WP-Safety

WPAlerts Security & Risk Analysis

wordpress.org/plugins/wpalerts

WPAlerts is a web-based software (http://wp-alerts.com/) that allows one person to update multiple WordPress web sites from one dashboard.

10 active installs v1.5.3 PHP + WP 3.0+ Updated Apr 22, 2017
pluginsthemesupdateswordpress-coreswpalerts
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is WPAlerts Safe to Use in 2026?

Generally Safe

Score 85/100

WPAlerts has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 9yr ago
Risk Assessment

The wpalerts plugin v1.5.3 exhibits a mixed security posture. On the positive side, it demonstrates good practices by having a very limited attack surface with no unprotected entry points and all SQL queries utilizing prepared statements. The absence of known vulnerabilities and a clean vulnerability history are also strong indicators of a generally secure plugin.

However, several significant concerns are raised by the static analysis. The presence of the 'shell_exec' dangerous function is a major red flag, as it can lead to arbitrary code execution if not handled with extreme caution and proper sanitization. While no taint flows were identified, the potential for exploitation via 'shell_exec' remains high. Furthermore, the plugin's output escaping is only at 55%, suggesting a substantial risk of cross-site scripting (XSS) vulnerabilities. The large number of file operations also warrants scrutiny, as misconfigurations or vulnerabilities in these could lead to data leakage or compromise.

In conclusion, while the plugin has a clean history and a controlled entry point, the identified 'shell_exec' function and the significant portion of unescaped output present critical security risks. These issues demand immediate attention and remediation to improve the plugin's overall security. The plugin's strengths lie in its limited attack surface and secure database interactions, but these are overshadowed by the potential for severe exploitation through the identified code signals.

Key Concerns

  • Dangerous function (shell_exec) found
  • Significant portion of outputs not properly escaped
  • No capability checks on entry points
Vulnerabilities
None known

WPAlerts Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

WPAlerts Release Timeline

v1.5
v1.0
Code Analysis
Analyzed Mar 16, 2026

WPAlerts Code Analysis

Dangerous Functions
9
Raw SQL Queries
0
1 prepared
Unescaped Output
5
6 escaped
Nonce Checks
1
Capability Checks
0
File Operations
46
External Requests
2
Bundled Libraries
0

Dangerous Functions Found

shell_execif ( ! @shell_exec( 'echo backupwordpress' ) )wpalerts.php:532
shell_execif ( is_null( shell_exec( 'hash mysqldump 2>&1' ) ) ) {wpalerts.php:791
shell_execif ( is_null( shell_exec( 'hash zip 2>&1' ) ) ) {wpalerts.php:843
shell_exec$stderr = shell_exec( $cmd );wpalerts.php:999
shell_exec$error = shell_exec( 'cd ' . escapeshellarg( $this->get_path() ) . ' && ' . escapeshellcmd( $this->gwpalerts.php:1141
shell_exec$stderr = shell_exec( 'cd ' . escapeshellarg( $this->get_root() ) . ' && ' . escapeshellcmd( $this->wpalerts.php:1236
shell_exec$stderr = shell_exec( 'cd ' . escapeshellarg( $this->get_root() ) . ' && ' . escapeshellcmd( $this->wpalerts.php:1240
shell_exec$stderr = shell_exec( 'cd ' . escapeshellarg( $this->get_path() ) . ' && ' . escapeshellcmd( $this->wpalerts.php:1246
shell_execreturn shell_exec( 'cd ' . escapeshellarg( $this->get_root() ) . ' && ' . escapeshellcmd( $this->getwpalerts.php:1265

SQL Query Safety

100% prepared1 total queries

Output Escaping

55% escaped11 total outputs
Attack Surface

WPAlerts Attack Surface

Entry Points1
Unprotected0

AJAX Handlers 1

noprivwp_ajax_wpalerts_calculate_backup_sizewpalerts.php:2124
WordPress Hooks 6
actioninitwpalerts.php:46
actionadmin_initwpalerts.php:47
actionadmin_menuwpalerts.php:48
actionadmin_noticeswpalerts.php:49
filterrequest_filesystem_credentialswpalerts.php:50
filterpre_site_transient_update_pluginswpalerts.php:213
Maintenance & Trust

WPAlerts Maintenance & Trust

Maintenance Signals

WordPress version tested4.7.33
Last updatedApr 22, 2017
PHP min version
Downloads2K

Community Trust

Rating60/100
Number of ratings2
Active installs10
Alternatives

WPAlerts Alternatives

Advanced Automatic Updates

Advanced Automatic Updates

automatic-updater

A
85

Adds extra options to WordPress' built-in Automatic Updates feature.

30K No CVEs
WP Disables Updates

WP Disables Updates

wp-disable-updates

A
85

WP Disables Updates allow you to disables plugin or themes or wordpress core updates.

800 No CVEs
Site Update Notification

Site Update Notification

site-update-notification

A
92

A plugin that sends email notifications when plugins, themes, or WordPress need updates.

50 No CVEs
Version Locker

Version Locker

version-locker

A
100

Lock plugin and theme updates to prevent accidental or automatic updates. Simple, secure update control for WordPress.

20 No CVEs
L7 Automatic Updates

L7 Automatic Updates

l7-automatic-updates

A
85

Set individual plugins, major and minor WordPress releases, themes and all plugins to automatically update.

10 No CVEs
Developer Profile

WPAlerts Developer Profile

webstylemedia

1 plugin · 10 total installs

84
trust score
Avg Security Score
85/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect WPAlerts

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wpalerts/css/wpalerts-admin.css/wp-content/plugins/wpalerts/js/wpalerts-admin.js
Script Paths
/wp-content/plugins/wpalerts/js/wpalerts-admin.js
Version Parameters
wpalerts/css/wpalerts-admin.css?ver=wpalerts/js/wpalerts-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpalerts-api-key-description
Data Attributes
data-wp-alert-id
JS Globals
wpalerts_admin_obj
FAQ

Frequently Asked Questions about WPAlerts