WP Experience API Security & Risk Analysis

wordpress.org/plugins/wp-experience-api

Adds the ability for WordPress to send preset xAPI statements to a Learning Record Store

20 active installs · v1.0 · PHP + · WP 3.5+ · Updated Aug 11, 2015
Tags: badgeos, experience-api, lrs, tincan, xapi
85
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is WP Experience API Safe to Use in 2026?

Generally Safe

Score 85/100

WP Experience API has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 10yr ago
Risk Assessment

The wp-experience-api plugin v1.0 exhibits a generally good security posture, with no known historical vulnerabilities and a commendable lack of critical or high severity issues in taint analysis. The static analysis reveals a small attack surface with all entry points adequately protected by nonce and capability checks. The plugin also demonstrates good practices in its SQL query handling, with a high percentage of prepared statements and generally good output escaping.

However, there is a significant concern regarding the use of the `unserialize` function. Without proper validation of the serialized data, this can lead to Remote Code Execution (RCE) vulnerabilities, especially if the data originates from user input or an untrusted source. Although no taint flows were identified as unsanitized, the mere presence of `unserialize` is a red flag that requires careful attention. The plugin's vulnerability history being empty is a positive sign, but it doesn't negate the inherent risk associated with dangerous functions if not handled with extreme caution.

Key Concerns

  • Use of unserialize() function
Vulnerabilities
None known

WP Experience API Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

WP Experience API Code Analysis

  • Dangerous Functions: 1
  • Raw SQL Queries: 1 (4 prepared)
  • Unescaped Output: 16 (53 escaped)
  • Nonce Checks: 1
  • Capability Checks: 1
  • File Operations: 1
  • External Requests: 0
  • Bundled Libraries: 0

Dangerous Functions Found

  • unserialize: `$instance->statement = new TinCan\Statement( unserialize( $data->statement ) );` (wp-experience-api-queue-obj.php:174)

SQL Query Safety

80% prepared · 5 total queries

Output Escaping

77% escaped · 69 total outputs
Attack Surface

WP Experience API Attack Surface

Entry Points: 2
Unprotected: 0

AJAX Handlers: 2

  • auth · wp_ajax_run_queue · wp-experience-api-admin.php:82
  • auth · wp_ajax_run_queue · wp-experience-api-admin.php:620

WordPress Hooks: 13

  • action · admin_menu · wp-experience-api-admin.php:75
  • action · admin_init · wp-experience-api-admin.php:76
  • action · admin_footer · wp-experience-api-admin.php:83
  • action · network_admin_menu · wp-experience-api-admin.php:615
  • action · admin_init · wp-experience-api-admin.php:616
  • action · admin_footer · wp-experience-api-admin.php:621
  • action · admin_notices · wp-experience-api.php:91
  • action · admin_notices · wp-experience-api.php:109
  • action · admin_notices · wp-experience-api.php:117
  • action · admin_notices · wp-experience-api.php:123
  • action · init · wp-experience-api.php:136
  • action · admin_notices · wp-experience-api.php:139
  • action · network_admin_notices · wp-experience-api.php:140
Maintenance & Trust

WP Experience API Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.2.39
Last updated: Aug 11, 2015
PHP min version
Downloads: 5K

Community Trust

Rating: 90/100
Number of ratings: 2
Active installs: 20
Developer Profile

WP Experience API Developer Profile

ctltwp

15 plugins · 6K total installs

Trust score: 77
Avg Security Score: 84/100
Avg Patch Time: 34 days
Detection Fingerprints

How We Detect WP Experience API

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wp-experience-api/includes/tin-can-php/tin-can.min.js
  • /wp-content/plugins/wp-experience-api/js/wpxapi-admin.js
  • /wp-content/plugins/wp-experience-api/css/wpxapi-admin.css
Version Parameters
  • wp-experience-api/css/wpxapi-admin.css?ver=
  • wp-experience-api/js/wpxapi-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • wpxapi-options-page
  • wpxapi-network-options-page
JS Globals
WPXAPIAdmin