WP Pipes Security & Risk Analysis

wordpress.org/plugins/wp-pipes

RSS Feed to Post/bbPress, AutoBlogging, auto post to Twitter/Facebook/LinkedIn, CSV importing for Posts/WooCommerce/bbPress, RSS Feed Creator.

400 active installs · v1.4.3 · PHP 7.4+ · WP 6.0+ · Updated May 9, 2025
Tags: auto-post, pipes, rss, syndicate, syndication
Score: 20 · F · Critical Risk
CVEs total: 9
Unpatched: 5
Last CVE: Aug 14, 2025
Safety Verdict

Is WP Pipes Safe to Use in 2026?

Critical Risk — Avoid

Score 20/100

WP Pipes is critically unsafe with 9 known CVEs, 5 still unpatched. Avoid in production.

9 known CVEs · 5 unpatched · Last CVE: Aug 14, 2025 · Updated 10mo ago
Risk Assessment

The wp-pipes plugin v1.4.3 presents a mixed security posture. Static analysis indicates a very limited attack surface, with no apparent direct entry points such as AJAX handlers, REST API routes, or shortcodes, and a high percentage of SQL queries use prepared statements while a high percentage of output is properly escaped. There are nonetheless significant concerns. The 10 `unserialize` calls are a major red flag: this function is notoriously susceptible to object injection vulnerabilities if not handled with extreme care, especially when processing untrusted data. The taint analysis also revealed 11 flows with unsanitized paths, 4 of which are of high severity. This suggests that user-controlled input might be used to construct file paths or other critical data without adequate sanitization, potentially leading to serious security flaws.

The plugin's vulnerability history is deeply concerning. It has 9 known CVEs, 5 of which are currently unpatched, and a significant number of them are critical or high severity, which indicates a persistent pattern of insecure coding practices. The vulnerability types listed, such as Remote File Inclusion, SQL Injection, Path Traversal, SSRF, and Cross-Site Scripting, are all serious and can lead to complete site compromise. The recency of the latest CVE further emphasizes that these issues are not a relic of the past.

In conclusion, despite some positive indicators in the static analysis regarding SQL and output escaping, the extensive history of critical unpatched vulnerabilities and the identified dangerous functions and unsanitized taint flows paint a picture of high risk. The plugin's past and present security issues strongly suggest that it is not safe for use without significant remediation and thorough auditing.

Key Concerns

  • Unpatched Critical CVEs (3)
  • Unpatched High CVEs (2)
  • Dangerous functions (unserialize)
  • High severity taint flows (4)
  • Flows with unsanitized paths (11)
  • Medium severity CVEs (4)
Vulnerabilities
9

WP Pipes Security Vulnerabilities

CVEs by Year

  • 2022: 1 CVE
  • 2023: 1 CVE
  • 2024: 1 CVE
  • 2025: 6 CVEs · unpatched

Severity Breakdown

  • Critical: 3
  • High: 2
  • Medium: 4

9 total CVEs

CVE-2025-28977 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Pipes <= 1.4.3 - Reflected Cross-Site Scripting

Aug 14, 2025 · Unpatched

CVE-2025-28979 · high · 8.1 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

WP Pipes <= 1.4.3 - Unauthenticated Local File Inclusion

Jul 22, 2025 · Unpatched

CVE-2025-28982 · high · 7.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WP Pipes <= 1.4.3 - Unauthenticated SQL Injection

Jul 8, 2025 · Unpatched

CVE-2025-60227 · critical · 9.1 · External Control of File Name or Path

WP Pipes <= 1.4.3 - Unauthenticated Arbitrary File Deletion

Jul 6, 2025 · Unpatched

CVE-2025-48267 · critical · 9.1 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

WP Pipes <= 1.4.2 - Unauthenticated Arbitrary File Deletion

May 30, 2025 · Patched in 1.4.3 (4d)

CVE-2025-47664 · medium · 5.5 · Server-Side Request Forgery (SSRF)

WP Pipes <= 1.4.3 - Authenticated (Administrator+) Server-Side Request Forgery

May 7, 2025 · Unpatched

CVE-2024-12283 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Pipes <= 1.4.1 - Reflected Cross-Site Scripting via x1 Parameter

Dec 10, 2024 · Patched in 1.4.2 (1d)

CVE-2023-40009 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

WP Pipes <= 1.4.0 - Cross-Site Request Forgery to Settings Update

Aug 11, 2023 · Patched in 1.4.1 (165d)

CVE-2022-45355 · critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WP Pipes <= 1.33 - Authenticated (Admin+) SQL Injection

Dec 20, 2022 · Patched in 1.4.0 (399d)
Code Analysis
Analyzed Mar 16, 2026

WP Pipes Code Analysis

  • Dangerous Functions: 10
  • Raw SQL Queries: 6 (84 prepared)
  • Unescaped Output: 8 (103 escaped)
  • Nonce Checks: 12
  • Capability Checks: 3
  • File Operations: 103
  • External Requests: 12
  • Bundled Libraries: 0

Dangerous Functions Found

  • unserialize · `$row = unserialize( $row );` · grab.php:88
  • unserialize · `$default = unserialize( $default );` · helpers\common.php:286
  • unserialize · `$this->data = unserialize(serialize($this->data));` · includes\registry\registry.php:70
  • unserialize · `$myvalue = unserialize($myvalue);` · includes\utilities\arrayhelper.php:611
  • unserialize · `return unserialize( file_get_contents( $this->name ) );` · plugins\engines\rssreader\helpers\library\SimplePie\Cache\File.php:123
  • unserialize · `return unserialize( $data );` · plugins\engines\rssreader\helpers\library\SimplePie\Cache\Memcache.php:130
  • unserialize · `$data = unserialize( $row[1] );` · plugins\engines\rssreader\helpers\library\SimplePie\Cache\MySQL.php:264
  • unserialize · `$feed['child'][SIMPLEPIE_NAMESPACE_ATOM_10]['entry'][] = unserialize( $row );` · plugins\engines\rssreader\helpers\library\SimplePie\Cache\MySQL.php:295
  • unserialize · `$default = unserialize( $default );` · plugins\engines\rssreader\rssreader.php:52
  • unserialize · `$rows = unserialize( $cache_conten );` · plugins\engines\rssreader\rssreader.php:82

SQL Query Safety

93% prepared · 90 total queries

Output Escaping

93% escaped · 111 total outputs
Data Flows
11 unsanitized

Data Flow Analysis

20 flows · 11 with unsanitized paths
create_tables (controllers\pipes.php:141)
Attack Surface

WP Pipes Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 8
  • action · admin_menu · includes\application.php:46
  • action · admin_init · includes\application.php:47
  • action · init · pipes.php:39
  • action · admin_init · pipes.php:40
  • action · wp_enqueue_scripts · pipes.php:264
  • action · wp_print_scripts · pipes.php:265
  • action · wppipes_loaded_ads · pipes.php:269
  • action · admin_footer · pipes.php:295
Maintenance & Trust

WP Pipes Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.8.5
  • Last updated: May 9, 2025
  • PHP min version: 7.4
  • Downloads: 131K

Community Trust

  • Rating: 86/100
  • Number of ratings: 37
  • Active installs: 400
Developer Profile

WP Pipes Developer Profile

ThimPress

21 plugins · 209K total installs

  • Trust score: 70
  • Avg Security Score: 87/100
  • Avg Patch Time: 265 days
Detection Fingerprints

How We Detect WP Pipes

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wp-pipes/assets/css/obstyle.css
  • /wp-content/plugins/wp-pipes/assets/css/bootstrap.min.css
  • /wp-content/plugins/wp-pipes/assets/css/process.css
  • /wp-content/plugins/wp-pipes/assets/css/chosen.css
  • /wp-content/plugins/wp-pipes/assets/css/ad_style.css
  • /wp-content/plugins/wp-pipes/assets/js/bootstrap.min.js
  • /wp-content/plugins/wp-pipes/assets/js/process.js
  • /wp-content/plugins/wp-pipes/assets/js/ogb-lib-admin.js
  • +3 more
Script Paths
  • /wp-content/plugins/wp-pipes/assets/js/bootstrap.min.js
  • /wp-content/plugins/wp-pipes/assets/js/process.js
  • /wp-content/plugins/wp-pipes/assets/js/ogb-lib-admin.js
  • /wp-content/plugins/wp-pipes/assets/js/chosen.jquery.js
  • /wp-content/plugins/wp-pipes/assets/js/angular.js
  • /wp-content/plugins/wp-pipes/assets/js/ad_script.js

HTML / DOM Fingerprints

CSS Classes
pipes-obstyle, pipes-bootstrap-min, pipes-process-css, pipes-chosen-css, pipes-ads-css, pipes-bootstrap-min, pipes-process, pipes-ogb-lib-admin, +4 more
Data Attributes
data-page_prefix, data-prefix
JS Globals
PIPES, pipes_settings