WP Roster Security & Risk Analysis

wordpress.org/plugins/wp-roster

WP Roster is a robust roster system for WordPress

10 active installs · v2.30 · PHP 5.2.4+ · WP 4.0+ · Updated Sep 29, 2022
Tags: roster, roster-system, team-management
Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is WP Roster Safe to Use in 2026?

Generally Safe

Score 85/100

WP Roster has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 3yr ago
Risk Assessment

The wp-roster plugin v2.30 exhibits a concerning security posture primarily due to its extensive use of unprotected AJAX handlers. While the plugin demonstrates good practices in SQL query handling and a significant portion of its output is properly escaped, the presence of 25 AJAX handlers without any authentication checks represents a substantial attack surface. This lack of protection means that any unauthenticated user could potentially trigger these AJAX actions, leading to unintended consequences or information disclosure. The single instance of the 'unserialize' dangerous function, although not flagged with a critical taint flow, warrants careful review to ensure it's used with trusted data. The absence of any recorded CVEs or past vulnerabilities is a positive sign, suggesting a historical commitment to security or a lack of prior discoveries. However, this does not negate the immediate risks identified in the static analysis, particularly the unprotected AJAX endpoints. The plugin has strengths in its secure database interactions but a critical weakness in its API endpoint security.

Key Concerns

  • Unprotected AJAX handlers
  • Use of unserialize dangerous function
  • Missing nonce checks on AJAX
  • Low capability checks
Vulnerabilities: None known

WP Roster Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis: Analyzed Mar 17, 2026

WP Roster Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 49 (145 escaped)
Nonce Checks: 0
Capability Checks: 1
File Operations: 0
External Requests: 1
Bundled Libraries: 0

Dangerous Functions Found

Function | Code | Location
unserialize | $returned_object = unserialize(wp_remote_retrieve_body($response)); | inc\options\nbw.php:180

Output Escaping

75% escaped (194 total outputs)
Data Flows: 12 unsanitized

Data Flow Analysis

12 flows, 12 with unsanitized paths
wp_roster_add_roster (inc\functions\helper-functions.php:233)
Legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized
Attack Surface: 25 unprotected

WP Roster Attack Surface

Entry Points: 26
Unprotected: 25

AJAX Handlers 25

Context | Hook | Location
auth | wp_ajax_add_roster | inc\functions\helper-functions.php:292
auth | wp_ajax_delete_roster | inc\functions\helper-functions.php:447
auth | wp_ajax_duplicate_roster | inc\functions\helper-functions.php:565
auth | wp_ajax_save_settings | inc\functions\helper-functions.php:688
nopriv | wp_ajax_save_settings | inc\functions\helper-functions.php:689
auth | wp_ajax_restore_settings | inc\functions\helper-functions.php:747
nopriv | wp_ajax_restore_settings | inc\functions\helper-functions.php:748
auth | wp_ajax_add_date | inc\functions\helper-functions.php:851
nopriv | wp_ajax_add_date | inc\functions\helper-functions.php:852
auth | wp_ajax_add_member | inc\functions\helper-functions.php:959
nopriv | wp_ajax_add_member | inc\functions\helper-functions.php:960
auth | wp_ajax_use_existing_member | inc\functions\helper-functions.php:1045
nopriv | wp_ajax_use_existing_member | inc\functions\helper-functions.php:1046
auth | wp_ajax_update_existing_member | inc\functions\helper-functions.php:1153
nopriv | wp_ajax_update_existing_member | inc\functions\helper-functions.php:1154
auth | wp_ajax_delete_existing_member | inc\functions\helper-functions.php:1203
nopriv | wp_ajax_delete_existing_member | inc\functions\helper-functions.php:1204
auth | wp_ajax_update_member_information_update_data | inc\functions\helper-functions.php:1462
nopriv | wp_ajax_update_member_information_update_data | inc\functions\helper-functions.php:1463
auth | wp_ajax_add_team | inc\functions\helper-functions.php:1691
nopriv | wp_ajax_add_team | inc\functions\helper-functions.php:1692
auth | wp_ajax_add_notification_group | inc\functions\helper-functions.php:1729
nopriv | wp_ajax_add_notification_group | inc\functions\helper-functions.php:1730
auth | wp_ajax_add_file_to_roster | inc\functions\helper-functions.php:2060
nopriv | wp_ajax_add_file_to_roster | inc\functions\helper-functions.php:2061

Shortcodes 1

[wp-roster] inc\shortcode\roster-shortcode.php:147
WordPress Hooks 17
Type | Hook | Location
action | show_user_profile | inc\functions\user-profile.php:3
action | edit_user_profile | inc\functions\user-profile.php:4
action | personal_options_update | inc\functions\user-profile.php:251
action | edit_user_profile_update | inc\functions\user-profile.php:252
action | admin_menu | wp-roster.php:102
action | admin_init | wp-roster.php:103
action | admin_enqueue_scripts | wp-roster.php:192
action | wp_enqueue_scripts | wp-roster.php:261
action | init | wp-roster.php:271
filter | plugin_row_meta | wp-roster.php:288
filter | page_attributes_dropdown_pages_args | wp-roster.php:332
filter | theme_page_templates | wp-roster.php:340
filter | wp_insert_post_data | wp-roster.php:347
filter | template_include | wp-roster.php:355
action | plugins_loaded | wp-roster.php:445
filter | manage_users_columns | wp-roster.php:457
filter | manage_users_custom_column | wp-roster.php:471

Scheduled Events 1

wp_roster_send_automated_notifications
Maintenance & Trust

WP Roster Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.0.11
Last updated: Sep 29, 2022
PHP min version: 5.2.4
Downloads: 3K

Community Trust

Rating: 100/100
Number of ratings: 2
Active installs: 10
Developer Profile

WP Roster Developer Profile

Northern Beaches Websites

6 plugins · 50K total installs

Trust score: 82
Avg Security Score: 92/100
Avg Patch Time: 72 days
Detection Fingerprints

How We Detect WP Roster

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-roster/inc/js/userprofile.js
/wp-content/plugins/wp-roster/inc/css/flatpickr.min.css
/wp-content/plugins/wp-roster/inc/js/flatpickr.js
/wp-content/plugins/wp-roster/inc/css/adminstyle.css
/wp-content/plugins/wp-roster/inc/css/simple-line-icons.css
/wp-content/plugins/wp-roster/inc/js/adminscript.js
/wp-content/plugins/wp-roster/inc/js/clipboard.min.js
/wp-content/plugins/wp-roster/inc/js/papaparse.min.js
+3 more
Script Paths
/inc/js/userprofile.js
/inc/js/flatpickr.js
/inc/js/adminscript.js
/inc/js/clipboard.min.js
/inc/js/papaparse.min.js
/inc/js/alertify.js
Version Parameters
wp-roster/inc/js/userprofile.js?ver=
wp-roster/inc/css/flatpickr.min.css?ver=
wp-roster/inc/js/flatpickr.js?ver=
wp-roster/inc/css/adminstyle.css?ver=
wp-roster/inc/css/simple-line-icons.css?ver=
wp-roster/inc/js/adminscript.js?ver=
wp-roster/inc/js/clipboard.min.js?ver=
wp-roster/inc/js/papaparse.min.js?ver=
wp-roster/inc/js/alertify.js?ver=
wp-roster/inc/css/frontendstyle.css?ver=
wp-roster/inc/css/print.css?ver=

HTML / DOM Fingerprints

CSS Classes
wp_roster_settings_page
HTML Comments
<!-- WP Roster Options -->
Data Attributes
data-wp-roster-pro
JS Globals
wp_roster_pro_features
wp_roster_is_pro
wp_roster_settings_page
Shortcode Output
[wp_roster_dates
[wp_roster_roster
[wp_roster_teams
[wp_roster_header
FAQ

Frequently Asked Questions about WP Roster