WP User Profiles Security & Risk Analysis

wordpress.org/plugins/wp-user-profiles

WP User Profiles is a sophisticated way to edit users in WordPress.

300 active installs · v2.6.2 · PHP 7.2+ · WP 5.2+ · Updated Mar 26, 2026
Tags: edit · metabox · profile · user
Score: 77
B · Generally Safe
CVEs total: 1
Unpatched: 1
Last CVE: Apr 8, 2025
Safety Verdict

Is WP User Profiles Safe to Use in 2026?

Mostly Safe

Score 77/100

WP User Profiles is generally safe to use. 1 past CVE was resolved.

1 known CVE · 1 unpatched · Last CVE: Apr 8, 2025 · Updated 1mo ago
Risk Assessment

The wp-user-profiles plugin v2.6.2 exhibits a mixed security posture. On the positive side, the code demonstrates strong adherence to secure coding practices by exclusively using prepared statements for SQL queries and having a high percentage of properly escaped output. Furthermore, it performs a reasonable number of capability checks and includes nonce checks for its entry points. However, significant security concerns arise from the attack surface. All three identified AJAX handlers lack authentication checks, presenting a direct pathway for unauthorized actions. The single external HTTP request is also a potential area for vulnerability if not properly handled. The plugin's vulnerability history, specifically a high-severity, unpatched CVE related to Improper Privilege Management, is a critical red flag that overshadows the positive coding practices. This suggests a recurring pattern of security weaknesses that have not been fully addressed, increasing the risk of exploitation.

Key Concerns

  • Unprotected AJAX handlers
  • Unpatched High severity CVE
  • Flow with unsanitized paths
  • External HTTP request present
Vulnerabilities
1 published

WP User Profiles Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched

Severity Breakdown

High: 1 (1 total CVE)

CVE-2025-31524 · High · 8.8 · Improper Privilege Management

WP User Profiles <= 2.6.2 - Authenticated (Subscriber+) Privilege Escalation

Apr 8, 2025 · Unpatched
Version History

WP User Profiles Release Timeline

v2.6.2 · Current · 1 CVE
Code Analysis
Analyzed Mar 16, 2026

WP User Profiles Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 21 (102 escaped)
Nonce Checks: 2
Capability Checks: 20
File Operations: 0
External Requests: 1
Bundled Libraries: 0

Output Escaping

83% escaped · 123 total outputs
Data Flows · Security
1 unsanitized

Data Flow Analysis

7 flows · 1 with unsanitized paths
wp_user_profiles_filter_role_column (wp-user-profiles\includes\metaboxes\sites-list.php:166)
Attack Surface
3 unprotected

WP User Profiles Attack Surface

Entry Points: 3
Unprotected: 3

AJAX Handlers 3

auth · wp_ajax_wp_user_profiles_common_roles · wp-user-profiles\includes\hooks.php:62
auth · wp_ajax_wp_user_profiles_export_roles · wp-user-profiles\includes\hooks.php:63
nopriv · wp_ajax_wp_user_profiles_export_roles · wp-user-profiles\includes\hooks.php:64
WordPress Hooks 41
action · init · wp-user-profiles\includes\hooks.php:13
action · init · wp-user-profiles\includes\hooks.php:16
action · init · wp-user-profiles\includes\hooks.php:17
action · init · wp-user-profiles\includes\hooks.php:18
action · init · wp-user-profiles\includes\hooks.php:19
action · init · wp-user-profiles\includes\hooks.php:20
action · init · wp-user-profiles\includes\hooks.php:21
action · init · wp-user-profiles\includes\hooks.php:24
action · admin_menu · wp-user-profiles\includes\hooks.php:27
action · network_admin_menu · wp-user-profiles\includes\hooks.php:28
action · user_admin_menu · wp-user-profiles\includes\hooks.php:29
action · wp_user_profiles_do_admin_head · wp-user-profiles\includes\hooks.php:32
action · wp_user_profiles_do_admin_head · wp-user-profiles\includes\hooks.php:33
action · wp_user_profiles_do_admin_load · wp-user-profiles\includes\hooks.php:34
action · wp_user_profiles_do_admin_load · wp-user-profiles\includes\hooks.php:35
action · wp_user_profiles_do_admin_load · wp-user-profiles\includes\hooks.php:36
action · wp_user_profiles_add_meta_boxes · wp-user-profiles\includes\hooks.php:39
action · wp_user_profiles_admin_notices · wp-user-profiles\includes\hooks.php:42
action · admin_init · wp-user-profiles\includes\hooks.php:45
filter · wp_user_profiles_save · wp-user-profiles\includes\hooks.php:46
action · wp_user_profiles_get_admin_notices · wp-user-profiles\includes\hooks.php:47
filter · wp_user_profiles_save_permissions_section · wp-user-profiles\includes\hooks.php:48
filter · map_meta_cap · wp-user-profiles\includes\hooks.php:51
filter · load-profile.php · wp-user-profiles\includes\hooks.php:54
filter · load-user-edit.php · wp-user-profiles\includes\hooks.php:55
filter · edit_profile_url · wp-user-profiles\includes\hooks.php:58
filter · get_edit_user_link · wp-user-profiles\includes\hooks.php:59
filter · wp_user_profiles_show_other_section · wp-user-profiles\includes\hooks.php:67
action · wp_user_profiles_nav_actions · wp-user-profiles\includes\hooks.php:70
action · wp_user_profiles_nav_actions · wp-user-profiles\includes\hooks.php:71
action · bp_init · wp-user-profiles\includes\hooks.php:74
filter · ms_sites_list_table_query_args · wp-user-profiles\includes\metaboxes\sites-list.php:38
filter · views_network-sites · wp-user-profiles\includes\metaboxes\sites-list.php:63
filter · bulk_actions-network-sites · wp-user-profiles\includes\metaboxes\sites-list.php:64
filter · manage_sites_custom_column · wp-user-profiles\includes\metaboxes\sites-list.php:65
filter · screen_options_show_screen · wp-user-profiles\includes\screen-options.php:19
filter · wp_user_profiles_save · wp-user-profiles\includes\sections\base.php:177
action · wp_user_profiles_add_meta_boxes · wp-user-profiles\includes\sections\base.php:180
action · wp_user_profiles_add_contextual_help · wp-user-profiles\includes\sections\base.php:183
action · admin_init · wp-user-profiles\includes\sponsor.php:17
action · plugins_loaded · wp-user-profiles.php:75
Maintenance & Trust

WP User Profiles Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.6.5
Last updated: Mar 26, 2026
PHP min version: 7.2
Downloads: 34K

Community Trust

Rating: 86/100
Number of ratings: 19
Active installs: 300
Developer Profile

WP User Profiles Developer Profile

John James Jacoby

28 plugins · 331K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 1401 days
Detection Fingerprints

How We Detect WP User Profiles

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-user-profiles/assets/css/user-profiles.css
/wp-content/plugins/wp-user-profiles/assets/css/min/ltr/user-profiles.css
/wp-content/plugins/wp-user-profiles/assets/css/min/rtl/user-profiles.css
/wp-content/plugins/wp-user-profiles/assets/js/user-profiles.js
/wp-content/plugins/wp-user-profiles/assets/js/app-passwords.js
Script Paths
/wp-content/plugins/wp-user-profiles/assets/js/user-profiles.js
/wp-content/plugins/wp-user-profiles/assets/js/app-passwords.js
Version Parameters
wp-user-profiles/assets/css/user-profiles.css?ver=
wp-user-profiles/assets/css/min/ltr/user-profiles.css?ver=
wp-user-profiles/assets/css/min/rtl/user-profiles.css?ver=
wp-user-profiles/assets/js/user-profiles.js?ver=
wp-user-profiles/assets/js/app-passwords.js?ver=

HTML / DOM Fingerprints

CSS Classes
wp-user-profiles-admin-wrap · wp-user-profiles-section · wp-user-profiles-metabox
Data Attributes
data-wp-user-profiles-section · data-wp-user-profiles-metabox
JS Globals
wpUserProfile
FAQ

Frequently Asked Questions about WP User Profiles