WPC Admin Columns Security & Risk Analysis

wordpress.org/plugins/wpc-admin-columns

WPC Admin Columns offers a listing of columns in the admin dashboards for different post-types.

1K active installs v2.2.0 PHP + WP 4.0+ Updated Mar 14, 2026
Tags: admin, backend, columns, wp, wpc
Score: 98 (A · Safe)
CVEs total: 1
Unpatched: 0
Last CVE: Apr 11, 2025
Safety Verdict

Is WPC Admin Columns Safe to Use in 2026?

Generally Safe

Score 98/100

WPC Admin Columns has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

1 known CVE · Last CVE: Apr 11, 2025 · Updated 2mo ago
Risk Assessment

The 'wpc-admin-columns' plugin v2.2.0 exhibits a mixed security posture. On the positive side, it demonstrates good practices with a high percentage of properly escaped outputs, robust nonce checks, and capability checks. The absence of taint vulnerabilities with unsanitized paths, raw SQL queries without prepared statements, or file operations is also a strong indicator of secure coding. However, the presence of two AJAX handlers without authentication checks represents a significant concern, creating potential entry points for unauthorized actions. The use of the `unserialize` function, though not flagged as a taint flow, inherently carries risks if the input is not strictly controlled, especially in the context of unprotected AJAX endpoints.

The vulnerability history reveals a past high-severity CVE related to Improper Privilege Management. This vulnerability was patched in 2.1.1, and the fact that there are no active unpatched CVEs is a positive sign. However, the historical presence of a high-severity issue suggests that the plugin has had exploitable weaknesses in the past. The bundled library 'Select2' is noted, and while not explicitly flagged as outdated, it's an area that could warrant further investigation for potential vulnerabilities if not kept up-to-date.

In conclusion, while the plugin shows strengths in output escaping, nonce and capability checks, and the absence of critical taint issues, the unprotected AJAX handlers are a substantial risk. The historical vulnerability should also be considered, emphasizing the need for ongoing vigilance and prompt patching of any future issues. The overall security is adequate but requires attention to the identified attack surface weaknesses.

Key Concerns

  • AJAX handlers without auth checks
  • Dangerous function: unserialize
  • High severity vulnerability history
Vulnerabilities
1 published

WPC Admin Columns Security Vulnerabilities

CVEs by Year

2025: 1 CVE

Severity Breakdown

High: 1

1 total CVE

CVE-2025-3418 · high · 8.8 · Improper Privilege Management

WPC Admin Columns 2.0.6 - 2.1.0 - Authenticated (Subscriber+) Privilege Escalation via User Meta Update

Apr 11, 2025 Patched in 2.1.1 (1d)
Version History

WPC Admin Columns Release Timeline

v2.2.0 · Current
v2.1.9
v2.1.8
v2.1.7
v2.1.6
v2.1.5
v2.1.4
v2.1.3
v2.1.2
v2.1.1
v2.1.0 · 1 CVE
v2.0.9 · 1 CVE
v2.0.8 · 1 CVE
v2.0.7 · 1 CVE
v2.0.6 · 1 CVE
v2.0.5 · 1 CVE
v2.0.4 · 1 CVE
v2.0.3 · 1 CVE
v2.0.2 · 1 CVE
v2.0.1 · 1 CVE
Code Analysis
Analyzed Mar 16, 2026

WPC Admin Columns Code Analysis

Dangerous Functions: 3
Raw SQL Queries: 2 (4 prepared)
Unescaped Output: 35 (455 escaped)
Nonce Checks: 15
Capability Checks: 7
File Operations: 0
External Requests: 3
Bundled Libraries: 1

Dangerous Functions Found

unserialize · `$plugins = unserialize( $response['body'] );` · includes\dashboard\wpc-dashboard.php:101
unserialize · `$plugins = unserialize( $response['body'] );` · includes\dashboard\wpc-dashboard.php:179
unserialize · `$plugins = unserialize( $response['body'] );` · includes\kit\wpc-kit.php:98

Bundled Libraries

Select2

SQL Query Safety

67% prepared · 6 total queries

Output Escaping

93% escaped · 490 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

7 flows
ajax_save_columns (includes\class-backend.php:711)
Attack Surface
2 unprotected

WPC Admin Columns Attack Surface

Entry Points: 14
Unprotected: 2

AJAX Handlers: 14

auth · wp_ajax_wpcac_add_column · includes\class-backend.php:31
auth · wp_ajax_wpcac_save_columns · includes\class-backend.php:32
auth · wp_ajax_wpcac_reset_columns · includes\class-backend.php:33
auth · wp_ajax_wpcac_edit_get · includes\class-backend.php:34
auth · wp_ajax_wpcac_edit_save · includes\class-backend.php:35
auth · wp_ajax_wpcac_search_terms · includes\class-backend.php:36
auth · wp_ajax_wpcac_search_tags · includes\class-backend.php:37
auth · wp_ajax_wpcac_product_variations · includes\class-backend.php:38
auth · wp_ajax_wpcac_intro_done · includes\class-backend.php:39
auth · wp_ajax_wpc_get_plugins · includes\dashboard\wpc-dashboard.php:9
auth · wp_ajax_wpc_get_suggestion · includes\dashboard\wpc-dashboard.php:10
auth · wp_ajax_wpc_export · includes\dashboard\wpc-dashboard.php:11
auth · wp_ajax_wpc_import · includes\dashboard\wpc-dashboard.php:12
auth · wp_ajax_wpc_get_essential_kit · includes\kit\wpc-kit.php:22

WordPress Hooks: 27

action · init · includes\class-backend.php:24
action · wp_loaded · includes\class-backend.php:25
action · admin_init · includes\class-backend.php:26
action · admin_enqueue_scripts · includes\class-backend.php:27
action · admin_footer · includes\class-backend.php:28
action · admin_action_wpcac_duplicate · includes\class-backend.php:42
action · save_post · includes\class-backend.php:45
action · wp_update_user · includes\class-backend.php:48
action · admin_init · includes\class-backend.php:51
filter · pre_update_option · includes\class-backend.php:52
action · admin_menu · includes\class-backend.php:53
filter · plugin_action_links · includes\class-backend.php:54
filter · plugin_row_meta · includes\class-backend.php:55
filter · manage_plugins_columns · includes\class-backend.php:116
action · manage_plugins_custom_column · includes\class-backend.php:117
filter · manage_edit-comments_columns · includes\class-backend.php:120
action · manage_comments_custom_column · includes\class-backend.php:121
filter · manage_media_columns · includes\class-backend.php:124
action · manage_media_custom_column · includes\class-backend.php:125
filter · pre_get_posts · includes\class-backend.php:128
action · admin_enqueue_scripts · includes\dashboard\wpc-dashboard.php:7
action · admin_menu · includes\dashboard\wpc-dashboard.php:8
action · admin_enqueue_scripts · includes\kit\wpc-kit.php:20
action · admin_menu · includes\kit\wpc-kit.php:21
filter · wp_kses_allowed_html · includes\kses.php:5
action · admin_init · includes\log\wpc-log.php:6
action · plugins_loaded · wpc-admin-columns.php:36
Maintenance & Trust

WPC Admin Columns Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 14, 2026
PHP min version
Downloads: 23K

Community Trust

Rating: 100/100
Number of ratings: 4
Active installs: 1K
Developer Profile

WPC Admin Columns Developer Profile

WPClever

73 plugins · 441K total installs

Trust score: 87
Avg Security Score: 99/100
Avg Patch Time: 76 days
Detection Fingerprints

How We Detect WPC Admin Columns

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wpc-admin-columns/assets/css/hint.css
/wp-content/plugins/wpc-admin-columns/assets/libs/intro/introjs.css
/wp-content/plugins/wpc-admin-columns/assets/libs/select2/select2.min.css
/wp-content/plugins/wpc-admin-columns/assets/css/wpc-backend.css
/wp-content/plugins/wpc-admin-columns/assets/libs/intro/intro.js
/wp-content/plugins/wpc-admin-columns/assets/libs/select2/select2.min.js
/wp-content/plugins/wpc-admin-columns/assets/js/wpc-backend.js

Version Parameters
wpc-admin-columns/assets/css/hint.css?ver=
wpc-admin-columns/assets/libs/intro/introjs.css?ver=
wpc-admin-columns/assets/libs/select2/select2.min.css?ver=
wpc-admin-columns/assets/css/wpc-backend.css?ver=
wpc-admin-columns/assets/libs/intro/intro.js?ver=
wpc-admin-columns/assets/libs/select2/select2.min.js?ver=
wpc-admin-columns/assets/js/wpc-backend.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpcac-backend
Data Attributes
data-wpcac
JS Globals
wpc_backend_params
FAQ

Frequently Asked Questions about WPC Admin Columns