WP-CORS Security & Risk Analysis

wordpress.org/plugins/wp-cors

Allows AJAX requests from other sites to integrate content from your site using the CORS standard.

1K active installs · v0.2.2 · PHP + WP 3.6+ · Updated Jul 28, 2023
ajax · cors · rest
Score: 61 · C · Use Caution
CVEs total: 2
Unpatched: 1
Last CVE: Jan 28, 2026
Safety Verdict

Is WP-CORS Safe to Use in 2026?

Use With Caution

Score 61/100

WP-CORS has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

2 known CVEs · 1 unpatched · Last CVE: Jan 28, 2026 · Updated 2yr ago
Risk Assessment

The wp-cors plugin v0.2.2 presents a mixed security posture. On the positive side, it demonstrates good practices by exclusively using prepared statements for SQL queries and properly escaping all identified outputs. There are no file operations or external HTTP requests, and no bundled libraries that could be outdated. However, significant concerns arise from the identified attack surface. A single AJAX handler lacks authentication checks, making it a potential entry point for unauthorized actions. The taint analysis revealed one flow with an unsanitized path, which, while not classified as critical or high severity, still represents a potential risk that needs attention.

The plugin's vulnerability history is a major red flag. With two known CVEs, one of which is currently unpatched, the plugin has a documented history of security flaws. The common vulnerability types, Missing Authorization and Cross-site Scripting, align with the static analysis findings of an unprotected AJAX handler and an unsanitized path. The fact that the last vulnerability was recorded on 2026-01-28, and is still unpatched, suggests a lack of ongoing maintenance and timely security updates, which is a critical concern for any WordPress plugin.

In conclusion, while the plugin has some positive coding practices, the presence of an unprotected AJAX endpoint, a taint flow with an unsanitized path, and a history of unpatched vulnerabilities make it a security risk. The unpatched medium-severity vulnerability, coupled with the unprotected entry point, strongly suggests that this plugin should be treated with caution and ideally replaced or updated by its developers.

Key Concerns

  • Unprotected AJAX handler
  • Taint flow with unsanitized path
  • Unpatched CVE (medium severity)
  • History of Missing Authorization vulnerabilities
  • History of XSS vulnerabilities
Vulnerabilities: 2

WP-CORS Security Vulnerabilities

CVEs by Year

  • 2023: 1 CVE
  • 2026: 1 CVE · unpatched

Severity Breakdown

  • Medium: 2 (2 total CVEs)

CVE-2026-25410 · medium · 4.3 · Missing Authorization

WP-CORS <= 0.2.2 - Missing Authorization

Jan 28, 2026 · Unpatched

CVE-2022-47606 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP-CORS <= 0.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Apr 28, 2023 · Patched in 0.2.2 (270d)
Code Analysis
Analyzed Mar 16, 2026

WP-CORS Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 0 (2 escaped)
  • Nonce Checks: 0
  • Capability Checks: 1
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 0

Output Escaping

100% escaped · 2 total outputs
Data Flows: 1 unsanitized

Data Flow Analysis

2 flows · 1 with unsanitized paths
cors_change_domains (wp-cors.php:88)
Attack Surface: 1 unprotected

WP-CORS Attack Surface

Entry Points: 1
Unprotected: 1

AJAX Handlers: 1

  • auth · wp_ajax_cors_change_domains · wp-cors.php:25

WordPress Hooks: 3

  • action · admin_menu · wp-cors.php:20
  • action · admin_init · wp-cors.php:21
  • action · send_headers · wp-cors.php:23
Maintenance & Trust

WP-CORS Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.2.9
Last updated: Jul 28, 2023
PHP min version
Downloads: 39K

Community Trust

Rating: 46/100
Number of ratings: 3
Active installs: 1K
Developer Profile

WP-CORS Developer Profile

tstephenson

1 plugin · 1K total installs

Trust score: 52
Avg Security Score: 61/100
Avg Patch Time: 270 days
Detection Fingerprints

How We Detect WP-CORS

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-cors/wp-cors.php
