WP User Profiles Security & Risk Analysis

wordpress.org/plugins/wp-user-profiles

WP User Profiles is a sophisticated way to edit users in WordPress.

300 active installs · v2.6.2 · PHP 7.2+ · WP 5.2+ · Updated Aug 27, 2024
Tags: edit · metabox · profile · user
Score: 68 · Grade: C · Use Caution
CVEs total: 1
Unpatched: 1
Last CVE: Apr 8, 2025
Safety Verdict

Is WP User Profiles Safe to Use in 2026?

Use With Caution

Score 68/100

WP User Profiles has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE · 1 unpatched · Last CVE: Apr 8, 2025 · Updated 1yr ago
Risk Assessment

The wp-user-profiles plugin v2.6.2 exhibits a mixed security posture. On the positive side, the code demonstrates strong adherence to secure coding practices by exclusively using prepared statements for SQL queries and having a high percentage of properly escaped output. Furthermore, it performs a reasonable number of capability checks and includes nonce checks for its entry points. However, significant security concerns arise from the attack surface. All three identified AJAX handlers lack authentication checks, presenting a direct pathway for unauthorized actions. The single external HTTP request is also a potential area for vulnerability if not properly handled. The plugin's vulnerability history, specifically a high-severity, unpatched CVE related to Improper Privilege Management, is a critical red flag that overshadows the positive coding practices. This suggests a recurring pattern of security weaknesses that have not been fully addressed, increasing the risk of exploitation.

Key Concerns

  • Unprotected AJAX handlers
  • Unpatched High severity CVE
  • Flow with unsanitized paths
  • External HTTP request present
Vulnerabilities (1)

WP User Profiles Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched

Severity Breakdown

High
1

1 total CVE

CVE-2025-31524 · High (8.8) · Improper Privilege Management

WP User Profiles <= 2.6.2 - Authenticated (Subscriber+) Privilege Escalation

Apr 8, 2025 · Unpatched
Code Analysis
Analyzed Mar 16, 2026

WP User Profiles Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 21 (102 escaped)
Nonce Checks: 2
Capability Checks: 20
File Operations: 0
External Requests: 1
Bundled Libraries: 0

Output Escaping

83% escaped (123 total outputs)
Data Flows (1 unsanitized)

Data Flow Analysis

7 flows, 1 with unsanitized paths:
wp_user_profiles_filter_role_column (wp-user-profiles\includes\metaboxes\sites-list.php:166)
Attack Surface (3 unprotected)

WP User Profiles Attack Surface

Entry Points: 3
Unprotected: 3

AJAX Handlers (3)

auth · wp_ajax_wp_user_profiles_common_roles · wp-user-profiles\includes\hooks.php:62
auth · wp_ajax_wp_user_profiles_export_roles · wp-user-profiles\includes\hooks.php:63
nopriv · wp_ajax_wp_user_profiles_export_roles · wp-user-profiles\includes\hooks.php:64
WordPress Hooks (41)
action · init · wp-user-profiles\includes\hooks.php:13
action · init · wp-user-profiles\includes\hooks.php:16
action · init · wp-user-profiles\includes\hooks.php:17
action · init · wp-user-profiles\includes\hooks.php:18
action · init · wp-user-profiles\includes\hooks.php:19
action · init · wp-user-profiles\includes\hooks.php:20
action · init · wp-user-profiles\includes\hooks.php:21
action · init · wp-user-profiles\includes\hooks.php:24
action · admin_menu · wp-user-profiles\includes\hooks.php:27
action · network_admin_menu · wp-user-profiles\includes\hooks.php:28
action · user_admin_menu · wp-user-profiles\includes\hooks.php:29
action · wp_user_profiles_do_admin_head · wp-user-profiles\includes\hooks.php:32
action · wp_user_profiles_do_admin_head · wp-user-profiles\includes\hooks.php:33
action · wp_user_profiles_do_admin_load · wp-user-profiles\includes\hooks.php:34
action · wp_user_profiles_do_admin_load · wp-user-profiles\includes\hooks.php:35
action · wp_user_profiles_do_admin_load · wp-user-profiles\includes\hooks.php:36
action · wp_user_profiles_add_meta_boxes · wp-user-profiles\includes\hooks.php:39
action · wp_user_profiles_admin_notices · wp-user-profiles\includes\hooks.php:42
action · admin_init · wp-user-profiles\includes\hooks.php:45
filter · wp_user_profiles_save · wp-user-profiles\includes\hooks.php:46
action · wp_user_profiles_get_admin_notices · wp-user-profiles\includes\hooks.php:47
filter · wp_user_profiles_save_permissions_section · wp-user-profiles\includes\hooks.php:48
filter · map_meta_cap · wp-user-profiles\includes\hooks.php:51
filter · load-profile.php · wp-user-profiles\includes\hooks.php:54
filter · load-user-edit.php · wp-user-profiles\includes\hooks.php:55
filter · edit_profile_url · wp-user-profiles\includes\hooks.php:58
filter · get_edit_user_link · wp-user-profiles\includes\hooks.php:59
filter · wp_user_profiles_show_other_section · wp-user-profiles\includes\hooks.php:67
action · wp_user_profiles_nav_actions · wp-user-profiles\includes\hooks.php:70
action · wp_user_profiles_nav_actions · wp-user-profiles\includes\hooks.php:71
action · bp_init · wp-user-profiles\includes\hooks.php:74
filter · ms_sites_list_table_query_args · wp-user-profiles\includes\metaboxes\sites-list.php:38
filter · views_network-sites · wp-user-profiles\includes\metaboxes\sites-list.php:63
filter · bulk_actions-network-sites · wp-user-profiles\includes\metaboxes\sites-list.php:64
filter · manage_sites_custom_column · wp-user-profiles\includes\metaboxes\sites-list.php:65
filter · screen_options_show_screen · wp-user-profiles\includes\screen-options.php:19
filter · wp_user_profiles_save · wp-user-profiles\includes\sections\base.php:177
action · wp_user_profiles_add_meta_boxes · wp-user-profiles\includes\sections\base.php:180
action · wp_user_profiles_add_contextual_help · wp-user-profiles\includes\sections\base.php:183
action · admin_init · wp-user-profiles\includes\sponsor.php:17
action · plugins_loaded · wp-user-profiles.php:75
Maintenance & Trust

WP User Profiles Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.6.5
Last updated: Aug 27, 2024
PHP min version: 7.2
Downloads: 33K

Community Trust

Rating: 86/100
Number of ratings: 19
Active installs: 300
Developer Profile

WP User Profiles Developer Profile

John James Jacoby

28 plugins · 332K total installs

Trust score: 70
Avg Security Score: 87/100
Avg Patch Time: 1401 days
Detection Fingerprints

How We Detect WP User Profiles

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-user-profiles/assets/css/user-profiles.css
/wp-content/plugins/wp-user-profiles/assets/css/min/ltr/user-profiles.css
/wp-content/plugins/wp-user-profiles/assets/css/min/rtl/user-profiles.css
/wp-content/plugins/wp-user-profiles/assets/js/user-profiles.js
/wp-content/plugins/wp-user-profiles/assets/js/app-passwords.js
Script Paths
/wp-content/plugins/wp-user-profiles/assets/js/user-profiles.js
/wp-content/plugins/wp-user-profiles/assets/js/app-passwords.js
Version Parameters
wp-user-profiles/assets/css/user-profiles.css?ver=
wp-user-profiles/assets/css/min/ltr/user-profiles.css?ver=
wp-user-profiles/assets/css/min/rtl/user-profiles.css?ver=
wp-user-profiles/assets/js/user-profiles.js?ver=
wp-user-profiles/assets/js/app-passwords.js?ver=

HTML / DOM Fingerprints

CSS Classes
wp-user-profiles-admin-wrap
wp-user-profiles-section
wp-user-profiles-metabox
Data Attributes
data-wp-user-profiles-section
data-wp-user-profiles-metabox
JS Globals
wpUserProfile
FAQ

Frequently Asked Questions about WP User Profiles