WP-ISPConfig Security & Risk Analysis

wordpress.org/plugins/wp-ispconfig

WordPress interface for ISPConfig ~ Hosting Control Panel. The plugin allows you to add a new client with all needed steps with just one click.

10 active installs · v3.1 · PHP + · WP 4.9+ · Updated Nov 2, 2019
Tags: host, hosting, ispconfig, manager, remote
Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is WP-ISPConfig Safe to Use in 2026?

Generally Safe

Score 85/100

WP-ISPConfig has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 6yr ago
Risk Assessment

The wp-ispconfig v3.1 plugin demonstrates a generally strong security posture, with no reported vulnerabilities or critical issues identified in the taint analysis. The plugin effectively utilizes prepared statements for all SQL queries, indicating a good practice to prevent SQL injection. Furthermore, the presence of nonce and capability checks on its entry points is a positive sign of robust access control. However, a significant concern arises from the low percentage of properly escaped output. With only 8% of 90 outputs being properly escaped, there's a high risk of Cross-Site Scripting (XSS) vulnerabilities, allowing attackers to inject malicious scripts into the website. The plugin also makes an external HTTP request, which, while not inherently a vulnerability, could pose a risk if the external resource is compromised or if the request is not handled securely. Despite the lack of known CVEs and critical taint flows, the insufficient output escaping is a major weakness that warrants immediate attention.

Key Concerns

  • Low percentage of properly escaped output
  • Presence of external HTTP request
Vulnerabilities
None known

WP-ISPConfig Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

WP-ISPConfig Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 83 (7 escaped)
Nonce Checks: 6
Capability Checks: 5
File Operations: 0
External Requests: 1
Bundled Libraries: 0

Output Escaping

8% escaped · 90 total outputs
Data Flows
All sanitized

Data Flow Analysis

4 flows
save (includes\domain-alias.php:330)
Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface

WP-ISPConfig Attack Surface

Entry Points: 3
Unprotected: 0

AJAX Handlers 3

auth · wp_ajax_wpispconfig_cmb_domain · includes\domain-alias.php:21
auth · wp_ajax_wpispconfig_select_client · includes\new-website.php:28
auth · wp_ajax_ispconfig_testconnection · includes\settings.php:35
WordPress Hooks 17
action · admin_menu · includes\dashboard.php:27
action · admin_post_ispconfig_refresh_list · includes\dashboard.php:29
action · admin_init · includes\default-values.php:34
action · admin_menu · includes\default-values.php:35
filter · parent_file · includes\default-values.php:37
filter · submenu_file · includes\default-values.php:38
action · admin_menu · includes\domain-alias.php:18
action · admin_post_ispconfig_domain_alias_save · includes\domain-alias.php:22
action · admin_menu · includes\new-website.php:22
action · admin_post_ispconfig_allinone_save · includes\new-website.php:24
action · wpispconfig_all_in_one_before_table · includes\new-website.php:25
filter · wpispconfig_all_in_one_success_notices · includes\new-website.php:26
filter · wpispconfig_values_all_in_one_before_create · includes\new-website.php:27
action · admin_notices · includes\notices.php:29
action · admin_init · includes\settings.php:32
action · admin_menu · includes\settings.php:33
action · plugins_loaded · wp-ispconfig.php:154
Maintenance & Trust

WP-ISPConfig Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.3.21
Last updated: Nov 2, 2019
PHP min version
Downloads: 5K

Community Trust

Rating: 96/100
Number of ratings: 4
Active installs: 10
Developer Profile

WP-ISPConfig Developer Profile

etruel

11 plugins · 13K total installs

Trust score: 74
Avg Security Score: 93/100
Avg Patch Time: 116 days
Detection Fingerprints

How We Detect WP-ISPConfig

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-ispconfig/assets/images/pror.png
/wp-content/plugins/wp-ispconfig/assets/js/domain-alias.js
Script Paths
/wp-content/plugins/wp-ispconfig/assets/js/domain-alias.js
Version Parameters
wp-ispconfig/assets/js/domain-alias.js?ver=
/wp-content/plugins/wp-ispconfig/assets/js/domain-alias.js?ver=

HTML / DOM Fingerprints

HTML Comments
<!-- admin actions -->
<!-- admin_print_styles- -->
<!-- admin_print_scripts- -->
<!-- admin_post.php -->
Data Attributes
autocomplete="off"
JS Globals
js_wpconfig_domain_alias