Does WP Source Control have any unpatched vulnerabilities?

No published vulnerabilities and no findings under coordinated disclosure as of the latest data update. Always keep the plugin updated to the latest version.

Is WP Source Control compatible with WordPress 4.0.38?

According to WordPress.org data, WP Source Control 3.1.1 has been tested up to WordPress 4.0.38. Check the plugin's changelog for the latest compatibility information.

How often is WP Source Control updated?

WP Source Control was last updated on Oct 28, 2014. Frequent updates are generally a positive security signal.

What is WP Source Control's security score?

WP Source Control has a WP-Safety security score of 84/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

WP Source Control Security & Risk Analysis

wordpress.org/plugins/wp-source-control

WP Source Control is a WordPress plugin that allows you to source control your theme directory and your posts/pages. You can even see how your theme h …

10 active installs v3.1.1 PHP + WP 3.0.1+ Updated Oct 28, 2014

backupcontrolsourcesource-controltemplates

B · Generally Safe

CVEs total1

Unpatched0

Last CVEAug 19, 2014

Plugin page Download

Safety Verdict

Is WP Source Control Safe to Use in 2026?

Mostly Safe

Score 84/100

WP Source Control is generally safe to use though it hasn't been updated recently. 1 past CVE were resolved.

1 known CVELast CVE: Aug 19, 2014Updated 11yr ago

Risk Assessment

The wp-source-control plugin version 3.1.1 exhibits a mixed security posture. While it boasts a zero attack surface with no apparent AJAX handlers, REST API routes, shortcodes, or cron events, and has a high percentage of SQL queries using prepared statements, several critical security concerns are present. The presence of dangerous functions like `create_function` and a complete lack of output escaping for 74 identified outputs are significant weaknesses. Furthermore, the taint analysis reveals three flows with unsanitized paths, two of which are rated as high severity, indicating potential vulnerabilities related to path manipulation.

The plugin's vulnerability history, while showing no currently unpatched CVEs, includes one high-severity vulnerability from 2014, specifically a 'Path Traversal' issue. This historical pattern, coupled with the high-severity taint flows involving unsanitized paths, strongly suggests a recurring risk of path-related vulnerabilities. The complete absence of nonce and capability checks on any entry points is also a major concern, as it allows for unauthorized actions if any entry points are indeed discovered or introduced in future versions. The plugin's reliance on outdated or insecure coding practices like `create_function` and the failure to escape output are fundamental security flaws that could be exploited.

Key Concerns

High severity taint flows with unsanitized paths
0% proper output escaping for 74 outputs
Dangerous function: create_function used
No nonce checks found
No capability checks found
Historical high severity path traversal vulnerability
Taint flows with unsanitized paths (3 total)

Vulnerabilities

1 published

WP Source Control Security Vulnerabilities

CVEs by Year

1 CVE in 2014

2014

Patched Has unpatched

Severity Breakdown

High

1 total CVE

CVE-2014-5368high · 7.5Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

WP Source Control < 3.1.1 - Directory Traversal

Aug 19, 2014 Patched in 3.1.1 (3444d)

Version History

WP Source Control Release Timeline

v3.1.1Current

v3.1.01 CVE

v3.0.01 CVE

v2.4.01 CVE

v2.3.31 CVE

v2.3.21 CVE

v2.3.11 CVE

v2.31 CVE

v2.21 CVE

v2.1.11 CVE

v2.11 CVE

v2.01 CVE

v1.11 CVE

v1.01 CVE

Code Analysis

Analyzed Mar 17, 2026

WP Source Control Code Analysis

Dangerous Functions

Raw SQL Queries

53 prepared

Unescaped Output

0 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Dangerous Functions Found

create_function$return_path = array_reduce(explode('/', $path), create_function('$a, $b', 'source_control_path.php:45

create_functionreturn self::normalize(array_reduce($arguments, create_function('$a,$b', 'source_control_path.php:74

SQL Query Safety

84% prepared63 total queries

Output Escaping

0% escaped74 total outputs

Data Flows · Security

3 unsanitized

Data Flow Analysis

3 flows3 with unsanitized paths

<download> (downloadfiles\download.php:0)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

WP Source Control Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 3

actionadmin_menuwp-content_source_control.php:19

actionsave_postwp-content_source_control.php:191

actiontrashed_postwp-content_source_control.php:206

Maintenance & Trust

WP Source Control Maintenance & Trust

Maintenance Signals

WordPress version tested4.0.38

Last updatedOct 28, 2014

PHP min version

Downloads4K

Community Trust

Rating0/100

Number of ratings0

Active installs10

Alternatives

WP Source Control Alternatives

Heartbeat Control

heartbeat-control

Allows you to easily manage the frequency of the WordPress heartbeat API.

80K No CVEs

All-in-One WP Migration and Backup

all-in-one-wp-migration

Trusted by 60M+ sites: The gold standard for WordPress migration and backup. Migrate, backup, and restore your WordPress site with one click.

5.0M 13 CVEs

Jetpack – WP Security, Backup, Speed, & Growth

jetpack

Improve your WP security with powerful one-click tools like backup, WAF, and malware scan. Includes free tools like stats, CDN and social sharing.

3.0M 24 CVEs

UpdraftPlus: WP Backup & Migration Plugin

updraftplus

Backup, restore or migrate your WordPress website to another host or domain. Schedule backups or run manually. Migrate in minutes.

3.0M 14 CVEs

Starter Templates – AI-Powered Templates for Elementor & Gutenberg

astra-sites

The growing library of 300+ ready-to-use templates that work with all WordPress themes including Astra, Hello, OceanWP, GeneratePress and more

2.0M 7 CVEs

Developer Profile

WP Source Control Developer Profile

MMDeveloper

7 plugins · 2K total installs

trust score

Avg Security Score

85/100

Avg Patch Time

2139 days

View full developer profile

Detection Fingerprints

How We Detect WP Source Control

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/wp-source-control/lib/tom-m8te.php/wp-content/plugins/wp-source-control/source_control_path.php/wp-content/plugins/wp-source-control/source_control_template_diff.php/wp-content/plugins/wp-source-control/source_control_post_diff.php/wp-content/plugins/wp-source-control/downloadfiles/

Version Parameters

wp-source-control/style.css?ver=wp-source-control/script.js?ver=

HTML / DOM Fingerprints

Data Attributes

job_nodescriptiontheme_timestampjob_idorig_file_namefile_name+7 more

FAQ

WP Source Control Security & Risk Analysis

Is WP Source Control Safe to Use in 2026?

Mostly Safe

Key Concerns

WP Source Control Security Vulnerabilities

CVEs by Year

Severity Breakdown

WP Source Control Release Timeline

WP Source Control Code Analysis

Dangerous Functions Found

SQL Query Safety

Output Escaping

Data Flow Analysis

WP Source Control Attack Surface

WP Source Control Maintenance & Trust

Maintenance Signals

Community Trust

WP Source Control Alternatives

Heartbeat Control

All-in-One WP Migration and Backup

Jetpack – WP Security, Backup, Speed, & Growth

UpdraftPlus: WP Backup & Migration Plugin

Starter Templates – AI-Powered Templates for Elementor & Gutenberg

WP Source Control Developer Profile

How We Detect WP Source Control

Asset Fingerprints

HTML / DOM Fingerprints

Frequently Asked Questions about WP Source Control