WP-Safety

WP User Groups Security & Risk Analysis

wordpress.org/plugins/wp-user-groups

WP User Groups allows users to be categorized using custom taxonomies & terms.

600 active installs v2.5.0 PHP + WP 4.7+ Updated Mar 28, 2026
grouptaxonomytermtypeuser
99
A · Safe
CVEs total1
Unpatched0
Last CVEMay 11, 2018
Plugin page Download
Safety Verdict

Is WP User Groups Safe to Use in 2026?

Generally Safe

Score 99/100

WP User Groups has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

1 known CVELast CVE: May 11, 2018Updated 1mo ago
Risk Assessment

The "wp-user-groups" plugin v2.5.0 exhibits a generally strong security posture based on the provided static analysis. The absence of any identified AJAX handlers, REST API routes, shortcodes, or cron events with unprotected entry points is a significant positive. Furthermore, the code signals indicate a diligent approach to security with 100% of SQL queries utilizing prepared statements and a high percentage (93%) of output being properly escaped. The presence of nonce and capability checks further reinforces this. The taint analysis also shows no concerning unsanitized flows.

However, the plugin's vulnerability history, while currently unpatched and appearing to have no critical or high severity vulnerabilities outstanding, does reveal a past high-severity Cross-Site Request Forgery (CSRF) vulnerability. This, even though it's from 2018 and patched, suggests that the plugin has been susceptible to certain types of attacks in the past. While the current version appears to have addressed these issues, the historical pattern warrants a degree of caution and emphasizes the importance of ongoing maintenance and vigilance.

In conclusion, the plugin demonstrates good coding practices that mitigate many common web application vulnerabilities. The absence of immediate critical risks in the static analysis is reassuring. The primary area of potential concern lies in its past vulnerability history, indicating a need for continued scrutiny and a commitment to patching any future issues promptly.

Key Concerns

  • Past high severity vulnerability (CSRF)
  • Slightly less than 100% output escaping
Vulnerabilities
1 published

WP User Groups Security Vulnerabilities

CVEs by Year

1 CVE in 2018
2018
Patched Has unpatched

Severity Breakdown

High
1

1 total CVE

WF-5cbbce9e-bfb5-49b3-9829-1f90e0d8f517-wp-user-groupshigh · 8.8Cross-Site Request Forgery (CSRF)

WP User Groups <= 2.1.0 - Cross-Site Request Forgery

May 11, 2018 Patched in 2.1.1 (2083d)
Version History

WP User Groups Release Timeline

v2.5.0Current
Code Analysis
Analyzed Mar 16, 2026

WP User Groups Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
4
55 escaped
Nonce Checks
1
Capability Checks
6
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

93% escaped59 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

1 flows
<class-user-taxonomy> (wp-user-groups\includes\classes\class-user-taxonomy.php:0)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

WP User Groups Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 27
filteradmin_noticeswp-user-groups\includes\classes\class-user-taxonomy.php:121
filterbulk_actions-userswp-user-groups\includes\classes\class-user-taxonomy.php:122
filterbulk_actions-userswp-user-groups\includes\classes\class-user-taxonomy.php:123
actionhandle_bulk_actions-userswp-user-groups\includes\classes\class-user-taxonomy.php:124
actionpre_get_userswp-user-groups\includes\classes\class-user-taxonomy.php:127
filterviews_userswp-user-groups\includes\classes\class-user-taxonomy.php:130
actionadmin_headwp-user-groups\includes\classes\class-user-taxonomy.php:133
actionadmin_menuwp-user-groups\includes\classes\class-user-taxonomy.php:134
actionwp_user_profiles_add_meta_boxeswp-user-groups\includes\classes\class-user-taxonomy.php:137
filtermanage_users_columnswp-user-groups\includes\classes\class-user-taxonomy.php:144
actionmanage_users_custom_columnwp-user-groups\includes\classes\class-user-taxonomy.php:145
actionpersonal_options_updatewp-user-groups\includes\classes\class-user-taxonomy.php:148
actionedit_user_profile_updatewp-user-groups\includes\classes\class-user-taxonomy.php:149
actionshow_user_profilewp-user-groups\includes\classes\class-user-taxonomy.php:153
actionedit_user_profilewp-user-groups\includes\classes\class-user-taxonomy.php:154
actiondelete_userwp-user-groups\includes\classes\class-user-taxonomy.php:158
filtersanitize_userwp-user-groups\includes\classes\class-user-taxonomy.php:159
actionload-users.phpwp-user-groups\includes\classes\class-user-taxonomy.php:189
actionload-edit-tags.phpwp-user-groups\includes\classes\class-user-taxonomy.php:190
actionload-term.phpwp-user-groups\includes\classes\class-user-taxonomy.php:191
actionload-edit-tags.phpwp-user-groups\includes\classes\class-user-taxonomy.php:192
filteradmin_body_classwp-user-groups\includes\classes\class-user-taxonomy.php:218
actioninitwp-user-groups\includes\functions\hooks.php:13
actioninitwp-user-groups\includes\functions\hooks.php:14
actionadmin_headwp-user-groups\includes\functions\hooks.php:17
filterwp_user_profiles_sectionswp-user-groups\includes\functions\hooks.php:20
actionplugins_loadedwp-user-groups.php:37
Maintenance & Trust

WP User Groups Maintenance & Trust

Maintenance Signals

WordPress version tested5.8.13
Last updatedMar 28, 2026
PHP min version
Downloads39K

Community Trust

Rating86/100
Number of ratings6
Active installs600
Alternatives

WP User Groups Alternatives

WP Better Permalinks

WP Better Permalinks

wp-better-permalinks

A
99

Set custom friendly permalinks structure: Custom Post Type > Taxonomy > Post and Custom Post Type > Taxonomy instead of default WordPress structure.

1K 1 CVE
Ultimate Carousel For Divi

Ultimate Carousel For Divi

ultimate-carousel-for-divi

A
100

Create stunning, branded carousels with ease. Showcase your products, post types, categories, and images like never before with Ultimate Divi Carousel

800 No CVEs
Super recent posts

Super recent posts

super-recent-posts

A
85

Widget that can display recent posts from multiple categories, taxonomies, terms custom post types.

100 No CVEs
Custom Taxonomy Columns

Custom Taxonomy Columns

custom-taxonomy-columns

A
85

Automatically adds custom taxonomy columns to admin list tables.

30 No CVEs
Widget Taxonomy

Widget Taxonomy

widget-taxonomy

A
85

Widget Taxonomy provides widget for post and custom post type taxonomy display. Taxonomy and Terms disply with listing options and post count of terms &hellip;

10 No CVEs
Developer Profile

WP User Groups Developer Profile

John James Jacoby

28 plugins · 331K total installs

76
trust score
Avg Security Score
95/100
Avg Patch Time
1401 days
View full developer profile
Detection Fingerprints

How We Detect WP User Groups

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-user-groups/assets/css/user-groups.css
Version Parameters
wp-user-groups/assets/css/user-groups.css?ver=

HTML / DOM Fingerprints

CSS Classes
user-groups-profile-section
FAQ

Frequently Asked Questions about WP User Groups