WPChef Security & Risk Analysis

wordpress.org/plugins/wpchef

Quickly set up a preconfigured WordPress site or expand an existing one using a recipe which is a set of plugins, options, themes and content pieces.

30 active installs · v2.1.2 · PHP + · WP 4.2+ · Updated Apr 17, 2018
85
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is WPChef Safe to Use in 2026?

Generally Safe

Score 85/100

WPChef has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 8yr ago
Risk Assessment

The wpchef v2.1.2 plugin exhibits a mixed security posture. On the positive side, it demonstrates excellent practices regarding SQL query sanitization, using prepared statements exclusively, and it has no recorded vulnerability history, which is a strong indicator of responsible development and maintenance. However, a significant concern arises from the large attack surface, particularly the 12 unprotected AJAX handlers, which present a substantial risk of unauthorized actions if these entry points are not adequately secured.

The static analysis reveals potential risks related to these unprotected AJAX endpoints. While no critical or high severity taint flows were identified, the presence of 17 flows with unsanitized paths indicates a possibility of subtle vulnerabilities that might not have been flagged as critical by automated analysis but still warrant careful review. The use of dangerous functions like `set_time_limit` also adds a layer of caution, as its misuse can lead to denial-of-service conditions. The relatively low percentage of properly escaped output (71%) is another area of concern, suggesting a potential for cross-site scripting (XSS) vulnerabilities.

Despite the lack of past CVEs, the current findings necessitate attention. The significant number of unprotected AJAX endpoints is the most immediate and substantial risk. The plugin's strengths in SQL sanitization and its clean vulnerability history are commendable, but these are overshadowed by the potential for exploitation through exposed functionality. A balanced conclusion is that while the core data handling appears robust, the plugin's exterior, specifically its AJAX interfaces, needs immediate hardening.

Key Concerns

  • 12 unprotected AJAX handlers
  • 71% output properly escaped
  • 17 flows with unsanitized paths
  • 5 dangerous functions (set_time_limit)
Vulnerabilities
None known

WPChef Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

WPChef Release Timeline

v2.1.2 (Current)
v2.0.1
Code Analysis
Analyzed Apr 16, 2026

WPChef Code Analysis

Dangerous Functions: 5
Raw SQL Queries: 0 (6 prepared)
Unescaped Output: 163 (392 escaped)
Nonce Checks: 16
Capability Checks: 3
File Operations: 4
External Requests: 2
Bundled Libraries: 0

Dangerous Functions Found

set_time_limit · set_time_limit( 200 ); · wpchef.php:2972
set_time_limit · set_time_limit( 200 ); · wpchef.php:3010
set_time_limit · set_time_limit( 300 ); · wpchef.php:3337
set_time_limit · set_time_limit( 200 ); · wpchef.php:3432
set_time_limit · set_time_limit( 200 ); · wpchef.php:3490

SQL Query Safety

100% prepared · 6 total queries

Output Escaping

71% escaped · 555 total outputs
Data Flows · Security
17 unsanitized

Data Flow Analysis

22 flows · 17 with unsanitized paths
ajax_list_item (inc/editor.php:848)
[Flow diagram; legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized]
Attack Surface
12 unprotected

WPChef Attack Surface

Entry Points: 20
Unprotected: 12

AJAX Handlers 20

auth · wp_ajax_wpchef_search_packages · inc/editor.php:27
auth · wp_ajax_wpchef_add_ingredient · inc/editor.php:29
auth · wp_ajax_wpchef_ingredient · inc/editor.php:30
auth · wp_ajax_wpchef_check_user · inc/editor.php:40
auth · wp_ajax_wpchef_get_stats · inc/stats.php:14
nopriv · wp_ajax_wpchef_get_stats · inc/stats.php:15
auth · wp_ajax_wpchef_check_client · wpchef.php:124
nopriv · wp_ajax_wpchef_check_client · wpchef.php:125
nopriv · wp_ajax_recipe_steps · wpchef.php:130
auth · wp_ajax_recipe_steps · wpchef.php:141
auth · wp_ajax_wpchef_snapshot · wpchef.php:144
auth · wp_ajax_wpchef_recent_options · wpchef.php:145
auth · wp_ajax_wpchef_fs_credentials · wpchef.php:146
auth · wp_ajax_wpchef_recipe_delete · wpchef.php:147
auth · wp_ajax_wpchef_activate · wpchef.php:148
auth · wp_ajax_wpchef_clean_token · wpchef.php:153
auth · wp_ajax_wpchef_autoupdate · wpchef.php:154
auth · wp_ajax_wpchef_refresh_recipes · wpchef.php:155
auth · wp_ajax_wpchef_recipe_install · wpchef.php:157
auth · wp_ajax_wpchef_inline_buy_child · wpchef.php:158

WordPress Hooks 26

action · admin_init · inc/editor.php:14
action · admin_notices · inc/editor.php:25
filter · wpchef_new_ingredient_theme · inc/editor.php:32
filter · wpchef_new_ingredient_plugin · inc/editor.php:33
filter · wpchef_new_ingredient_recipe · inc/editor.php:34
filter · wpchef_new_ingredient_action · inc/editor.php:35
filter · wpchef_new_ingredient_option · inc/editor.php:36
action · wpchef_add_ingredient_tabs · inc/editor.php:38
filter · wpchef_hidden_fields · inc/editor.php:42
action · wpchef_add_ingredient_tabs_content · inc/editor.php:882
filter · redirect_post_location · inc/ingredient.php:554
action · admin_init · inc/stats.php:8
action · wpchef_settings_bottom · inc/stats.php:13
action · init · wpchef.php:48
filter · cron_schedules · wpchef.php:113
action · wpchef_autoupdate_step · wpchef.php:114
action · wpchef_updates_cron · wpchef.php:115
filter · wpchef_the_recipe · wpchef.php:128
action · admin_init · wpchef.php:135
action · admin_menu · wpchef.php:136
action · admin_enqueue_scripts · wpchef.php:142
action · admin_print_scripts · wpchef.php:143
filter · wpchef_search_recipes · wpchef.php:156
action · admin_notices · wpchef.php:161
action · admin_print_footer_scripts · wpchef.php:241
filter · request_filesystem_credentials · wpchef.php:3464

Scheduled Events 3

wpchef_updates_cron
wpchef_updates_cron
wpchef_autoupdate_step
Maintenance & Trust

WPChef Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.9.29
Last updated: Apr 17, 2018
PHP min version
Downloads: 2K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 30
Alternatives

WPChef Alternatives

No alternatives data available yet.

Developer Profile

WPChef Developer Profile

WPChef

4 plugins · 2.0M total installs

Trust score: 71
Avg Security Score: 88/100
Avg Patch Time: 643 days
Detection Fingerprints

How We Detect WPChef

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/wpchef/css/admin.css
  • /wp-content/plugins/wpchef/css/bootstrap.min.css
  • /wp-content/plugins/wpchef/css/fontawesome.min.css
  • /wp-content/plugins/wpchef/css/owl.carousel.min.css
  • /wp-content/plugins/wpchef/css/owl.theme.min.css
  • /wp-content/plugins/wpchef/css/style.css
  • /wp-content/plugins/wpchef/js/admin.js
  • /wp-content/plugins/wpchef/js/bootstrap.min.js
  • +3 more

Script Paths

  • /wp-content/plugins/wpchef/js/admin.js
  • /wp-content/plugins/wpchef/js/bootstrap.min.js
  • /wp-content/plugins/wpchef/js/jquery.js
  • /wp-content/plugins/wpchef/js/owl.carousel.min.js
  • /wp-content/plugins/wpchef/js/script.js

Version Parameters

  • wpchef/css/admin.css?ver=
  • wpchef/css/bootstrap.min.css?ver=
  • wpchef/css/fontawesome.min.css?ver=
  • wpchef/css/owl.carousel.min.css?ver=
  • wpchef/css/owl.theme.min.css?ver=
  • wpchef/css/style.css?ver=
  • wpchef/js/admin.js?ver=
  • wpchef/js/bootstrap.min.js?ver=
  • wpchef/js/jquery.js?ver=
  • wpchef/js/owl.carousel.min.js?ver=
  • wpchef/js/script.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • wpchef-admin-wrap
  • wpchef-admin-sidebar
  • wpchef-admin-content
  • wpchef-recipe-item
  • wpchef-add-recipe-form
  • wpchef-settings-form

HTML Comments

  • <!-- wpchef -->
  • <!-- WPChef Settings -->
  • <!-- WPChef Recipes -->
  • <!-- Add New Recipe -->
  • +1 more

Data Attributes

  • data-wpchef-recipe-id
  • data-wpchef-action
  • data-wpchef-nonce

JS Globals

  • window.wpchef

REST Endpoints

  • /wp-json/wpchef/v1/recipes
  • /wp-json/wpchef/v1/settings

Shortcode Output

  • [wpchef_recipe]
  • [wpchef_installer]

FAQ

Frequently Asked Questions about WPChef