WP-Project Security & Risk Analysis

wordpress.org/plugins/wp-project

WP-Project is a complete project management solution seamlessly integrated into the WordPress administrative area.

10 active installs · v1.2.3 · PHP + WP 2.5+ · Updated: Unknown

Tags: admin, project, project-management, time, time-tracking

Security score: 100 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is WP-Project Safe to Use in 2026?

Generally Safe

Score 100/100

WP-Project has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs
Risk Assessment

The "wp-project" plugin v1.2.3 exhibits a concerning security posture, primarily due to a significant lack of basic security checks. The presence of an unprotected AJAX handler is a critical vulnerability, as it represents a direct entry point for attackers. Furthermore, the complete absence of output escaping is a severe issue, almost guaranteeing Cross-Site Scripting (XSS) vulnerabilities if any user-supplied data is rendered on the frontend without sanitization. The taint analysis revealing four high-severity flows with unsanitized paths indicates potential for serious exploitation, likely leading to data corruption or unauthorized actions. The use of `unserialize` without proper validation is a major red flag, as it can lead to Remote Code Execution (RCE) if an attacker can control the serialized data.

While the plugin has no recorded vulnerability history, this cannot be interpreted as a sign of inherent security. Instead, it likely reflects a lack of scrutiny, or that past vulnerabilities have not been publicly disclosed or discovered. The high number of SQL queries, with a substantial portion not using prepared statements, increases the risk of SQL injection. Combined with the unprotected AJAX handler and the lack of capability checks, this leaves the plugin highly susceptible to attacks. The only positive aspect is the absence of external HTTP requests and file operations, which limits some attack vectors. Overall, "wp-project" v1.2.3 is a high-risk plugin requiring immediate attention to address its numerous security deficiencies.

Key Concerns

  • Unprotected AJAX handler
  • Critical taint flows with unsanitized paths (4)
  • Dangerous function: unserialize without validation
  • No output escaping
  • SQL queries not using prepared statements (59%)
  • No nonce checks
  • No capability checks

Vulnerabilities: None known

WP-Project Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis: Analyzed Mar 16, 2026

WP-Project Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 17 (12 prepared)
Unescaped Output: 82 (0 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

unserialize: `$this->options = unserialize( get_option( 'WP-Project Options' ) );` (wp-project.php:53)

SQL Query Safety

41% prepared (29 total queries)

Output Escaping

0% escaped (82 total outputs)

Data Flows: 8 unsanitized

Data Flow Analysis

8 flows, 8 with unsanitized paths

on_timer_toggle (wp-project.php:158)
Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface: 1 unprotected

WP-Project Attack Surface

Entry Points: 1
Unprotected: 1

AJAX Handlers (1)

  • wp_ajax_timer_toggle (auth) wp-project.php:1043

WordPress Hooks (3)

  • action admin_menu (wp-project.php:1040)
  • action admin_head (wp-project.php:1041)
  • action init (wp-project.php:1042)

Maintenance & Trust

WP-Project Maintenance & Trust

Maintenance Signals

WordPress version tested: 2.5.1
Last updated: Unknown
PHP min version: (not listed)
Downloads: 19K

Community Trust

Rating: 80/100
Number of ratings: 1
Active installs: 10

Developer Profile

WP-Project Developer Profile

nickohrn

12 plugins · 760 total installs

Trust score: 84
Avg Security Score: 86/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect WP-Project

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wp-project/js/wp-project.js
  • /wp-content/WP-Project/css/wp-project.css

Script Paths
  • /wp-content/plugins/wp-project/js/wp-project.js

Version Parameters
  • wp-project/style.css?ver=
  • WP-Project/css/wp-project.css?ver=
  • wp-project.js?ver=

HTML / DOM Fingerprints

HTML Comments
  • <!-- The following section has the constructor and functions that hook into WordPress. -->
  • <!-- Default constructor initializes variables and other data needed for the plugin to operate correctly. -->
  • <!-- Check to see if tables for the WP-Project plugin are installed and that the plugin is the current version. If those two things are true, then leave the data alone. Otherwise, upgrade or install the necessary tables. -->
  • <!-- This function will not make any changes to data that exists in the database. That is reserved for the uninstall_data function. For now, this is just a placeholder in case some action becomes necessary on deactivation. -->
  (12 more not shown)

Data Attributes
  • id="WP-Project"
  • data-current-timer

JS Globals
  • old_id

FAQ

Frequently Asked Questions about WP-Project