WP To Do Security & Risk Analysis

wordpress.org/plugins/wp-todo

WP-Todo: Smart To-Do List & Task Management Plugin for WordPress

100 active installs · v2.1.7 · PHP 7.2.24+ · WP 6.4+ · Updated Oct 31, 2025

Tags: checklist, projects, tasks, to-do-list, to-do-management

Security score: 97 · A · Safe
  • CVEs total: 7
  • Unpatched: 0
  • Last CVE: Aug 28, 2024

Is WP To Do Safe to Use in 2026?

Generally Safe

Score 97/100

WP To Do has a strong security track record. Known vulnerabilities have been patched promptly.

7 known CVEs · Last CVE: Aug 28, 2024 · Updated 5mo ago
Risk Assessment

The wp-todo plugin, version 2.1.7, presents a mixed security posture. The code follows secure coding practices closely, using prepared statements for all SQL queries and escaping a high percentage of its output, but its attack surface raises significant concerns: all four of its AJAX handlers lack authentication checks, creating a considerable risk that unauthorized actions could be performed on the site. Taint analysis finds no critical or high severity unsanitized paths, which is positive, but the missing authentication on the AJAX endpoints undermines whatever other security checks those handlers contain, since unauthenticated requests reach them directly.

Key Concerns

  • 4 AJAX handlers without auth checks
  • 7 medium severity CVEs, 0 currently unpatched
WP To Do Security Vulnerabilities (7)

CVEs by Year
  • 2024: 7 CVEs (all patched)

Severity Breakdown
  • Medium: 7
  • Total: 7 CVEs

CVE-2024-3944 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP To Do <= 1.3.0 - Authenticated (Admin+) Stored Cross-Site Scripting via Task Comments
Aug 28, 2024 · Patched in 2.0.1 (436d)

CVE-2024-37539 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP To Do <= 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Jul 6, 2024 · Patched in 2.0.2 (413d)

CVE-2024-3943 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
WP To Do <= 1.3.0 - Cross-Site Request Forgery via wptodo_addcomment
May 29, 2024 · Patched in 2.0.1 (526d)

CVE-2024-3945 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
WP To Do <= 1.3.0 - Cross-Site Request Forgery via wptodo_manage()
May 29, 2024 · Patched in 2.0.1 (526d)

CVE-2024-3947 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
WP To Do <= 1.3.0 - Cross-Site Request Forgery via wptodo_settings
May 29, 2024 · Patched in 2.0.1 (526d)

CVE-2024-3946 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP To Do <= 1.3.0 - Authenticated (Admin+) Stored Cross-Site Scripting via Settings
May 29, 2024 · Patched in 2.0.1 (526d)

CVE-2024-22292 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP To Do <= 1.2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
Jan 17, 2024 · Patched in 1.2.9 (29d)
WP To Do Code Analysis

Analyzed Mar 16, 2026

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 3 (56 escaped)
  • Nonce Checks: 5
  • Capability Checks: 1
  • File Operations: 1
  • External Requests: 0
  • Bundled Libraries: 0

Output Escaping: 95% escaped (59 total outputs)
Data Flows: All sanitized

Data Flow Analysis

1 flow:
  • <modal_view> (todo\modal_view.php:0)
WP To Do Attack Surface

Entry Points: 4 · Unprotected: 4

AJAX Handlers (4)

  Type  Hook                          Location
  auth  wp_ajax_get_todos             inc\dashboard.php:47
  auth  wp_ajax_update_todo_status    inc\dashboard.php:82
  auth  wp_ajax_wp-todo_quick_view    todo\modal_view.php:5
  auth  wp_ajax_wp-todo_add_comment   todo\modal_view.php:176

WordPress Hooks (21)

  Type    Hook                                  Location
  action  admin_menu                            inc\dashboard.php:2
  action  admin_enqueue_scripts                 inc\enqueue.php:2
  action  admin_enqueue_scripts                 inc\enqueue.php:25
  filter  manage_wp-todo_posts_columns          list_table\custom_columns.php:3
  action  manage_wp-todo_posts_custom_column    list_table\custom_columns.php:16
  filter  manage_edit-wp-todo_sortable_columns  list_table\custom_columns.php:66
  action  pre_get_posts                         list_table\custom_columns.php:75
  action  admin_head                            list_table\custom_columns.php:87
  filter  manage_wp-todo_posts_columns          list_table\custom_columns.php:112
  action  init                                  meta_boxes\wptodo_meta_boxe.php:28
  action  add_meta_boxes                        meta_boxes\wptodo_meta_boxe.php:40
  action  save_post                             meta_boxes\wptodo_meta_boxe.php:120
  action  init                                  meta_boxes\wptodo_meta_boxe.php:143
  action  save_post_wptodo                      notification\notify.php:3
  filter  manage_wp-todo_posts_columns          todo\count_down_timer.php:2
  action  manage_wp-todo_posts_custom_column    todo\count_down_timer.php:7
  action  admin_enqueue_scripts                 todo\count_down_timer.php:20
  action  admin_footer-edit.php                 todo\modal_view.php:85
  action  admin_enqueue_scripts                 todo\modal_view.php:168
  filter  pre_comment_approved                  todo\modal_view.php:214
  action  init                                  todo\wptodo_custom_post_type.php:2
WP To Do Maintenance & Trust

Maintenance Signals
  • WordPress version tested: 6.8.5
  • Last updated: Oct 31, 2025
  • PHP min version: 7.2.24
  • Downloads: 14K

Community Trust
  • Rating: 74/100
  • Number of ratings: 6
  • Active installs: 100

WP To Do Developer Profile

Md Delower Hossain
1 plugin · 100 total installs
  • Trust score: 77
  • Avg Security Score: 97/100
  • Avg Patch Time: 426 days
How We Detect WP To Do

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wp-todo/assets/js/wptodo-admin.js
  • /wp-content/plugins/wp-todo/assets/css/style.css
  • /wp-content/plugins/wp-todo/assets/js/FullCalendar.min.js
  • /wp-content/plugins/wp-todo/assets/js/Sortable.min.js
  • /wp-content/plugins/wp-todo/assets/js/wptodo-dashboard.js

Script Paths
  • /wp-content/plugins/wp-todo/assets/js/wptodo-admin.js
  • /wp-content/plugins/wp-todo/assets/js/FullCalendar.min.js
  • /wp-content/plugins/wp-todo/assets/js/Sortable.min.js
  • /wp-content/plugins/wp-todo/assets/js/wptodo-dashboard.js

Version Parameters
  • wp-todo/style.css?ver=
  • wptodo-admin-js?ver=
  • style?ver=
  • fullcalendar-js?ver=
  • sortable-js?ver=
  • wptodo-dashboard-js?ver=

HTML / DOM Fingerprints

CSS Classes
  • wptodo-clickable
  • wptodo-modal
  • wptodo-comment

Data Attributes
  • data-post-id

JS Globals
  • wptodo_ajax
  • wptodo_dashboard

REST Endpoints
  • /wp-json/wp-todo/v1/tasks

Frequently Asked Questions about WP To Do