WP Webhooks – Automate repetitive tasks by creating powerful automation workflows directly within WordPress Security & Risk Analysis

wordpress.org/plugins/wp-webhooks

Automate everything & connect your website, plugins and services together with no-code automations. Browse 100+ integrations...

20K active installs · v3.4.0 · PHP + · WP 4.7+ · Updated Feb 2, 2026
Tags: automate, automation, automator, webhooks, zapier
87
A · Safe
CVEs total: 3
Unpatched: 0
Last CVE: Dec 12, 2025
Safety Verdict

Is WP Webhooks – Automate repetitive tasks by creating powerful automation workflows directly within WordPress Safe to Use in 2026?

Generally Safe

Score 87/100

WP Webhooks – Automate repetitive tasks by creating powerful automation workflows directly within WordPress has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEs · Last CVE: Dec 12, 2025 · Updated 2mo ago
Risk Assessment

The wp-webhooks plugin v3.4.0 presents a mixed security picture. On the positive side, the static analysis indicates a robust implementation of security measures, with all identified AJAX handlers and REST API routes protected by authentication checks. The plugin also demonstrates a strong adherence to secure coding practices by exclusively using prepared statements for its SQL queries and implementing a significant number of nonce and capability checks. Furthermore, the absence of critical or high-severity taint analysis findings suggests that data sanitization and validation are generally well-handled within the analyzed flows.

However, there are notable areas of concern. The low percentage of properly escaped output (14%) is a significant weakness, suggesting a high risk of Cross-Site Scripting (XSS) vulnerabilities. The presence of 5 flows with unsanitized paths in the taint analysis, even without critical or high severity, indicates potential for Path Traversal vulnerabilities, especially when coupled with the plugin's history.

The plugin's vulnerability history is particularly alarming. Three critical CVEs have been recorded, with common types including Unrestricted File Upload, Deserialization of Untrusted Data, and Path Traversal. While there are currently no unpatched vulnerabilities, the past occurrence of critical issues, particularly Path Traversal and Deserialization, is a strong indicator of past weaknesses that could resurface if not rigorously addressed. The most recent vulnerability, disclosed in late 2025, is a concern because it shows that critical issues were still being found recently.

In conclusion, while wp-webhooks v3.4.0 has improved in terms of authentication and SQL practices, the widespread lack of output escaping and the history of critical vulnerabilities, especially Path Traversal and Deserialization, pose significant risks. The 5 unsanitized path flows warrant immediate investigation. The plugin's historical trend with critical issues requires continuous vigilance.

Key Concerns

  • Low percentage of output escaping (14%)
  • 5 flows with unsanitized paths in taint analysis
  • 3 total known CVEs, 2 critical
  • Vulnerability history includes Deserialization of Untrusted Data
  • Vulnerability history includes Unrestricted File Upload
  • Vulnerability history includes Path Traversal
  • Recent critical vulnerability (late 2025)
Vulnerabilities
3

WP Webhooks – Automate repetitive tasks by creating powerful automation workflows directly within WordPress Security Vulnerabilities

CVEs by Year

2025: 3 CVEs

Severity Breakdown

Critical: 2
Medium: 1

3 total CVEs

CVE-2025-66074 · critical · 9.8 · Unrestricted Upload of File with Dangerous Type

Webhooks <= 3.3.8 - Unauthenticated Arbitrary File Upload

Dec 12, 2025 · Patched in 3.3.9 (8d)

CVE-2025-66073 · medium · 6.6 · Deserialization of Untrusted Data

Webhooks <= 3.3.8 - Authenticated (Administrator+) PHP Object Injection

Nov 26, 2025 · Patched in 3.3.9 (6d)

CVE-2025-8895 · critical · 9.8 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

WP Webhooks <= 3.3.5 - Unauthenticated Arbitrary File Copy

Aug 20, 2025 · Patched in 3.3.6 (1d)
Code Analysis
Analyzed Mar 16, 2026

WP Webhooks – Automate repetitive tasks by creating powerful automation workflows directly within WordPress Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (12 prepared)
Unescaped Output: 2421 (392 escaped)
Nonce Checks: 18
Capability Checks: 16
File Operations: 25
External Requests: 3
Bundled Libraries: 0

SQL Query Safety

100% prepared · 12 total queries

Output Escaping

14% escaped · 2813 total outputs

Data Flows: 5 unsanitized

Data Flow Analysis

8 flows · 5 with unsanitized paths
ironikus_test_webhook_trigger (core\includes\classes\class-wp-webhooks-pro-run.php:401)
Attack Surface

WP Webhooks – Automate repetitive tasks by creating powerful automation workflows directly within WordPress Attack Surface

Entry Points: 13
Unprotected: 0

AJAX Handlers 13

auth · wp_ajax_ironikus_add_authentication_template · core\includes\classes\class-wp-webhooks-pro-auth.php:98
auth · wp_ajax_ironikus_load_authentication_template_data · core\includes\classes\class-wp-webhooks-pro-auth.php:99
auth · wp_ajax_ironikus_save_authentication_template · core\includes\classes\class-wp-webhooks-pro-auth.php:100
auth · wp_ajax_ironikus_delete_authentication_template · core\includes\classes\class-wp-webhooks-pro-auth.php:101
auth · wp_ajax_ironikus_manage_extensions · core\includes\classes\class-wp-webhooks-pro-extensions.php:30
auth · wp_ajax_ironikus_add_webhook_trigger · core\includes\classes\class-wp-webhooks-pro-run.php:54
auth · wp_ajax_ironikus_add_webhook_action · core\includes\classes\class-wp-webhooks-pro-run.php:55
auth · wp_ajax_ironikus_remove_webhook_trigger · core\includes\classes\class-wp-webhooks-pro-run.php:56
auth · wp_ajax_ironikus_remove_webhook_action · core\includes\classes\class-wp-webhooks-pro-run.php:57
auth · wp_ajax_ironikus_change_status_webhook_action · core\includes\classes\class-wp-webhooks-pro-run.php:58
auth · wp_ajax_ironikus_test_webhook_trigger · core\includes\classes\class-wp-webhooks-pro-run.php:59
auth · wp_ajax_ironikus_save_webhook_trigger_settings · core\includes\classes\class-wp-webhooks-pro-run.php:60
auth · wp_ajax_ironikus_save_webhook_action_settings · core\includes\classes\class-wp-webhooks-pro-run.php:61

WordPress Hooks 41

action · init · core\class-wp-webhooks-pro.php:213
filter · wpwhpro/admin/webhooks/webhook_data · core\includes\classes\class-wp-webhooks-pro-auth.php:94
filter · wpwhpro/admin/webhooks/webhook_http_args · core\includes\classes\class-wp-webhooks-pro-auth.php:95
action · wpwh_after_header · core\includes\classes\class-wp-webhooks-pro-helpers.php:51
action · admin_notices · core\includes\classes\class-wp-webhooks-pro-helpers.php:53
action · admin_init · core\includes\classes\class-wp-webhooks-pro-helpers.php:57
action · plugins_loaded · core\includes\classes\class-wp-webhooks-pro-integrations.php:32
action · plugins_loaded · core\includes\classes\class-wp-webhooks-pro-integrations.php:33
filter · wpwhpro/webhooks/add_webhook_actions · core\includes\classes\class-wp-webhooks-pro-polling.php:37
action · shutdown · core\includes\classes\class-wp-webhooks-pro-post-delay.php:53
filter · admin_footer_text · core\includes\classes\class-wp-webhooks-pro-run.php:47
action · admin_enqueue_scripts · core\includes\classes\class-wp-webhooks-pro-run.php:49
action · admin_menu · core\includes\classes\class-wp-webhooks-pro-run.php:50
filter · wpwhpro/helpers/throw_admin_notice_bootstrap · core\includes\classes\class-wp-webhooks-pro-run.php:51
filter · wpwhpro/admin/settings/menu_data · core\includes\classes\class-wp-webhooks-pro-run.php:64
action · wpwhpro/admin/settings/menu/place_content · core\includes\classes\class-wp-webhooks-pro-run.php:65
action · admin_init · core\includes\classes\class-wp-webhooks-pro-run.php:68
action · admin_init · core\includes\classes\class-wp-webhooks-pro-run.php:71
action · plugins_loaded · core\includes\classes\class-wp-webhooks-pro-webhook.php:74
action · init · core\includes\classes\class-wp-webhooks-pro-webhook.php:77
action · admin_notices · core\includes\integrations\contactform7\contactform7.php:29
action · wp_insert_post · core\includes\integrations\edd\actions\edd_create_download.php:783
action · edd_complete_purchase · core\includes\integrations\edd\actions\edd_create_payment.php:460
action · edd_complete_purchase · core\includes\integrations\edd\actions\edd_create_payment.php:464
action · wp_insert_post · core\includes\integrations\edd\actions\edd_update_download.php:792
action · admin_notices · core\includes\integrations\edd\edd.php:29
action · admin_notices · core\includes\integrations\woocommerce\woocommerce.php:29
action · wp_insert_comment · core\includes\integrations\wordpress\actions\create_comment.php:301
action · edit_comment · core\includes\integrations\wordpress\actions\update_comment.php:351
filter · wpwhpro/remote_file_control/validate_path · core\includes\integrations\wordpress\helpers\file_helpers.php:69
filter · wpwhpro/manage_media_files/validate_path · core\includes\integrations\wordpress\helpers\file_helpers.php:70
action · admin_notices · core\includes\integrations\wordpress\wordpress.php:26
action · admin_notices · core\includes\integrations\wordpress\wordpress.php:31
action · admin_notices · core\includes\integrations\wordpress\wordpress.php:36
action · admin_notices · core\includes\integrations\wordpress\wordpress.php:41
action · admin_notices · core\includes\integrations\wordpress\wordpress.php:46
action · admin_notices · core\includes\integrations\wordpress\wordpress.php:51
filter · wp_redirect · core\includes\integrations\wpreset\actions\reset_wp.php:113
filter · wp-reset-override-is-cli-running · core\includes\integrations\wpreset\actions\reset_wp.php:114
action · admin_notices · core\includes\integrations\wpreset\wpreset.php:29
action · admin_notices · wp-webhooks.php:63

Scheduled Events 1

wpwh_daily_maintenance
Maintenance & Trust

WP Webhooks – Automate repetitive tasks by creating powerful automation workflows directly within WordPress Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 2, 2026
PHP min version
Downloads: 297K

Community Trust

Rating: 92/100
Number of ratings: 54
Active installs: 20K
Developer Profile

WP Webhooks – Automate repetitive tasks by creating powerful automation workflows directly within WordPress Developer Profile

Cozmoslabs

11 plugins · 520K total installs

Trust score: 69
Avg Security Score: 85/100
Avg Patch Time: 634 days
Detection Fingerprints

How We Detect WP Webhooks – Automate repetitive tasks by creating powerful automation workflows directly within WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-webhooks/core/includes/assets/dist/css/admin-styles.min.css
/wp-content/plugins/wp-webhooks/core/includes/assets/dist/css/admin-styles.css
/wp-content/plugins/wp-webhooks/core/includes/assets/dist/js/admin-vendor.min.js
/wp-content/plugins/wp-webhooks/core/includes/assets/dist/js/admin-vendor.js
/wp-content/plugins/wp-webhooks/core/includes/assets/dist/js/admin-scripts.min.js
/wp-content/plugins/wp-webhooks/core/includes/assets/dist/js/admin-scripts.js
Script Paths
https://fonts.googleapis.com/css2?family=Mulish:wght@300;400;700&family=Poppins:wght@500&display=swap
Version Parameters
wp-webhooks/style.css?ver=
wp-webhooks/script.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpwhpro-admin-styles
wpwhpro-admin-vendors
wpwhpro-admin-scripts
Data Attributes
data-wpwhpro-nonce
JS Globals
ironikus
REST Endpoints
/wp-json/wp-webhooks/
FAQ

Frequently Asked Questions about WP Webhooks – Automate repetitive tasks by creating powerful automation workflows directly within WordPress