WP Docs Security & Risk Analysis

wordpress.org/plugins/wp-docs

A documents management tool for education portals.

1K active installs · v2.3.0 · PHP 7.0+ · WP 3.5+ · Updated Mar 13, 2026
directory, documents, library-folders, memphis-documents-library, wp-docs
95
A · Safe
CVEs total: 8
Unpatched: 0
Last CVE: Jan 21, 2026
Safety Verdict

Is WP Docs Safe to Use in 2026?

Generally Safe

Score 95/100

WP Docs has a strong security track record. Known vulnerabilities have been patched promptly.

8 known CVEs · Last CVE: Jan 21, 2026 · Updated 21d ago
Risk Assessment

The 'wp-docs' v2.3.0 plugin exhibits a mixed security posture. On one hand, it demonstrates good practices by utilizing prepared statements for all SQL queries and performing nonce checks on all identified AJAX handlers. The absence of external HTTP requests and the minimal number of file operations are also positive indicators. However, there are notable concerns. The presence of one AJAX handler without authentication checks represents a significant attack vector, especially given the plugin's history. The taint analysis, while not revealing critical or high-severity issues in this version, did identify two flows with unsanitized paths, suggesting potential for injection vulnerabilities if not handled meticulously. The output escaping, while high overall, has a concerning 32% of outputs not being properly escaped, which could lead to XSS vulnerabilities.

The vulnerability history of this plugin is a major red flag. With a total of 8 known CVEs, all of which are medium severity, it indicates a recurring pattern of security flaws. The types of past vulnerabilities, including missing authorization, SQL injection, XSS, and CSRF, align with the potential risks identified in the code analysis. The fact that all past vulnerabilities are currently unpatched (based on the provided data suggesting the last vulnerability was in 2026) is particularly alarming, suggesting potential for exploitation of these known weaknesses. The plugin's strengths lie in its database query security and nonce checks, but these are significantly overshadowed by its historical vulnerability record and the presence of unprotected entry points in the current version.

Key Concerns

  • Unprotected AJAX handler found
  • 2 unsanitized paths in taint analysis
  • 32% of outputs not properly escaped
  • 8 medium severity CVEs recorded
Vulnerabilities: 8

WP Docs Security Vulnerabilities

CVEs by Year

  • 2023: 2 CVEs
  • 2024: 3 CVEs
  • 2025: 2 CVEs
  • 2026: 1 CVE

Severity Breakdown

Medium: 8

8 total CVEs

CVE-2026-24990 · medium · 4.3 · Missing Authorization

WP Docs <= 2.2.8 - Missing Authorization

Jan 21, 2026 · Patched in 2.2.9 (21d)

CVE-2025-31417 · medium · 4.3 · Missing Authorization

WP Docs <= 2.2.6 - Missing Authorization

Mar 29, 2025 · Patched in 2.2.7 (11d)

CVE-2024-56288 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Docs <= 2.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Jan 3, 2025 · Patched in 2.2.2 (6d)

CVE-2024-12635 · medium · 6.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WP Docs <= 2.2.0 - Authenticated (Subscriber+) Time-Based SQL Injection via 'dir_id'

Dec 20, 2024 · Patched in 2.2.1 (1d)

CVE-2024-35695 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Docs <= 2.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jun 6, 2024 · Patched in 2.1.4 (8d)

CVE-2024-35696 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Docs <= 2.1.3 - Reflected Cross-Site Scripting

Jun 6, 2024 · Patched in 2.1.4 (8d)

CVE-2023-32106 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Docs <= 1.9.9 - Reflected Cross-Site Scripting

May 2, 2023 · Patched in 2.0.0 (266d)

CVE-2023-30873 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

WP Docs <= 1.9.8 - Cross-Site Request Forgery to folder management

Apr 18, 2023 · Patched in 1.9.9 (280d)

Code Analysis
Analyzed Mar 16, 2026

WP Docs Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (13 prepared)
Unescaped Output: 108 (234 escaped)
Nonce Checks: 11
Capability Checks: 8
File Operations: 12
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared · 13 total queries

Output Escaping

68% escaped · 342 total outputs

Data Flows: 2 unsanitized

Data Flow Analysis

10 flows · 2 with unsanitized paths
<wpdocs_settings> (inc\wpdocs_settings.php:0)

Attack Surface: 1 unprotected

WP Docs Attack Surface

Entry Points: 11
Unprotected: 1

AJAX Handlers: 10

  • auth · wp_ajax_wpdocs_create_folder · inc\functions.php:627
  • auth · wp_ajax_wpdocs_add_files · inc\functions.php:762
  • auth · wp_ajax_wpdocs_update_folder · inc\functions.php:2043
  • auth · wp_ajax_wpdocs_delete_folder · inc\functions.php:2097
  • auth · wp_ajax_wpdocs_delete_files · inc\functions.php:2124
  • auth · wp_ajax_wpdocs_update_option · inc\functions.php:2244
  • auth · wp_ajax_wpdocs_update_view · inc\functions.php:2527
  • nopriv · wp_ajax_wpdocs_update_view · inc\functions.php:2528
  • auth · wp_ajax_wp_docs_import_memphis_docs · inc\functions.php:2952
  • auth · wp_ajax_wp_docs_import_memphis_rollback · inc\functions.php:2991

Shortcodes: 1

  • [wpdocs] · inc\functions.php:945

WordPress Hooks: 12

  • action · admin_init · inc\common.php:2
  • filter · ajax_query_attachments_args · inc\functions.php:117
  • action · admin_enqueue_scripts · inc\functions.php:281
  • action · wp_enqueue_scripts · inc\functions.php:283
  • filter · upload_mimes · inc\functions.php:384
  • action · admin_menu · inc\functions.php:466
  • action · admin_footer · inc\functions.php:2242
  • action · wpdocs_before_docs_list · inc\functions.php:2474
  • action · init · inc\functions.php:2749
  • filter · pre_delete_attachment · inc\functions.php:3287
  • action · pre_uninstall_plugin · inc\functions.php:3306
  • action · init · inc\functions.php:3635

Maintenance & Trust

WP Docs Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 13, 2026
PHP min version: 7.0
Downloads: 61K

Community Trust

Rating: 96/100
Number of ratings: 17
Active installs: 1K

Developer Profile

WP Docs Developer Profile

Fahad Mahmood

40 plugins · 33K total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 237 days
Detection Fingerprints

How We Detect WP Docs

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wp-docs/css/bootstrap.min.css
  • /wp-content/plugins/wp-docs/css/slimselect.css
  • /wp-content/plugins/wp-docs/css/jquery-ui.css
  • /wp-content/plugins/wp-docs/css/fontawesome.min.css
  • /wp-content/plugins/wp-docs/css/common-styles.css
  • /wp-content/plugins/wp-docs/css/admin-styles.css
Script Paths
  • /wp-content/plugins/wp-docs/js/bootstrap.min.js
  • /wp-content/plugins/wp-docs/js/slimselect.js
  • /wp-content/plugins/wp-docs/js/jquery.blockUI.js
  • /wp-content/plugins/wp-docs/js/admin-scripts.js
  • /wp-content/plugins/wp-docs/pro/wp-docs-admin.js
Version Parameters
  • wpdocs-common?ver=
  • wpdocs-admin?ver=
  • wpdocs_admin_scripts?ver=

HTML / DOM Fingerprints

CSS Classes
wpdocs-common-styles
Data Attributes
data-wpdocs-update-options-nonce
JS Globals
wpdocs_ajax_object, wpdocs_pro, wpdocs_options, wpdocs_delete_msg, wpdocs_delete_shortcut_msg, target_dir_msg (+8 more)

FAQ

Frequently Asked Questions about WP Docs