CVE in 2025

2025

Patched Has unpatched

Severity Breakdown

Medium

2 total CVEs

CVE-2025-58192medium · 4.3Missing Authorization

WP Bulk Delete <= 1.3.6 - Missing Authorization

Aug 27, 2025 Patched in 1.3.7 (8d)

CVE-2024-47352medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Bulk Delete <= 1.3.1 - Reflected Cross-Site Scripting

Sep 30, 2024 Patched in 1.3.2 (11d)

Version History

WP Bulk Delete Release Timeline

v1.3.9Current

v1.3.8

v1.3.7

v1.3.61 CVE

v1.3.51 CVE

v1.3.41 CVE

v1.3.31 CVE

v1.3.21 CVE

v1.3.12 CVEs

CVE-2025-58192 CVE-2024-47352

v1.3.02 CVEs

CVE-2025-58192 CVE-2024-47352

v1.2.92 CVEs

CVE-2025-58192 CVE-2024-47352

v1.2.82 CVEs

CVE-2025-58192 CVE-2024-47352

v1.2.72 CVEs

CVE-2025-58192 CVE-2024-47352

v1.2.62 CVEs

CVE-2025-58192 CVE-2024-47352

v1.2.52 CVEs

CVE-2025-58192 CVE-2024-47352

v1.2.42 CVEs

CVE-2025-58192 CVE-2024-47352

v1.2.32 CVEs

CVE-2025-58192 CVE-2024-47352

v1.2.22 CVEs

CVE-2025-58192 CVE-2024-47352

v1.2.12 CVEs

CVE-2025-58192 CVE-2024-47352

v1.2.02 CVEs

CVE-2025-58192 CVE-2024-47352

Code Analysis

Analyzed Mar 17, 2026

WP Bulk Delete Code Analysis

Dangerous Functions

Raw SQL Queries

62 prepared

Unescaped Output

236 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

jQuery

SQL Query Safety

89% prepared70 total queries

Output Escaping

84% escaped281 total outputs

Data Flows · Security

2 unsanitized

Data Flow Analysis

2 flows2 with unsanitized paths

wpbd_delete_posts_page (includes\admin\posts\display-delete-posts.php:23)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

WP Bulk Delete Attack Surface

Entry Points8

Unprotected0

AJAX Handlers 8

authwp_ajax_delete_posts_countincludes\ajax-functions.php:67

authwp_ajax_render_taxonomy_by_posttypeincludes\ajax-functions.php:102

authwp_ajax_render_terms_by_taxonomyincludes\ajax-functions.php:142

authwp_ajax_delete_users_countincludes\ajax-functions.php:196

authwp_ajax_delete_comments_countincludes\ajax-functions.php:253

authwp_ajax_delete_meta_countincludes\ajax-functions.php:332

authwp_ajax_delete_terms_countincludes\ajax-functions.php:398

authwp_ajax_render_postdropdown_by_posttypeincludes\ajax-functions.php:438

WordPress Hooks 38

actionadmin_menuincludes\admin\admin-pages.php:45

filtersubmenu_fileincludes\admin\admin-pages.php:67

actionwpbd_add_addon_menuincludes\admin\admin-pages.php:85

actionadmin_footerincludes\class-wpbd-plugin-deactivation.php:41

actionwpbd_display_available_in_proincludes\common-functions.php:106

actiontimeout_memory_is_enoughincludes\common-functions.php:134

actionadmin_post_wpbd_delete_postincludes\common-functions.php:137

actiondelete_pctu_noticeincludes\common-functions.php:336

actionwpbd_delete_comments_formincludes\delele-comments-form-functions.php:15

actionwpbd_delete_comments_formincludes\delele-comments-form-functions.php:16

actionwpbd_delete_comments_formincludes\delele-comments-form-functions.php:17

actionwpbd_delete_comments_formincludes\delele-comments-form-functions.php:18

actionwpbd_delete_comments_formincludes\delele-comments-form-functions.php:19

actionwpbd_delete_comments_formincludes\delele-comments-form-functions.php:20

actionwpbd_delete_comments_formincludes\delele-comments-form-functions.php:21

actionwpbd_delete_comments_formincludes\delele-comments-form-functions.php:22

actionrender_form_by_posttypeincludes\delele-posts-form-functions.php:16

actionrender_form_by_authorincludes\delele-posts-form-functions.php:19

actionrender_form_by_titleincludes\delele-posts-form-functions.php:22

actionrender_form_by_taxonomyincludes\delele-posts-form-functions.php:25

actionrender_form_by_custom_fieldsincludes\delele-posts-form-functions.php:28

actionrender_form_generalincludes\delele-posts-form-functions.php:31

actionrender_form_by_charector_countincludes\delele-posts-form-functions.php:32

actionrender_form_by_charector_countincludes\delele-posts-form-functions.php:33

actionrender_form_by_charector_countincludes\delele-posts-form-functions.php:34

actionwpbd_delete_terms_formincludes\delele-terms-form-functions.php:15

actionwpbd_delete_terms_formincludes\delele-terms-form-functions.php:16

actionwpbd_delete_users_formincludes\delele-users-form-functions.php:15

actionwpbd_delete_users_advance_formincludes\delele-users-form-functions.php:16

actionwpbd_delete_users_advance_formincludes\delele-users-form-functions.php:17

actionwpbd_delete_users_advance_formincludes\delele-users-form-functions.php:18

actionwpbd_delete_users_advance_formincludes\delele-users-form-functions.php:19

actionwpbd_delete_users_advance_formincludes\delele-users-form-functions.php:20

actionwpbd_delete_users_advance_formincludes\delele-users-form-functions.php:21

actionwpbd_delete_users_date_formincludes\delele-users-form-functions.php:22

actionwpbd_delete_users_action_limit_formincludes\delele-users-form-functions.php:23

actionadmin_enqueue_scriptsincludes\scripts.php:58

actionadmin_enqueue_scriptsincludes\scripts.php:59

Scheduled Events 2

wpbd_run_scheduled_delete

Maintenance & Trust

WP Bulk Delete Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedMar 6, 2026

PHP min version5.3

Downloads1.3M

Community Trust

Rating92/100

Number of ratings122

Active installs100K

Alternatives

WP Bulk Delete Alternatives

Bulk Delete

bulk-delete

100

Bulk delete posts, pages, users, attachments, and meta fields based on complex bulk conditions & filters.

30K 1 CVE

Users Bulk Delete With Preview

users-bulk-delete-with-preview

100

Easily delete multiple WordPress users with the Users Bulk Delete With Preview plugin. Preview details before removal for accuracy and better control.

40 No CVEs

Bulk Manager

bulk-manager

An easier way to update/delete your pages/posts content, excerpt, categories, tags, taxonomies, author and media at once.

0 No CVEs

Delete User Media Files

delete-user-media

This is simple plugin to remove media files uploaded by the user, plugin offer to include/exclude certain users to delete bulk media files or you can …

0 No CVEs

Bulk Clean

easy-clean

Bulk clean allow you to delete unwanted posts, pages, custom post etc with a single click.

0 No CVEs

Developer Profile

WP Bulk Delete Developer Profile

Xylus Themes

13 plugins · 110K total installs

trust score

Avg Security Score

95/100

Avg Patch Time

105 days

View full developer profile

Detection Fingerprints

How We Detect WP Bulk Delete

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/wp-bulk-delete/assets/css/main.css/wp-content/plugins/wp-bulk-delete/assets/css/select2.min.css/wp-content/plugins/wp-bulk-delete/assets/js/main.js/wp-content/plugins/wp-bulk-delete/assets/js/select2.min.js/wp-content/plugins/wp-bulk-delete/assets/js/clipboard.min.js

Script Paths

/wp-content/plugins/wp-bulk-delete/assets/js/main.js/wp-content/plugins/wp-bulk-delete/assets/js/select2.min.js/wp-content/plugins/wp-bulk-delete/assets/js/clipboard.min.js

Version Parameters

wp-bulk-delete/assets/css/main.css?ver=wp-bulk-delete/assets/css/select2.min.css?ver=wp-bulk-delete/assets/js/main.js?ver=wp-bulk-delete/assets/js/select2.min.js?ver=wp-bulk-delete/assets/js/clipboard.min.js?ver=

HTML / DOM Fingerprints

CSS Classes

wpbd-bulk-delete-formwpbd-delete-posts-formwpbd-delete-users-formwpbd-delete-comments-formwpbd-delete-meta-formwpbd-delete-terms-formwpbd-cleanup-formwpbd-support-page-form

HTML Comments

+13 more

Data Attributes

data-bulk-delete-noncedata-bulk-delete-type

JS Globals

WPBD_AJAX_URLWPBD_DELETE_API_NONCEWPBD_AJAX_NONCE

FAQ

WP Bulk Delete Security & Risk Analysis

Is WP Bulk Delete Safe to Use in 2026?

Generally Safe

Key Concerns

WP Bulk Delete Security Vulnerabilities

CVEs by Year

Severity Breakdown

WP Bulk Delete Release Timeline

WP Bulk Delete Code Analysis

Bundled Libraries

SQL Query Safety

Output Escaping

Data Flow Analysis

WP Bulk Delete Attack Surface

AJAX Handlers 8

Scheduled Events 2

WP Bulk Delete Maintenance & Trust

Maintenance Signals

Community Trust

WP Bulk Delete Alternatives

Bulk Delete

Users Bulk Delete With Preview

Bulk Manager

Delete User Media Files

Bulk Clean

WP Bulk Delete Developer Profile

How We Detect WP Bulk Delete

Asset Fingerprints

HTML / DOM Fingerprints

Frequently Asked Questions about WP Bulk Delete