WP Group Subscriptions Security & Risk Analysis

wordpress.org/plugins/wp-group-subscriptions

Accepts paying group registrations. Gives access to restricted content for members or groups of members.

0 active installs · v0.1.7 · PHP 7.0.29+ · WP 4.9+ · Updated Dec 27, 2018
Tags: group-subscription, members, paid-members, subscribers, subscription-form
Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is WP Group Subscriptions Safe to Use in 2026?

Generally Safe

Score 85/100

WP Group Subscriptions has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 7yr ago
Risk Assessment

The wp-group-subscriptions plugin version 0.1.7 exhibits a concerning security posture due to a significant number of unprotected entry points. All four identified AJAX handlers lack authentication checks, exposing them to potential unauthorized access and manipulation. Furthermore, the presence of the `unserialize` function and a high number of unsanitized paths identified in the taint analysis are substantial risks. While the plugin has no recorded vulnerability history, this does not negate the inherent dangers present in the current code. The percentage of prepared statements for SQL queries is good, and the output escaping is decent, but these positive aspects are overshadowed by the critical flaws in access control and data handling.

Key Concerns

  • Unprotected AJAX handlers
  • Taint flows with unsanitized paths
  • Dangerous function: unserialize
Vulnerabilities
None known

WP Group Subscriptions Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

WP Group Subscriptions Code Analysis

Dangerous Functions: 5
Raw SQL Queries: 13 (63 prepared)
Unescaped Output: 75 (125 escaped)
Nonce Checks: 10
Capability Checks: 6
File Operations: 22
External Requests: 12
Bundled Libraries: 0

Dangerous Functions Found

unserialize · core\admin\H4AAdminPlugin.php:237
    if( !in_array( $menu_slug, unserialize( H4A_ARRAY_NATIVE_MENUS_SLUGS ) ) ){
unserialize · core\common\features\notices\CommonNotice.php:17
    if( !in_array( $level_notice, unserialize( H4A_NOTICE_LEVELS_ALLOWED ) ) ){
unserialize · core\Config.php:131
    return unserialize( H4A_WGS_CONFIG );
unserialize · core\Config.php:516
    if( isset( $attrs_page['parent'] ) && !in_array( $attrs_page['parent'], unserialize( H4A_ARRAY_NATIV…
unserialize · core\Config.php:1000
    if( !in_array( $parent_page_slug, unserialize( H4A_ARRAY_NATIVE_MENUS_SLUGS ) ) ){

SQL Query Safety

83% prepared · 76 total queries

Output Escaping

63% escaped · 200 total outputs
Data Flows
17 unsanitized

Data Flow Analysis

24 flows · 17 with unsanitized paths
init_template_content (admin\headings\accounting\Edit_Subscriber.php:87)
Attack Surface
4 unprotected

WP Group Subscriptions Attack Surface

Entry Points: 4
Unprotected: 4

AJAX Handlers 4

auth · wp_ajax_getEmailSubscriberByAjax · admin\Admin.php:28
nopriv · wp_ajax_getEmailSubscriberByAjax · admin\Admin.php:29
auth · wp_ajax_puc_v4_debug_check_now · core\admin\features\update\Puc\v4p4\DebugBar\Extension.php:21
auth · wp_ajax_puc_v4_debug_request_info · core\admin\features\update\Puc\v4p4\DebugBar\PluginExtension.php:12

WordPress Hooks 61

action · admin_menu · admin\Admin.php:35
action · admin_notices · admin\Admin.php:37
action · admin_enqueue_scripts · admin\Admin.php:39
action · widgets_init · common\Common.php:12
action · admin_footer · core\admin\features\page\template\list-table\H4A_List_Table_Base.php:136
filter · debug_bar_panels · core\admin\features\update\Puc\v4p4\DebugBar\Extension.php:18
action · debug_bar_enqueue_scripts · core\admin\features\update\Puc\v4p4\DebugBar\Extension.php:19
filter · plugins_api · core\admin\features\update\Puc\v4p4\Plugin\UpdateChecker.php:91
filter · plugin_row_meta · core\admin\features\update\Puc\v4p4\Plugin\UpdateChecker.php:93
filter · plugin_row_meta · core\admin\features\update\Puc\v4p4\Plugin\UpdateChecker.php:94
action · admin_init · core\admin\features\update\Puc\v4p4\Plugin\UpdateChecker.php:95
action · all_admin_notices · core\admin\features\update\Puc\v4p4\Plugin\UpdateChecker.php:96
filter · upgrader_post_install · core\admin\features\update\Puc\v4p4\Plugin\UpdateChecker.php:99
action · delete_site_transient_update_plugins · core\admin\features\update\Puc\v4p4\Plugin\UpdateChecker.php:100
filter · cron_schedules · core\admin\features\update\Puc\v4p4\Scheduler.php:51
action · admin_init · core\admin\features\update\Puc\v4p4\Scheduler.php:61
action · load-update-core.php · core\admin\features\update\Puc\v4p4\Scheduler.php:65
action · upgrader_process_complete · core\admin\features\update\Puc\v4p4\Scheduler.php:72
action · init · core\admin\features\update\Puc\v4p4\UpdateChecker.php:83
filter · upgrader_source_selection · core\admin\features\update\Puc\v4p4\UpdateChecker.php:127
filter · http_request_host_is_external · core\admin\features\update\Puc\v4p4\UpdateChecker.php:131
action · plugins_loaded · core\admin\features\update\Puc\v4p4\UpdateChecker.php:137
action · puc_api_error · core\admin\features\update\Puc\v4p4\UpdateChecker.php:226
filter · upgrader_pre_install · core\admin\features\update\Puc\v4p4\UpgraderStatus.php:18
filter · upgrader_package_options · core\admin\features\update\Puc\v4p4\UpgraderStatus.php:19
filter · upgrader_post_install · core\admin\features\update\Puc\v4p4\UpgraderStatus.php:20
action · upgrader_process_complete · core\admin\features\update\Puc\v4p4\UpgraderStatus.php:21
filter · upgrader_pre_download · core\admin\features\update\Puc\v4p4\Vcs\GitHubApi.php:362
filter · http_request_args · core\admin\features\update\Puc\v4p4\Vcs\GitHubApi.php:387
action · wp_loaded · core\admin\H4AAdminPlugin.php:144
action · admin_menu · core\admin\H4AAdminPlugin.php:146
action · admin_enqueue_scripts · core\admin\H4AAdminPlugin.php:173
action · wp_mail_failed · core\common\features\email\Email.php:18
action · admin_init · core\common\features\settings\SettingsTrait.php:28
action · init · core\common\H4ACommonPlugin.php:102
action · admin_enqueue_scripts · core\common\H4ACommonPlugin.php:104
action · wp_enqueue_scripts · core\common\H4ACommonPlugin.php:106
action · wp · core\front-end\features\shortcode\Shortcode.php:27
action · wp_enqueue_scripts · core\front-end\H4AFrontEndPlugin.php:97
action · plugins_loaded · core\init.php:75
action · plugins_loaded · core\init.php:76
filter · template_include · front-end\shortcodes\activation\ActivationShortcode.php:30
action · template_redirect · front-end\shortcodes\activation\ActivationShortcode.php:31
action · wp_enqueue_scripts · front-end\shortcodes\activation\ActivationShortcode.php:32
filter · template_include · front-end\shortcodes\login\LoginShortcode.php:42
action · template_redirect · front-end\shortcodes\login\LoginShortcode.php:43
action · wp_enqueue_scripts · front-end\shortcodes\login\LoginShortcode.php:48
filter · template_include · front-end\shortcodes\my-profile\MyProfileShortcode.php:33
action · template_redirect · front-end\shortcodes\my-profile\MyProfileShortcode.php:34
action · wp_enqueue_scripts · front-end\shortcodes\my-profile\profile-account\ProfileAccountShortcode.php:29
action · wp_enqueue_scripts · front-end\shortcodes\my-profile\profile-subscription\ProfileSubscriptionShortcode.php:24
action · wp_enqueue_scripts · front-end\shortcodes\payment-return\PaymentReturnShortcode.php:30
filter · template_include · front-end\shortcodes\payment-return\PaymentReturnShortcode.php:31
action · template_redirect · front-end\shortcodes\plan-forms\PlanFormsShortcode.php:48
action · wp_enqueue_scripts · front-end\shortcodes\plan-forms\PlanFormsShortcode.php:49
action · wp_enqueue_scripts · front-end\shortcodes\plan-forms\PlanFormsShortcode.php:50
filter · template_include · front-end\shortcodes\plan-forms\PlanFormsShortcode.php:51
action · wp_enqueue_scripts · front-end\shortcodes\plans-list\PlansListShortcode.php:33
action · wp_enqueue_scripts · front-end\shortcodes\plans-list\PlansListShortcode.php:44
filter · template_include · front-end\shortcodes\restricted-content\RestrictedContentShortcode.php:11
action · wp_enqueue_scripts · front-end\shortcodes\restricted-content\RestrictedContentShortcode.php:12

Scheduled Events 2

wgs_scheduled_plan_expirations_checking
wgs_scheduled_license_expirations_checking
Maintenance & Trust

WP Group Subscriptions Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.0.25
Last updated: Dec 27, 2018
PHP min version: 7.0.29
Downloads: 1K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 0
Developer Profile

WP Group Subscriptions Developer Profile

Hive 4 Apps

2 plugins · 0 total installs

Trust score: 89
Avg Security Score: 93/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect WP Group Subscriptions

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-group-subscriptions/css/styles.css
/wp-content/plugins/wp-group-subscriptions/js/common.js
/wp-content/plugins/wp-group-subscriptions/js/form-validation.js
/wp-content/plugins/wp-group-subscriptions/js/payment-validation.js
/wp-content/plugins/wp-group-subscriptions/js/shortcode-loader.js

Script Paths
/wp-content/plugins/wp-group-subscriptions/js/common.js
/wp-content/plugins/wp-group-subscriptions/js/form-validation.js
/wp-content/plugins/wp-group-subscriptions/js/payment-validation.js
/wp-content/plugins/wp-group-subscriptions/js/shortcode-loader.js

Version Parameters
wp-group-subscriptions/css/styles.css?ver=
wp-group-subscriptions/js/common.js?ver=
wp-group-subscriptions/js/form-validation.js?ver=
wp-group-subscriptions/js/payment-validation.js?ver=
wp-group-subscriptions/js/shortcode-loader.js?ver=

HTML / DOM Fingerprints

CSS Classes
wgs-subscriber-edit-form
wgs-plan-selection
wgs-payment-form
wgs-subscription-details

HTML Comments
<!-- BEGIN WGS SHORTCODE -->
<!-- END WGS SHORTCODE -->

Data Attributes
data-wgs-plan-id
data-wgs-subscriber-id
data-wgs-action

JS Globals
WGS_AJAX_URL
WGS_NONCE
WGS_PLAN_OPTIONS
WGS_CURRENCY_SYMBOL
WGS_FORM_VALIDATION_RULES

REST Endpoints
/wp-json/wp-group-subscriptions/v1/plans
/wp-json/wp-group-subscriptions/v1/payment/process

Shortcode Output
[wgs_subscription_form]
[wgs_member_list]
[wgs_plan_details]