Nested Pages Security & Risk Analysis

wordpress.org/plugins/wp-nested-pages

Nested Pages provides a drag and drop interface for managing pages & posts in the WordPress admin, while maintaining quick edit functionality.

90K active installs · v3.2.13 · PHP 5.4+ · WP 3.8+ · Updated Feb 11, 2025
Tags: admin, nested, page-tree, pages, tree-view
Score: 86 (A · Safe)
CVEs total: 10
Unpatched: 0
Last CVE: Mar 2, 2025
Safety Verdict

Is Nested Pages Safe to Use in 2026?

Generally Safe

Score 86/100

Nested Pages has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

10 known CVEs · Last CVE: Mar 2, 2025 · Updated 1yr ago
Risk Assessment

The "wp-nested-pages" plugin v3.2.13 exhibits a mixed security posture. On the positive side, the plugin demonstrates strong adherence to modern WordPress security practices by utilizing prepared statements for all SQL queries, implementing a significant number of capability checks, and performing nonce checks. The static analysis also indicates a very small attack surface with no identified AJAX handlers, REST API routes, shortcodes, or cron events exposed without authentication. Furthermore, the taint analysis did not reveal any critical or high-severity vulnerabilities stemming from unsanitized input flows.

However, concerns arise from the presence of the `unserialize` function, which, if not handled with extreme care regarding input sources, can be a gateway to deserialization vulnerabilities. Additionally, the plugin has a substantial history of known CVEs, with a significant portion classified as high and medium severity, including common web vulnerabilities like Cross-Site Scripting and Missing Authorization. While there are currently no unpatched vulnerabilities, this history suggests a recurring pattern of security weaknesses that require diligent monitoring and prompt updating by users.

Key Concerns

  • Use of unserialize function
  • High historical CVE count
  • Multiple high/medium severity CVEs historically
  • 70% output escaping (potentially 30% unescaped)
Vulnerabilities
10 published

Nested Pages Security Vulnerabilities

CVEs by Year

  • 2019: 1 CVE
  • 2021: 2 CVEs
  • 2022: 1 CVE
  • 2023: 2 CVEs
  • 2024: 2 CVEs
  • 2025: 2 CVEs

Severity Breakdown

  • High: 2
  • Medium: 7
  • Low: 1

10 total CVEs

CVE-2025-0718 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Nested Pages <= 3.2.12 - Authenticated (Contributor+) Stored Cross-Site Scripting

Mar 2, 2025 · Patched in 3.2.13 (32d)

CVE-2025-24579 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Nested Pages <= 3.2.9 - Authenticated (Administrator+) Stored Cross-Site Scripting

Jan 24, 2025 · Patched in 3.2.10 (5d)

CVE-2024-8759 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Nested Pages <= 3.2.8 - Authenticated (Editor+) Stored Cross-Site Scripting

Oct 9, 2024 · Patched in 3.2.9 (234d)

CVE-2024-5943 · high · 8.8 · Cross-Site Request Forgery (CSRF)

Nested Pages <= 3.2.7 - Cross-Site Request Forgery to Local File Inclusion

Jul 3, 2024 · Patched in 3.2.8 (1d)

CVE-2023-49195 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Nested Pages <= 3.2.6 - Authenticated (Administrator+) Stored Cross-Site Scripting

Dec 1, 2023 · Patched in 3.2.7 (53d)

CVE-2023-2434 · low · 3.8 · Missing Authorization

Nested Pages <= 3.2.3 - Missing Authorization to Authenticated (Editor+) Plugin Settings Reset

May 30, 2023 · Patched in 3.2.4 (238d)

CVE-2022-1990 · medium · 4.8 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Nested Pages <= 3.1.20 - Stored Cross-Site Scripting

Jun 6, 2022 · Patched in 3.1.21 (596d)

CVE-2021-38343 · medium · 4.7 · URL Redirection to Untrusted Site ('Open Redirect')

Nested Pages <= 3.1.15 - Open Redirect

Aug 25, 2021 · Patched in 3.1.16 (881d)

CVE-2021-38342 · high · 8.1 · Cross-Site Request Forgery (CSRF)

Nested Pages <= 3.1.15 - Cross-Site Request Forgery to Arbitrary Post Deletion and Modification

Aug 25, 2021 · Patched in 3.1.16 (881d)

Nested Pages <= 3.0.7 - Missing Authorization

Mar 26, 2019 Patched in 3.0.8 (1764d)
Code Analysis
Analyzed Mar 16, 2026

Nested Pages Code Analysis

  • Dangerous Functions: 2
  • Raw SQL Queries: 0 (32 prepared)
  • Unescaped Output: 175 (417 escaped)
  • Nonce Checks: 1
  • Capability Checks: 61
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 0

Dangerous Functions Found

  • unserialize · `$visible = unserialize($meta);` · app\Entities\Listing\ListingRepository.php:40
  • unserialize · `return unserialize(get_user_meta(get_current_user_id(), 'np_visible_posts', true));` · app\Entities\User\UserRepository.php:198

SQL Query Safety

100% prepared · 32 total queries

Output Escaping

70% escaped · 592 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

3 flows · 2 with unsanitized paths
pageRestored (app\Redirects.php:43)
Attack Surface

Nested Pages Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 33

  • action · admin_enqueue_scripts · app\Activation\Dependencies.php:45
  • action · admin_enqueue_scripts · app\Activation\Dependencies.php:46
  • action · admin_enqueue_scripts · app\Activation\Dependencies.php:47
  • action · wp_loaded · app\Bootstrap.php:12
  • action · init · app\Bootstrap.php:13
  • action · admin_menu · app\Config\Settings.php:65
  • action · admin_init · app\Config\Settings.php:66
  • action · admin_menu · app\Entities\AdminCustomization\AdminMenuItems.php:12
  • action · admin_menu · app\Entities\AdminCustomization\AdminMenuItems.php:13
  • action · admin_menu · app\Entities\AdminCustomization\AdminMenuItems.php:14
  • action · admin_menu · app\Entities\AdminCustomization\AdminMenuItems.php:15
  • filter · pre_update_option_nestedpages_admin · app\Entities\AdminCustomization\AdminMenuSanitization.php:11
  • action · admin_menu · app\Entities\AdminMenu\AdminMenu.php:16
  • action · admin_head · app\Entities\AdminMenu\AdminMenu.php:17
  • filter · posts_where · app\Entities\Listing\ListingActions.php:8
  • filter · posts_clauses · app\Entities\Listing\ListingQuery.php:113
  • action · wp_update_nav_menu · app\Entities\NavMenu\NavMenuActions.php:25
  • filter · nav_menu_link_attributes · app\Entities\NavMenu\NavMenuFrontEnd.php:19
  • filter · nav_menu_link_attributes · app\Entities\NavMenu\NavMenuFrontEnd.php:20
  • action · before_delete_post · app\Entities\NavMenu\NavMenuTrashActions.php:19
  • action · before_delete_post · app\Entities\NavMenu\NavMenuTrashActions.php:20
  • action · init · app\Entities\PluginIntegration\EditorialAccessManager.php:23
  • action · save_post · app\Entities\Post\PostSaveActions.php:28
  • action · trashed_post · app\Entities\Post\PostTrashActions.php:29
  • action · delete_post · app\Entities\Post\PostTrashActions.php:30
  • filter · wp_dropdown_pages · app\Entities\Post\PrivatePostParent.php:13
  • action · init · app\Entities\PostType\RegisterPostTypes.php:20
  • action · init · app\Entities\User\UserCapabilities.php:19
  • action · load-edit.php · app\Redirects.php:11
  • action · load-edit.php · app\Redirects.php:12
  • action · deleted_post · app\Redirects.php:13
  • filter · page_link · app\RedirectsFrontEnd.php:11
  • action · parse_request · app\RedirectsFrontEnd.php:12
Maintenance & Trust

Nested Pages Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.7.5
  • Last updated: Feb 11, 2025
  • PHP min version: 5.4
  • Downloads: 2.2M

Community Trust

  • Rating: 94/100
  • Number of ratings: 125
  • Active installs: 90K
Developer Profile

Nested Pages Developer Profile

Kyle Phillips

3 plugins · 100K total installs

  • Trust score: 64
  • Avg Security Score: 78/100
  • Avg Patch Time: 399 days
Detection Fingerprints

How We Detect Nested Pages

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/wp-nested-pages/assets/css/nestedpages.css
  • /wp-content/plugins/wp-nested-pages/assets/js/lib/jquery.ui.touch-punch.min.js
  • /wp-content/plugins/wp-nested-pages/assets/js/lib/jquery.mjs.nestedSortable.js
  • /wp-content/plugins/wp-nested-pages/assets/js/nestedpages.js
  • /wp-content/plugins/wp-nested-pages/assets/js/nestedpages.min.js

Script Paths

  • /wp-content/plugins/wp-nested-pages/assets/js/lib/jquery.ui.touch-punch.min.js
  • /wp-content/plugins/wp-nested-pages/assets/js/lib/jquery.mjs.nestedSortable.js
  • /wp-content/plugins/wp-nested-pages/assets/js/nestedpages.js
  • /wp-content/plugins/wp-nested-pages/assets/js/nestedpages.min.js

Version Parameters

  • /wp-content/plugins/wp-nested-pages/assets/css/nestedpages.css?ver=
  • /wp-content/plugins/wp-nested-pages/assets/js/lib/jquery.ui.touch-punch.min.js?ver=
  • /wp-content/plugins/wp-nested-pages/assets/js/lib/jquery.mjs.nestedSortable.js?ver=
  • /wp-content/plugins/wp-nested-pages/assets/js/nestedpages.js?ver=
  • /wp-content/plugins/wp-nested-pages/assets/js/nestedpages.min.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • nestedpages-wrapper
  • nestedpages-sortable
  • np-settings-section
  • np-add-link
  • nestedpages-menu-sync

HTML Comments

  • <!-- Nested Pages Menu Sync -->
  • <!-- Nested Pages Quick Edit -->
  • <!-- Nested Pages -->

Data Attributes

  • data-np-nonce
  • data-nestedpages-nonce
  • data-np-action
  • data-np-id
  • data-nestedpages-id
  • data-np-parent-id
  • +3 more

JS Globals

  • npArgs
  • nestedPages
  • nestedpages_ajax_object
  • np_page_params
  • np_env
  • np_version

REST Endpoints

  • /wp-json/nestedpages/v1/bulk-edit