WP Ultimate Post Grid Security & Risk Analysis

wordpress.org/plugins/wp-ultimate-post-grid

Easily create filterable responsive grids for your posts, pages or custom post types

4K active installs · v4.0.1 · PHP + WP 3.5+ · Updated Dec 1, 2025
Tags: custom-post-type, filter, grid, isotope

Score: 99 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Oct 10, 2024
Safety Verdict

Is WP Ultimate Post Grid Safe to Use in 2026?

Generally Safe

Score 99/100

WP Ultimate Post Grid has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Oct 10, 2024 · Updated 4mo ago
Risk Assessment

The "wp-ultimate-post-grid" plugin v4.0.1 exhibits a mixed security posture. On the positive side, it adheres to secure coding practices: 100% of its SQL queries use prepared statements and 95% of its output is properly escaped. The absence of external HTTP requests and of any critical or high severity vulnerabilities in its history are also favorable indicators. However, several areas warrant concern. Two REST API routes are registered without permission callbacks; WordPress serves a route that has no permission callback to unauthenticated requests, so these routes represent a significant attack vector. The use of the `unserialize` function is a critical code signal: if untrusted data reaches it without strict validation, it can lead to serious vulnerabilities such as Remote Code Execution. While there are no currently unpatched CVEs, the plugin has a history of two medium severity vulnerabilities, both Cross-Site Scripting. This pattern suggests that, although the developers address vulnerabilities as they are reported, there is a recurring weakness in input neutralization that needs constant vigilance. The relatively small attack surface and the prompt patching of past vulnerabilities are strengths, but the unprotected REST API endpoints and the dangerous `unserialize` call present clear risks that require immediate attention.

Key Concerns

  • REST API routes without permission callbacks
  • Dangerous function: unserialize
  • History of medium severity XSS vulnerabilities
Vulnerabilities (2)

WP Ultimate Post Grid Security Vulnerabilities

CVEs by Year

2024: 2 CVEs (all patched)

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2024-9051 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Ultimate Post Grid <= 3.9.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpupg-grid-with-filters Shortcode

Oct 10, 2024 · Patched in 4.0.0 (1d)

CVE-2024-4043 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Ultimate Post Grid <= 3.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpupg-text Shortcode

May 22, 2024 · Patched in 3.9.2 (1d)
Code Analysis (analyzed Mar 17, 2026)

WP Ultimate Post Grid Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (1 prepared)
Unescaped Output: 11 (231 escaped)
Nonce Checks: 1
Capability Checks: 5
File Operations: 1
External Requests: 0
Bundled Libraries: 1

Dangerous Functions Found

unserialize, in includes\public\class-wpupg-grid.php:340:
    $unserialized = unserialize( preg_replace_callback( '!s:(\d+):"(.*?)";!', array( $this, 'regex_repla

Bundled Libraries

TinyMCE

SQL Query Safety

100% prepared (1 total query)

Output Escaping

95% escaped (242 total outputs)
Attack Surface (2 unprotected)

WP Ultimate Post Grid Attack Surface

Entry Points: 14
Unprotected: 2

REST API Routes (9)

POST   /wp-json/wp-ultimate-post-grid/v1/items (includes\public\api\class-wpupg-api-items.php:38)
POST   /wp-json/wp-ultimate-post-grid/v1/manage/grids (includes\public\api\class-wpupg-api-manage-grids.php:38)
DELETE /wp-json/wp-ultimate-post-grid/v1/notice (includes\public\api\class-wpupg-api-notices.php:38)
POST   /wp-json/wp-ultimate-post-grid/v1/preview (includes\public\api\class-wpupg-api-preview-grid.php:38)
GET    /wp-json/wp-ultimate-post-grid/v1/template (includes\public\api\class-wpupg-api-templates.php:38)
POST   /wp-json/wp-ultimate-post-grid/v1/template (includes\public\api\class-wpupg-api-templates.php:43)
DELETE /wp-json/wp-ultimate-post-grid/v1/template (includes\public\api\class-wpupg-api-templates.php:48)
POST   /wp-json/wp-ultimate-post-grid/v1/template/preview (includes\public\api\class-wpupg-api-templates.php:53)
POST   /wp-json/wp-ultimate-post-grid/v1/template/preview-item (includes\public\api\class-wpupg-api-templates.php:58)

Shortcodes (5)

[wpupg-grid-limit] includes\public\class-wpupg-shortcode.php:28
[wpupg-grid-with-filters] includes\public\class-wpupg-shortcode.php:29
[wpupg-grid] includes\public\class-wpupg-shortcode.php:30
[wpupg-filter] includes\public\class-wpupg-shortcode.php:31
[wpupg-condition] includes\public\shortcodes\special\class-wpupg-sc-condition.php:22

WordPress Hooks (61)

action admin_menu (includes\admin\class-wpupg-manage-modal.php:28)
action admin_footer (includes\admin\class-wpupg-manage-modal.php:29)
action admin_enqueue_scripts (includes\admin\class-wpupg-manage-modal.php:31)
action admin_menu (includes\admin\class-wpupg-marketing.php:84)
filter wpupg_admin_notices (includes\admin\class-wpupg-marketing.php:85)
filter wpupg_admin_notices (includes\admin\class-wpupg-notices.php:28)
filter wpupg_admin_notices (includes\admin\class-wpupg-notices.php:29)
action admin_menu (includes\admin\menu\class-wpupg-admin-menu-addons.php:28)
action admin_head-grids_page_wpupg_faq (includes\admin\menu\class-wpupg-admin-menu-faq.php:28)
action admin_menu (includes\admin\menu\class-wpupg-admin-menu-faq.php:29)
action admin_menu (includes\admin\menu\class-wpupg-admin-menu.php:28)
action plugins_loaded (includes\class-wp-ultimate-post-grid.php:49)
action admin_notices (includes\class-wp-ultimate-post-grid.php:50)
action init (includes\class-wpupg-i18n.php:31)
action rest_api_init (includes\public\api\class-wpupg-api-grids.php:28)
action rest_api_init (includes\public\api\class-wpupg-api-items.php:28)
action rest_api_init (includes\public\api\class-wpupg-api-manage-grids.php:28)
filter posts_where (includes\public\api\class-wpupg-api-manage-grids.php:126)
action rest_api_init (includes\public\api\class-wpupg-api-notices.php:28)
action rest_api_init (includes\public\api\class-wpupg-api-preview-grid.php:28)
action rest_api_init (includes\public\api\class-wpupg-api-templates.php:28)
action wp_enqueue_scripts (includes\public\class-wpupg-assets.php:37)
action admin_enqueue_scripts (includes\public\class-wpupg-assets.php:38)
action wp_head (includes\public\class-wpupg-assets.php:39)
action enqueue_block_editor_assets (includes\public\class-wpupg-assets.php:40)
action wp_footer (includes\public\class-wpupg-assets.php:41)
action init (includes\public\class-wpupg-blocks.php:28)
filter block_categories (includes\public\class-wpupg-blocks.php:33)
filter block_categories_all (includes\public\class-wpupg-blocks.php:35)
filter mce_external_plugins (includes\public\class-wpupg-button.php:28)
filter mce_buttons (includes\public\class-wpupg-button.php:29)
filter wpupg_filter_defaults (includes\public\class-wpupg-filter-clear.php:28)
filter wpupg_filter_sanitize_options (includes\public\class-wpupg-filter-clear.php:29)
filter wpupg_output_filter (includes\public\class-wpupg-filter-clear.php:30)
filter wpupg_filter_defaults (includes\public\class-wpupg-filter-isotope.php:28)
filter wpupg_filter_sanitize_options (includes\public\class-wpupg-filter-isotope.php:29)
filter wpupg_javascript_args_filter (includes\public\class-wpupg-filter-isotope.php:30)
filter wpupg_output_filter (includes\public\class-wpupg-filter-isotope.php:31)
filter wpupg_filter_defaults (includes\public\class-wpupg-filter.php:28)
filter wpupg_filter_sanitize_options (includes\public\class-wpupg-filter.php:29)
action init (includes\public\class-wpupg-meta-box.php:28)
action admin_init (includes\public\class-wpupg-meta-box.php:29)
action edit_attachment (includes\public\class-wpupg-meta-box.php:31)
action save_post (includes\public\class-wpupg-meta-box.php:32)
action admin_init (includes\public\class-wpupg-migrations.php:28)
action pre_get_posts (includes\public\class-wpupg-multilingual.php:37)
filter wpupg_javascript_args (includes\public\class-wpupg-order.php:28)
filter wpupg_output_item_data (includes\public\class-wpupg-order.php:29)
filter wpupg_pagination_defaults (includes\public\class-wpupg-pagination-pages.php:28)
filter wpupg_pagination_sanitize_options (includes\public\class-wpupg-pagination-pages.php:29)
filter wpupg_javascript_args_pagination (includes\public\class-wpupg-pagination-pages.php:30)
filter wpupg_query_post_args (includes\public\class-wpupg-pagination-pages.php:31)
filter wpupg_grid_ids (includes\public\class-wpupg-pagination-pages.php:32)
filter wpupg_output_item_classes (includes\public\class-wpupg-pagination-pages.php:33)
filter wpupg_output_pagination (includes\public\class-wpupg-pagination-pages.php:34)
action init (includes\public\class-wpupg-post-type.php:28)
filter wpupg_settings_required_addons (includes\public\class-wpupg-settings.php:44)
filter shortcode_atts_wpupg_grid_with_filters (includes\public\class-wpupg-shortcode-takeover.php:28)
filter shortcode_atts_wpupg_grid (includes\public\class-wpupg-shortcode-takeover.php:29)
action admin_menu (includes\public\class-wpupg-template-editor.php:27)
action wp_footer (includes\public\class-wpupg-template-manager.php:45)
Maintenance & Trust

WP Ultimate Post Grid Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 1, 2025
PHP min version:
Downloads: 163K

Community Trust

Rating: 88/100
Number of ratings: 32
Active installs: 4K
Developer Profile

WP Ultimate Post Grid Developer Profile

Brecht

6 plugins · 79K total installs

Trust score: 77
Avg Security Score: 97/100
Avg Patch Time: 104 days
Detection Fingerprints

How We Detect WP Ultimate Post Grid

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-ultimate-post-grid/dist/admin-manage-modal.css
/wp-content/plugins/wp-ultimate-post-grid/dist/admin-manage-modal.js
/wp-content/plugins/wp-ultimate-post-grid/dist/public.css
/wp-content/plugins/wp-ultimate-post-grid/dist/public.js
/wp-content/plugins/wp-ultimate-post-grid/dist/admin.css
/wp-content/plugins/wp-ultimate-post-grid/dist/admin.js

Script Paths
/wp-content/plugins/wp-ultimate-post-grid/dist/admin-manage-modal.js
/wp-content/plugins/wp-ultimate-post-grid/dist/public.js
/wp-content/plugins/wp-ultimate-post-grid/dist/admin.js

Version Parameters
wp-ultimate-post-grid/dist/admin-manage-modal.css?ver=
wp-ultimate-post-grid/dist/admin-manage-modal.js?ver=
wp-ultimate-post-grid/dist/public.css?ver=
wp-ultimate-post-grid/dist/public.js?ver=
wp-ultimate-post-grid/dist/admin.css?ver=
wp-ultimate-post-grid/dist/admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpupg-admin-manage-modal
wpupg-admin-modal
wpupg-admin-modal-tinymce-placeholder
wpupg-admin-manage
wpultimatepostgrid
wpupg-frontend-grid

Data Attributes
data-wpupg-grid-id

JS Globals
wpupg_admin_manage_modal
FAQ

Frequently Asked Questions about WP Ultimate Post Grid