SchedulePress – Auto Post & Publish, Auto Social Share, Schedule Posts with Editorial Calendar & Missed Schedule Post Publisher Security & Risk Analysis

wordpress.org/plugins/wp-scheduled-posts

Automate your WordPress content scheduling with a visual calendar, auto/manual schedulers, missed‑post handler, social sharing options & templates.

10K active installs · v5.2.16 · PHP 7.4+ · WP 4.0+ · Updated Feb 3, 2026
Tags: auto-scheduler, auto-sharing, post-schedule, schedule-calendar, social-share
Score 98 · A · Safe
CVEs total: 3
Unpatched: 0
Last CVE: Jul 15, 2024
Safety Verdict

Is SchedulePress – Auto Post & Publish, Auto Social Share, Schedule Posts with Editorial Calendar & Missed Schedule Post Publisher Safe to Use in 2026?

Generally Safe

Score 98/100

SchedulePress – Auto Post & Publish, Auto Social Share, Schedule Posts with Editorial Calendar & Missed Schedule Post Publisher has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEs · Last CVE: Jul 15, 2024 · Updated 1mo ago
Risk Assessment

The wp-scheduled-posts plugin, version 5.2.17, exhibits a mixed security posture. While it demonstrates good practices like a significant number of capability checks and a relatively high percentage of properly escaped outputs, there are notable areas of concern. The presence of one unprotected REST API route is a direct security risk, as it allows unauthenticated access to potentially sensitive functionality. Furthermore, the taint analysis indicates two flows with unsanitized paths, which, although not rated as critical or high severity, suggest potential avenues for injection attacks if exploited.

The plugin's vulnerability history is a significant red flag. With three known medium-severity CVEs, and one occurring very recently (2024-07-15), it indicates a pattern of security weaknesses that attackers have successfully exploited in the past. The types of vulnerabilities—Exposure of Sensitive Information, Missing Authorization, and Improper Authorization—are particularly concerning as they can lead to data breaches and unauthorized control of the website. The fact that all past vulnerabilities are currently patched is positive, but the recurring nature of these issues warrants caution.

In conclusion, while the code shows some positive security implementations, the unprotected REST API endpoint, the presence of unsanitized paths in taint analysis, and a history of medium-severity authorization and information exposure vulnerabilities collectively present a moderate to high risk. Users should be aware of these issues, keep the plugin updated to the latest version, and actively monitor for new security advisories.

Key Concerns

  • Unprotected REST API route
  • Taint flows with unsanitized paths
  • History of 3 medium CVEs
  • Recent vulnerability (2024-07-15)
  • Common vulnerability types: auth/exposure
Vulnerabilities
3

SchedulePress – Auto Post & Publish, Auto Social Share, Schedule Posts with Editorial Calendar & Missed Schedule Post Publisher Security Vulnerabilities

CVEs by Year

2023: 1 CVE
2024: 2 CVEs

Severity Breakdown

Medium: 3

3 total CVEs

CVE-2024-6557 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

SchedulePress <= 5.1.3 - Unauthenticated Full Path Disclosure

Jul 15, 2024 Patched in 5.1.4 (1d)
CVE-2024-32717 · medium · 4.3 · Missing Authorization

SchedulePress <= 5.0.8 - Missing Authorization

Apr 22, 2024 Patched in 5.0.9 (8d)

SchedulePress <= 5.0.4 - Insufficient Authorization to Authenticated (Contributor+) Arbitrary Post Modifications

Nov 28, 2023 Patched in 5.0.5 (56d)
Code Analysis
Analyzed Mar 16, 2026

SchedulePress – Auto Post & Publish, Auto Social Share, Schedule Posts with Editorial Calendar & Missed Schedule Post Publisher Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (2 prepared)
Unescaped Output: 86 (273 escaped)
Nonce Checks: 13
Capability Checks: 36
File Operations: 20
External Requests: 32
Bundled Libraries: 1

Bundled Libraries

Guzzle

SQL Query Safety

67% prepared · 3 total queries

Output Escaping

76% escaped · 359 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

4 flows · 2 with unsanitized paths
social_profile_fetch_user_info_and_token (includes\Social\SocialProfile.php:433)
Attack Surface
1 unprotected

SchedulePress – Auto Post & Publish, Auto Social Share, Schedule Posts with Editorial Calendar & Missed Schedule Post Publisher Attack Surface

Entry Points: 12
Unprotected: 1

AJAX Handlers 7

auth · wp_ajax_optin_wizard_action · includes\Admin\WPDev\PluginUsageTracker.php:93
auth · wp_ajax_wpsp_el_editor_form · includes\Admin.php:42
auth · wp_ajax_wpscp_instant_share_fetch_profile · includes\Social\InstantShare.php:16
auth · wp_ajax_wpscp_instant_social_single_profile_share · includes\Social\InstantShare.php:17
auth · wp_ajax_wpsp_social_add_social_profile · includes\Social\SocialProfile.php:20
auth · wp_ajax_wpsp_social_profile_fetch_user_info_and_token · includes\Social\SocialProfile.php:21
auth · wp_ajax_wpsp_social_profile_fetch_pinterest_section · includes\Social\SocialProfile.php:22

REST API Routes 5

GET · /wp-json/wpscp/v1/calendar · includes\Admin\Calendar.php:99
POST · /wp-json/wpscp/v1/posts · includes\Admin\Calendar.php:127
GET · /wp-json/wpscp/v1/get_tax_terms · includes\Admin\Calendar.php:133
GET · /wp-json/wpscp/v1/post · includes\Admin\Calendar.php:143
GET · /wp-json/wpscp/v1/scf-fields · includes\Admin\Calendar.php:165

WordPress Hooks 94

action · rest_api_init · includes\Admin\Calendar.php:25
filter · wpsp_pre_eventDrop · includes\Admin\Calendar.php:28
filter · wpsp_eventDrop_posts · includes\Admin\Calendar.php:29
action · admin_menu · includes\Admin\Menu.php:27
action · admin_enqueue_scripts · includes\Admin\Settings\Assets.php:18
action · wp_print_scripts · includes\Admin\Settings\Assets.php:28
action · wpsp_save_settings_default_value · includes\Admin\Settings.php:23
filter · wpsp_settings_before_save · includes\Admin\Settings.php:24
action · wp_dashboard_setup · includes\Admin\Widgets\ScheduledPostList.php:13
action · put_do_weekly_action · includes\Admin\WPDev\PluginUsageTracker.php:88
action · admin_init · includes\Admin\WPDev\PluginUsageTracker.php:91
action · admin_notices · includes\Admin\WPDev\PluginUsageTracker.php:96
action · admin_footer-plugins.php · includes\Admin\WPDev\PluginUsageTracker.php:100
action · init · includes\Admin\WPDev\WPDevCoreInstaller.php:25
action · init · includes\Admin\WPDev\WPDevNotice.php:115
action · init · includes\Admin\WPDev\WPDevNotice.php:117
action · admin_notices · includes\Admin\WPDev\WPDevNotice.php:214
action · admin_notices · includes\Admin\WPDev\WPDevNotice.php:217
filter · plugin_row_meta · includes\Admin.php:33
action · wpsp_el_modal_pro_fields · includes\Admin.php:39
action · wpsp_el_modal_social_share_profile · includes\Admin.php:43
action · elementor/editor/footer · includes\Admin.php:68
action · rest_api_init · includes\API\CustomSocialTemplates.php:43
action · rest_api_init · includes\API\CustomSocialTemplates.php:44
action · wp_insert_post · includes\API\CustomSocialTemplates.php:45
action · post_updated · includes\API\CustomSocialTemplates.php:49
action · rest_api_init · includes\API\Settings.php:44
action · rest_api_init · includes\API\Settings.php:45
action · rest_api_init · includes\API\Settings.php:46
action · enqueue_block_assets · includes\Assets.php:12
action · admin_enqueue_scripts · includes\Assets.php:13
action · admin_enqueue_scripts · includes\Assets.php:15
action · admin_enqueue_scripts · includes\Assets.php:16
action · wp_enqueue_scripts · includes\Assets.php:17
action · elementor/editor/after_enqueue_scripts · includes\Assets.php:19
action · transition_post_status · includes\Email.php:34
action · wpsp_transition_post_status · includes\Email.php:35
action · admin_bar_menu · includes\functions.php:33
filter · wp_insert_post_data · includes\functions.php:237
action · post_submitbox_misc_actions · includes\functions.php:239
action · init · includes\functions.php:249
filter · wp_insert_post_data · includes\functions.php:269
filter · http_request_timeout · includes\functions.php:284
action · plugins_loaded · includes\Installer.php:9
action · in_plugin_update_message-wp-scheduled-posts/wp-scheduled-posts.php · includes\Installer.php:10
action · wpsp_publish_future_post · includes\Social\Facebook.php:39
action · WpScp_Facebook_post · includes\Social\Facebook.php:40
action · wpscp_pro_schedule_republish_share · includes\Social\Facebook.php:53
filter · language_attributes · includes\Social\Facebook.php:81
action · wp_head · includes\Social\Facebook.php:82
action · wpsp_publish_future_post · includes\Social\GoogleBusiness.php:34
action · wpsp_schedule_republish_share · includes\Social\GoogleBusiness.php:35
action · init · includes\Social\GoogleBusiness.php:38
action · wpsp_google_business_token_refresh · includes\Social\GoogleBusiness.php:42
action · wpsp_publish_future_post · includes\Social\Instagram.php:38
action · WpScp_Instagram_post · includes\Social\Instagram.php:39
action · wpscp_pro_schedule_republish_share · includes\Social\Instagram.php:52
action · add_meta_boxes · includes\Social\InstantShare.php:13
action · save_post · includes\Social\InstantShare.php:14
action · wpsp_instant_social_single_profile_share · includes\Social\InstantShare.php:18
action · wpsp_publish_future_post · includes\Social\Linkedin.php:37
action · WpScp_linkedin_post · includes\Social\Linkedin.php:38
action · wpscp_pro_schedule_republish_share · includes\Social\Linkedin.php:50
action · wpsp_publish_future_post · includes\Social\Medium.php:38
action · WpScp_Medium_post · includes\Social\Medium.php:39
action · wpscp_pro_schedule_republish_share · includes\Social\Medium.php:52
action · wpsp_publish_future_post · includes\Social\Pinterest.php:37
action · WpScp_pinterest_post · includes\Social\Pinterest.php:38
action · wpscp_pro_schedule_republish_share · includes\Social\Pinterest.php:50
action · social_profile_fetch_pinterest_section · includes\Social\SocialProfile.php:23
filter · wpsp_instagram_data · includes\Social\SocialProfile.php:24
action · post_updated · includes\Social\SocialProfile.php:47
filter · wpsp_filter_linkedin_pages · includes\Social\SocialProfile.php:58
action · admin_init · includes\Social\SocialProfile.php:60
action · wpsp_profile_reconnect_linkedin · includes\Social\SocialReconnection.php:9
action · wpsp_linkedin_reconnect_cron_event · includes\Social\SocialReconnection.php:11
action · wpsp_publish_future_post · includes\Social\Threads.php:36
action · WpScp_Threads_post · includes\Social\Threads.php:37
action · wpscp_pro_schedule_republish_share · includes\Social\Threads.php:50
filter · wpsp_filter_social_content_tags · includes\Social\Twitter.php:32
action · wpsp_publish_future_post · includes\Social\Twitter.php:46
action · wpsp_twitter_post · includes\Social\Twitter.php:47
action · wpscp_pro_schedule_republish_share · includes\Social\Twitter.php:59
action · publish_future_post · includes\Social.php:22
action · wpsp_custom_social_template · includes\Social.php:23
action · admin_notices · wp-scheduled-posts.php:14
action · admin_init · wp-scheduled-posts.php:39
action · admin_notices · wp-scheduled-posts.php:41
action · upgrader_process_complete · wp-scheduled-posts.php:56
action · init · wp-scheduled-posts.php:60
action · wp_loaded · wp-scheduled-posts.php:61
action · init · wp-scheduled-posts.php:62
filter · jwt_auth_whitelist · wp-scheduled-posts.php:63
action · init · wp-scheduled-posts.php:67

Scheduled Events 12

put_do_weekly_action
WpScp_Facebook_post
wpsp_google_business_token_refresh
wpsp_google_business_token_refresh
wpsp_google_business_token_refresh
WpScp_Instagram_post
WpScp_linkedin_post
WpScp_Medium_post
WpScp_pinterest_post
wpsp_linkedin_reconnect_cron_event
WpScp_Threads_post
wpsp_twitter_post
Maintenance & Trust

SchedulePress – Auto Post & Publish, Auto Social Share, Schedule Posts with Editorial Calendar & Missed Schedule Post Publisher Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 3, 2026
PHP min version: 7.4
Downloads: 873K

Community Trust

Rating: 92/100
Number of ratings: 197
Active installs: 10K
Developer Profile

SchedulePress – Auto Post & Publish, Auto Social Share, Schedule Posts with Editorial Calendar & Missed Schedule Post Publisher Developer Profile

WPDeveloper

46 plugins · 4.0M total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 163 days
Detection Fingerprints

How We Detect SchedulePress – Auto Post & Publish, Auto Social Share, Schedule Posts with Editorial Calendar & Missed Schedule Post Publisher

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-scheduled-posts/assets/css/backend-style.css
/wp-content/plugins/wp-scheduled-posts/assets/css/frontend-style.css
/wp-content/plugins/wp-scheduled-posts/assets/css/schedule-calendar.css
/wp-content/plugins/wp-scheduled-posts/assets/css/schedule-dashboard.css
/wp-content/plugins/wp-scheduled-posts/assets/js/admin-script.js
/wp-content/plugins/wp-scheduled-posts/assets/js/schedule-calendar.js
/wp-content/plugins/wp-scheduled-posts/assets/js/schedule-dashboard.js
/wp-content/plugins/wp-scheduled-posts/assets/js/schedule-editor.js
Script Paths
/wp-content/plugins/wp-scheduled-posts/assets/js/admin-script.js
/wp-content/plugins/wp-scheduled-posts/assets/js/schedule-calendar.js
/wp-content/plugins/wp-scheduled-posts/assets/js/schedule-dashboard.js
/wp-content/plugins/wp-scheduled-posts/assets/js/schedule-editor.js
Version Parameters
wp-scheduled-posts/assets/css/backend-style.css?ver=
wp-scheduled-posts/assets/css/frontend-style.css?ver=
wp-scheduled-posts/assets/css/schedule-calendar.css?ver=
wp-scheduled-posts/assets/css/schedule-dashboard.css?ver=
wp-scheduled-posts/assets/js/admin-script.js?ver=
wp-scheduled-posts/assets/js/schedule-calendar.js?ver=
wp-scheduled-posts/assets/js/schedule-dashboard.js?ver=
wp-scheduled-posts/assets/js/schedule-editor.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpsp-wrap
schedulepress-dashboard-widget
schedulepress-calendar-wrapper
HTML Comments
<!--schedulepress-calendar-wrapper-->
<!--/schedulepress-calendar-wrapper-->
<!--schedulepress-dashboard-widget-->
<!--/schedulepress-dashboard-widget-->
+4 more
Data Attributes
data-wpsp-post-id
data-wpsp-date
data-wpsp-title
data-wpsp-schedule-type
data-wpsp-status
JS Globals
WPSP_Admin
schedulepress_calendar_settings
schedulepress_calendar_posts
FAQ

Frequently Asked Questions about SchedulePress – Auto Post & Publish, Auto Social Share, Schedule Posts with Editorial Calendar & Missed Schedule Post Publisher