WP Mechanic Security & Risk Analysis

wordpress.org/plugins/wp-mechanic

WP Mechanic is a combination of WordPress and Android Playstore Applications. Experience a set of hybrid software applications.

10 active installs · v1.6.9 · Requires WP 3.0+ (PHP minimum not listed) · Updated Nov 4, 2024

Tags: hybrid-application, users-list-and-users-roles, users-profiles-like-administrators-authors-and-contributors, woocommerce-customers, wordpress-and-android-users

Score: 92 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is WP Mechanic Safe to Use in 2026?

Generally Safe

Score 92/100

WP Mechanic has no known CVEs. Its last release, v1.6.9, dates from Nov 4, 2024, so "maintained" here means updated within the past year and a half rather than under ongoing development. The CVE history says nothing about the unprotected AJAX handlers covered in the risk assessment below, so weigh both before deploying.

No known CVEs · Updated 1 yr ago
Risk Assessment

The wp-mechanic v1.6.9 plugin presents a concerning security posture because its entire attack surface consists of unprotected AJAX handlers. The scan found no raw SQL queries and no external HTTP requests, but none of the eight AJAX entry points carries a nonce or capability check. Four are registered on wp_ajax_nopriv_ hooks, which WordPress exposes to unauthenticated visitors through /wp-admin/admin-ajax.php; the other four fire for any logged-in user regardless of role, and without a nonce they can also be triggered cross-site from a page the user happens to visit. Whether this is exploitable depends on what each handler does, which the static analysis does not establish.

The static analysis reveals no dangerous functions or critical taint flows. The one moderate finding beyond the handlers is output escaping: 13 of 37 outputs (35%) are escaped, leaving 24 unescaped. The absence of any recorded vulnerability is a positive sign, but it means no one has reported one, not that the unprotected endpoints are safe.

In conclusion, the plugin benefits from a clean vulnerability history and a scan that found no raw SQL or outbound requests, but the unprotected AJAX handlers are a substantial and immediate risk. The missing nonces leave the authenticated handlers open to cross-site request forgery, and the missing capability checks mean any handler that changes state is reachable by the lowest-privileged user who can call it.

Key Concerns

  • 8 AJAX handlers without auth checks
  • 0 Nonce checks detected
  • Only 2 Capability checks detected
  • 35% output escaping - potential XSS
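The pattern behind the concerns above, shown as an added illustration rather than WP Mechanic's own code: a handler registered the weak way (both hooks, no nonce, no capability check, raw echo) next to one that carries the checks the scan counts. Everything named example_* (hook names, option key, JS global) is an assumption made for this example, and the capability chosen is manage_options. It is written as a WordPress must-use plugin and runs only when loaded inside WordPress.

```php
<?php
/**
 * Plugin Name: AJAX hardening illustration
 * Description: Added example, not WP Mechanic code. Copy to wp-content/mu-plugins/ to load it.
 * All example_* names, the option key and the JS global are assumptions for this demo.
 */

// --- Weak pattern (the shape the scan flags) ---
// Registered on both hooks, so an unauthenticated visitor can reach it at
// /wp-admin/admin-ajax.php?action=example_weak_status. No nonce, no capability
// check, input stored and echoed as-is.
add_action( 'wp_ajax_example_weak_status', 'example_weak_status' );
add_action( 'wp_ajax_nopriv_example_weak_status', 'example_weak_status' );
function example_weak_status() {
    $device = $_POST['device'] ?? '';
    update_option( 'example_connected_device', $device ); // state change, CSRF-able
    echo 'Connected: ' . $device;                         // unescaped output
    wp_die();
}

// --- Hardened pattern ---
// 1. Authenticated hook only: no wp_ajax_nopriv_ registration.
add_action( 'wp_ajax_example_safe_status', 'example_safe_status' );
function example_safe_status() {
    // 2. Nonce check: on failure WordPress terminates the request with 403
    //    before any of the code below runs, which blocks cross-site requests.
    check_ajax_referer( 'example_status_nonce', 'nonce' );

    // 3. Capability check: a logged-in subscriber must not change plugin state.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }

    // 4. Sanitize and validate input before it reaches the database.
    $device = isset( $_POST['device'] ) ? sanitize_text_field( wp_unslash( $_POST['device'] ) ) : '';
    if ( '' === $device || strlen( $device ) > 64 ) {
        wp_send_json_error( array( 'message' => 'Invalid device id' ), 400 );
    }
    update_option( 'example_connected_device', $device );

    // 5. Escape on output. wp_send_json_* sends application/json, so the browser
    //    will not render it as HTML; esc_html() is defence in depth for a caller
    //    that drops the message into the DOM.
    wp_send_json_success( array( 'message' => esc_html( 'Connected: ' . $device ) ) );
}

// Hand the nonce to the front end via a localized JS global (the same mechanism
// that produces wm_ajax_obj on WP Mechanic pages). The inline helper sends it
// back as the `nonce` field and writes the reply with textContent, not innerHTML.
add_action( 'admin_enqueue_scripts', function () {
    wp_register_script( 'example-ajax', false, array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-ajax', 'example_ajax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_status_nonce' ),
    ) );
    $js = <<<'JS'
function exampleConnect(device) {
  jQuery.post(example_ajax.url, { action: 'example_safe_status', nonce: example_ajax.nonce, device: device })
    .done(function (r) { console.log(r.success, r.data.message); })
    .fail(function (x) { console.log('HTTP', x.status, x.responseText); });
}
JS;
    wp_add_inline_script( 'example-ajax', $js );
    wp_enqueue_script( 'example-ajax' );
} );
```

To see the three checks in action, call exampleConnect('demo') from the browser console on any admin page: as an administrator it succeeds; as a subscriber the capability check answers 403 with the JSON error; a request that omits the nonce or carries a stale one is stopped by check_ajax_referer before the handler body runs. Requesting action=example_safe_status while logged out returns 0 from admin-ajax.php because no nopriv hook exists, which is the behaviour the four wm_login_* handlers below do not have.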
Vulnerabilities
None known

WP Mechanic Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

WP Mechanic Code Analysis

Dangerous functions: 0
Raw SQL queries: 0 (0 prepared)
Unescaped output: 24 (13 escaped)
Nonce checks: 0
Capability checks: 2
File operations: 10
External requests: 0
Bundled libraries: 0

Output Escaping

35% escaped (13 of 37 total outputs)
Attack Surface
8 unprotected

WP Mechanic Attack Surface

Entry points: 8
Unprotected: 8

AJAX Handlers (8)

Type     Hook                            Location
auth     wp_ajax_wm_generate_qrcode      inc\functions-inner.php:802
auth     wp_ajax_wm_disconnect_app       inc\functions-inner.php:803
auth     wp_ajax_wm_app_connect_status   inc\functions-inner.php:804
nopriv   wp_ajax_wm_login_actions        inc\functions.php:184
nopriv   wp_ajax_wm_login_grid_log       inc\functions.php:185
nopriv   wp_ajax_wm_login_grid_status    inc\functions.php:186
nopriv   wp_ajax_wm_login_access_status  inc\functions.php:187
auth     wp_ajax_wm_force_logout_check   inc\functions.php:188
WordPress Hooks (15)

Type     Hook                              Location
action   rest_api_init                     inc\functions-inner.php:796
action   rest_api_init                     inc\functions-inner.php:797
action   rest_api_init                     inc\functions-inner.php:798
action   rest_api_init                     inc\functions-inner.php:799
action   rest_api_init                     inc\functions-inner.php:800
action   rest_api_init                     inc\functions-inner.php:801
action   woocommerce_before_main_content   inc\functions-inner.php:1935
action   login_enqueue_scripts             inc\functions.php:183
action   current_screen                    inc\functions.php:445
action   admin_menu                        index.php:141
action   admin_enqueue_scripts             index.php:142
action   wp_enqueue_scripts                index.php:143
action   admin_enqueue_scripts             index.php:173
action   admin_menu                        index.php:180
action   network_admin_menu                index.php:181
Maintenance & Trust

WP Mechanic Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.6.5
Last updated: Nov 4, 2024
PHP min version: (not listed)
Downloads: 5K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 10
Developer Profile

WP Mechanic Developer Profile

Fahad Mahmood

40 plugins · 33K total installs

Trust score: 76
Avg security score: 96/100
Avg patch time: 237 days
Detection Fingerprints

How We Detect WP Mechanic

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-mechanic/css/style.css
/wp-content/plugins/wp-mechanic/css/front-style.css
/wp-content/plugins/wp-mechanic/js/wm_scripts.js
Script Paths
/wp-content/plugins/wp-mechanic/js/wm_scripts.js
Version Parameters
wp-mechanic/css/style.css?ver=
wp-mechanic/css/front-style.css?ver=
wp-mechanic/js/wm_scripts.js?ver=

HTML / DOM Fingerprints

JS Globals
wm_ajax_obj
REST Endpoints
/wp-json/wordpress-users/v1
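Applying the fingerprints above offline, as an added example that is not tooling from this page or from the plugin: a function that checks fetched page HTML and a site's /wp-json/ index for the asset paths, the ?ver= parameter, the wm_ajax_obj global and the REST namespace listed here. The sample HTML and REST index at the bottom are constructed (the host example.test is made up; the markup follows the shape WordPress emits for enqueued assets and wp_localize_script data).

```php
<?php
// Added example; not code from the page or the plugin. Checks a fetched page
// and the site's REST index for the WP Mechanic markers listed above.

/**
 * @param string $html            body of a front-end or login page
 * @param string $rest_index_json body of GET /wp-json/ (may be empty if not fetched)
 * @return array matched asset paths, flags for the JS global and REST namespace,
 *               the version seen in a ?ver= parameter, and an overall verdict
 */
function detect_wp_mechanic( string $html, string $rest_index_json = '' ): array {
    $result = array( 'assets' => array(), 'js_global' => false, 'rest' => false, 'version' => null );

    // Asset fingerprints: stylesheet and script paths under the plugin directory.
    $paths = array(
        '/wp-content/plugins/wp-mechanic/css/style.css',
        '/wp-content/plugins/wp-mechanic/css/front-style.css',
        '/wp-content/plugins/wp-mechanic/js/wm_scripts.js',
    );
    foreach ( $paths as $p ) {
        if ( strpos( $html, $p ) !== false ) {
            $result['assets'][] = $p;
        }
    }

    // Version parameter: WordPress appends ?ver=<plugin version> to enqueued assets,
    // so the first match gives the installed version without touching readme.txt.
    if ( preg_match( '#wp-mechanic/(?:css|js)/[\w-]+\.(?:css|js)\?ver=([\w.]+)#', $html, $m ) ) {
        $result['version'] = $m[1];
    }

    // JS global: wp_localize_script emits "var wm_ajax_obj = {...};" in a *-js-extra script.
    if ( preg_match( '/\bvar\s+wm_ajax_obj\s*=/', $html ) ) {
        $result['js_global'] = true;
    }

    // REST namespace: the site index lists every registered namespace, so the
    // plugin shows up here even on pages that enqueue none of its assets.
    if ( $rest_index_json !== '' ) {
        $index = json_decode( $rest_index_json, true );
        $namespaces = is_array( $index ) ? ( $index['namespaces'] ?? array() ) : array();
        $result['rest'] = in_array( 'wordpress-users/v1', $namespaces, true );
    }

    $result['detected'] = ( count( $result['assets'] ) > 0 ) || $result['js_global'] || $result['rest'];
    return $result;
}

// Constructed sample input, not captured from a real site.
$sample_html = <<<'HTML'
<link rel='stylesheet' id='wm-front-style-css' href='https://example.test/wp-content/plugins/wp-mechanic/css/front-style.css?ver=1.6.9' media='all' />
<script id='wm-scripts-js-extra'>var wm_ajax_obj = {"ajax_url":"https:\/\/example.test\/wp-admin\/admin-ajax.php"};</script>
<script src='https://example.test/wp-content/plugins/wp-mechanic/js/wm_scripts.js?ver=1.6.9' id='wm-scripts-js'></script>
HTML;
$sample_rest = '{"namespaces":["wp/v2","wordpress-users/v1"]}';

print_r( detect_wp_mechanic( $sample_html, $sample_rest ) );
```

On the constructed input this reports two matched asset paths, js_global and rest both true, version 1.6.9 and detected true. The REST check is the one to keep when scanning at scale: /wp-json/ is one request per site and is independent of which theme template happens to enqueue the plugin's assets.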
FAQ

Frequently Asked Questions about WP Mechanic