WP w3all phpBB Security & Risk Analysis

wordpress.org/plugins/wp-w3all-phpbb-integration

w3all WP phpBB integration - easy, light.

300 active installs · v3.0.4 · PHP 7.2+ · WP 6.0.0+ · Updated Oct 12, 2025
Tags: integration, login, phpbb, template, user
Score: 98 · A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Apr 9, 2025
Safety Verdict

Is WP w3all phpBB Safe to Use in 2026?

Generally Safe

Score 98/100

WP w3all phpBB has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Apr 9, 2025 · Updated 5mo ago
Risk Assessment

The 'wp-w3all-phpbb-integration' plugin version 3.0.4 presents a mixed security posture. While it has a relatively small attack surface with no unprotected entry points identified in the static analysis, and there are no currently unpatched CVEs, several significant concerns arise from the code signals and taint analysis. The high number of dangerous functions like `unserialize` and `preg_replace(/e)`, coupled with the complete lack of prepared statements for SQL queries, indicate a substantial risk of injection vulnerabilities and insecure deserialization. Furthermore, only 29% of outputs are properly escaped, leaving room for cross-site scripting (XSS) vulnerabilities.

The vulnerability history, although showing no critical or high severity CVEs currently unpatched, does reveal a pattern of medium severity issues, primarily Cross-Site Request Forgery (CSRF). This history, combined with the static analysis findings, suggests a plugin that has historically struggled with robust input validation and output sanitization. The presence of 8 flows with unsanitized paths in the taint analysis is particularly worrying and could lead to serious security breaches if exploited. Overall, while the absence of unpatched critical CVEs is a positive sign, the underlying code quality issues, particularly around SQL and data handling, necessitate caution and thorough review.

Key Concerns

  • Dangerous functions: unserialize, preg_replace(/e)
  • SQL queries: 0% using prepared statements
  • Output escaping: only 29% properly escaped
  • Taint analysis: 8 flows with unsanitized paths
  • Vulnerability history: 2 medium CVEs
Vulnerabilities: 2

WP w3all phpBB Security Vulnerabilities

CVEs by Year: 2 CVEs in 2025

Severity Breakdown: Medium 2 (2 total CVEs)

CVE-2025-32575 · medium · 6.1 · Cross-Site Request Forgery (CSRF)
WP w3all phpBB <= 2.9.9 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Apr 9, 2025 · Patched in 3.0.0 (93d)

CVE-2025-32274 · medium · 6.1 · Cross-Site Request Forgery (CSRF)
WP w3all phpBB <= 2.9.8 - Cross-Site Request Forgery
Apr 4, 2025 · Patched in 2.9.9 (98d)
Code Analysis
Analyzed Mar 16, 2026

WP w3all phpBB Code Analysis

Dangerous Functions: 43
Raw SQL Queries: 206 (0 prepared)
Unescaped Output: 383 (153 escaped)
Nonce Checks: 5
Capability Checks: 30
File Operations: 2
External Requests: 1
Bundled Libraries: 0

Dangerous Functions Found

unserialize · $w3all_config_avatars = unserialize($config_avatars); · admin\config.php:79
unserialize · $w3all_conf_pref = empty(trim($w3all_conf_pref)) ? array() : unserialize($w3all_conf_pref); · admin\config.php:81
unserialize · $w3all_iframe_phpbb_link = unserialize(get_option('w3all_conf_pref_template_embed_link')); · admin\config.php:84
unserialize · $phpbb_config = unserialize(W3PHPBBCONFIG); · admin\wp_w3all_users_fix_phpbb_usernames.php:9
unserialize · $phpbb_config = unserialize(W3PHPBBCONFIG); · admin\wp_w3all_users_fix_wp_usernames.php:12
unserialize · $w3all_conf_pref = empty(trim($w3all_conf_pref)) ? array() : unserialize($w3all_conf_pref); · class.wp.w3all-admin.php:19
preg_replace(/e) · preg_replace('~\<s\>\[code\]\</s\>(.*?)\<e\>\[/code\]\</e · class.wp.w3all-phpbb.php:2889
unserialize · $r = unserialize($w3all_config_db['option_value']); · class.wp.w3all-phpbb.php:100
unserialize · $metavS = unserialize($wpuS->meta); · class.wp.w3all-phpbb.php:1411
unserialize · $ned = unserialize($um[0]); · class.wp.w3all-phpbb.php:1763
unserialize · $phpbb_unread_topics = empty($phpbb_unread_topics) ? array() : unserialize($phpbb_unread_topics); · class.wp.w3all-phpbb.php:2545
unserialize · $phpbb_unread_topics = unserialize(W3UNREADTOPICS); · class.wp.w3all-phpbb.php:2600
unserialize · $last_topics = unserialize(W3PHPBBLASTOPICS); // see wp_w3all.php · class.wp.w3all-phpbb.php:2605
unserialize · $phpbb_unread_topics = unserialize(W3UNREADTOPICS); · class.wp.w3all-phpbb.php:2736
unserialize · $short_call_add_users_ava = unserialize(W3ALLFORUMSIDSSHORT); · class.wp.w3all-phpbb.php:3097
unserialize · $w3all_last_posts_users = unserialize(W3PHPBBLASTOPICS); · class.wp.w3all-phpbb.php:3132
unserialize · $uids_urls = unserialize(W3ALLPHPBBUAVA); · class.wp.w3all-phpbb.php:3235
unserialize · $uids_urls = unserialize(W3ALLPHPBBUAVAADDSHORTUSERS); · class.wp.w3all-phpbb.php:3238
unserialize · $uids_urls = unserialize(W3ALLPHPBBUAVA); · class.wp.w3all-phpbb.php:3301
unserialize · $phpbb_unread_topics = unserialize(W3UNREADTOPICS); · class.wp.w3all.widgets-phpbb.php:151
unserialize · $last_topics = unserialize(W3PHPBBLASTOPICS); // see wp_w3all.php · class.wp.w3all.widgets-phpbb.php:156
unserialize · $wpunewemail = unserialize($wpunewemail->meta_value); · functions.php:820
unserialize · $w3phpbbuava = unserialize(W3ALLPHPBBUAVA); · views\phpbb_last_topics.php:19
unserialize · $nd = unserialize($nnn->notification_data); · views\wp_w3all_phpbb_unotifications_short.php:73
unserialize · $nd = unserialize($nnn->notification_data); · views\wp_w3all_phpbb_unotifications_short.php:79
unserialize · $nd = unserialize($nnn->notification_data); · views\wp_w3all_phpbb_unotifications_short.php:85
unserialize · $nd = unserialize($nnn->notification_data); · views\wp_w3all_phpbb_unotifications_short.php:91
unserialize · $nd = unserialize($nnn->notification_data); · views\wp_w3all_phpbb_unotifications_short.php:98
unserialize · $nd = unserialize($nnn->notification_data); · views\wp_w3all_phpbb_unotifications_short.php:106
unserialize · $nd = unserialize($nnn->notification_data); · views\wp_w3all_phpbb_unotifications_short.php:111
unserialize · $nd = unserialize($nnn->notification_data); · views\wp_w3all_phpbb_unotifications_short.php:118
unserialize · $nd = unserialize($nnn->notification_data); · views\wp_w3all_phpbb_unotifications_short.php:125
unserialize · $nd = unserialize($nnn->notification_data); · views\wp_w3all_phpbb_unotifications_short.php:130
unserialize · $nd = unserialize($nnn->notification_data); · views\wp_w3all_phpbb_unotifications_short.php:137
unserialize · $nd = unserialize($nnn->notification_data); · views\wp_w3all_phpbb_unotifications_short.php:143
unserialize · $nd = unserialize($nnn->notification_data); · views\wp_w3all_phpbb_unotifications_short.php:149
unserialize · $nd = unserialize($nnn->notification_data); · views\wp_w3all_phpbb_unotifications_short.php:155
unserialize · $nd = unserialize($nnn->notification_data); · views\wp_w3all_phpbb_unotifications_short.php:161
unserialize · $nd = unserialize($nnn->notification_data); · views\wp_w3all_phpbb_unotifications_short.php:167
unserialize · $nd = unserialize($nnn->notification_data); · views\wp_w3all_phpbb_unotifications_short.php:172
unserialize · $w3all_iframe_phpbb_link = !empty(get_option('w3all_conf_pref_template_embed_link')) ? unserialize(g · wp_w3all.php:74
unserialize · $w3all_config_avatars = unserialize($config_avatars); · wp_w3all.php:87
unserialize · $w3all_conf_pref = empty($w3all_conf_pref) ? array() : unserialize($w3all_conf_pref); · wp_w3all.php:93

SQL Query Safety

0% prepared · 206 total queries

Output Escaping

29% escaped · 536 total outputs

Data Flows: 8 unsanitized

Data Flow Analysis

17 flows · 8 with unsanitized paths
<page-forum> (addons\page-forum.php:0)
Attack Surface

WP w3all phpBB Attack Surface

Entry Points: 9
Unprotected: 0

Shortcodes 9

[w3allphpbbiframe] common\wp_phpbb_iframe_shortcode.php:7
[w3allogin] wp_w3all.php:358
[w3all_phpbb_unotifications] wp_w3all.php:369
[w3allphpbbuserposts] wp_w3all.php:375
[w3allphpbbupm] wp_w3all.php:376
[w3allforumpost] wp_w3all.php:377
[w3allastopics] wp_w3all.php:378
[w3allastopicforumsids] wp_w3all.php:379
[w3allastopicswithimage] wp_w3all.php:381
WordPress Hooks 58
action · wp_enqueue_scripts · addons\page-forum.php:224
action · wp_head · addons\page-forum.php:225
action · admin_menu · class.wp.w3all-admin.php:6
filter · get_avatar · class.wp.w3all-phpbb.php:3287
filter · get_avatar · class.wp.w3all-phpbb.php:3289
action · widgets_init · class.wp.w3all.widgets-phpbb.php:281
filter · wpmem_register_data · common\custom_functions.php:20
action · wp_enqueue_scripts · common\wp_phpbb_iframe_shortcode.php:5
action · wp_head · common\wp_phpbb_iframe_shortcode.php:6
action · init · wp_w3all.php:227
action · init · wp_w3all.php:228
action · init · wp_w3all.php:229
action · user_profile_update_errors · wp_w3all.php:236
action · profile_update · wp_w3all.php:237
action · user_register · wp_w3all.php:238
action · delete_user · wp_w3all.php:239
action · delete_user · wp_w3all.php:247
action · deleted_user · wp_w3all.php:248
action · set_logged_in_cookie · wp_w3all.php:251
action · admin_bar_menu · wp_w3all.php:254
action · init · wp_w3all.php:259
action · init · wp_w3all.php:313
filter · login_message · wp_w3all.php:320
filter · login_message · wp_w3all.php:326
filter · pre_user_email · wp_w3all.php:335
action · init · wp_w3all.php:339
filter · auth_cookie_expiration · wp_w3all.php:341
filter · registration_errors · wp_w3all.php:343
action · user_register · wp_w3all.php:344
action · password_reset · wp_w3all.php:345
action · wp_authenticate · wp_w3all.php:347
action · profile_update · wp_w3all.php:349
action · delete_user · wp_w3all.php:350
action · user_profile_update_errors · wp_w3all.php:351
action · admin_bar_menu · wp_w3all.php:353
filter · authenticate · wp_w3all.php:356
action · init · wp_w3all.php:364
action · wp_logout · wp_w3all.php:391
action · init · wp_w3all.php:399
action · wp_login · wp_w3all.php:405
action · init · wp_w3all.php:408
action · wp_head · wp_w3all.php:410
filter · lostpassword_url · wp_w3all.php:416
filter · register_url · wp_w3all.php:417
filter · validate_username · wp_w3all.php:422
action · init · wp_w3all.php:423
filter · wp_pre_insert_user_data · wp_w3all.php:425
action · wp_enqueue_scripts · wp_w3all.php:430
action · init · wp_w3all.php:655
action · network_user_new_created_user · wp_w3all.php:659
filter · wpmu_validate_user_signup · wp_w3all.php:665
action · wpmu_delete_user · wp_w3all.php:667
action · wpmu_activate_user · wp_w3all.php:669
action · wpmu_new_user · wp_w3all.php:671
action · remove_user_from_blog · wp_w3all.php:672
action · wp_footer · wp_w3all.php:683
action · init · wp_w3all.php:684
filter · heartbeat_received · wp_w3all.php:685
Maintenance & Trust

WP w3all phpBB Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Oct 12, 2025
PHP min version: 7.2
Downloads: 82K

Community Trust

Rating: 94/100
Number of ratings: 31
Active installs: 300
Developer Profile

WP w3all phpBB Developer Profile

axew3

1 plugin · 300 total installs

Trust score: 78
Avg Security Score: 98/100
Avg Patch Time: 96 days
Detection Fingerprints

How We Detect WP w3all phpBB

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-w3all-phpbb-integration/
/wp-content/plugins/wp-w3all-phpbb-integration/phpbb/phpbb_functions.php
/wp-content/plugins/wp-w3all-phpbb-integration/phpbb/phpbb_adapter.php
/wp-content/plugins/wp-w3all-phpbb-integration/phpbb/w3all_user_phpbb.php
/wp-content/plugins/wp-w3all-phpbb-integration/phpbb/w3all_phpbb_session.php
/wp-content/plugins/wp-w3all-phpbb-integration/js/w3all_script.js
/wp-content/plugins/wp-w3all-phpbb-integration/css/w3all_style.css
Script Paths
/wp-content/plugins/wp-w3all-phpbb-integration/js/w3all_script.js
Version Parameters
wp-w3all-phpbb-integration/phpbb/phpbb_functions.php?ver=
wp-w3all-phpbb-integration/phpbb/phpbb_adapter.php?ver=
wp-w3all-phpbb-integration/phpbb/w3all_user_phpbb.php?ver=
wp-w3all-phpbb-integration/phpbb/w3all_phpbb_session.php?ver=
wp-w3all-phpbb-integration/js/w3all_script.js?ver=
wp-w3all-phpbb-integration/css/w3all_style.css?ver=

HTML / DOM Fingerprints

CSS Classes
w3all_phpbb_iframe
Data Attributes
w3all_phpbb_iframe
JS Globals
w3all_phpbb_ajax_url
w3all_phpbb_phpbb_url
w3all_phpbb_phpbb_url_path
w3all_phpbb_pass_hash_way
w3all_phpbb_pass_salt
w3all_phpbb_cookie_domain