WP Command and Control Plugin Security & Risk Analysis

wordpress.org/plugins/wpcommand

WP Command and Control allows you to manage multiple WordPress installs from a single dashboard.

20 active installs · v2.3.6 · PHP + WP 5.0+ · Updated Aug 1, 2025
Tags: multiple-wordpress, remote-administration, wpcommand, wpcontrol

Security score: 100 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never

Is WP Command and Control Plugin Safe to Use in 2026?

Generally Safe

Score 100/100

WP Command and Control Plugin has no known CVEs and was last updated on Aug 1, 2025, about eight months before this analysis. The score and verdict rest on that clean vulnerability history; read them alongside the Risk Assessment below, which flags an unauthenticated AJAX entry point, nine shell_exec calls and only partial output escaping from static analysis. It is a reasonable choice for most WordPress installations provided those findings are reviewed first.

No known CVEs · Updated 8mo ago
Risk Assessment

The "wpcommand" v2.3.6 plugin presents a mixed security posture. On the positive side, all eight SQL queries use prepared statements, the plugin has a clean vulnerability history with zero recorded CVEs, and it implements a reasonable number of nonce checks (6) and capability checks (8), indicating some awareness of WordPress security mechanisms.

The static analysis does raise concerns. One AJAX handler, wp_ajax_wpcac_calculate_backup_size at wpcac.backups.php:571, is registered for unauthenticated (nopriv) requests and has no authentication check, which makes it a direct entry point reachable through admin-ajax.php without logging in; what it does with request input is not shown in this report and should be checked in that file before the plugin is deployed. Two taint flows with unsanitized paths were identified, neither rated critical or high. The one listed, ___addArchiveItem in library\utility\zip\AdminPageFramework_Zip.php:83, sits in the zip utility of the bundled Admin Page Framework rather than in the plugin's own code.

The plugin calls the dangerous `shell_exec` function nine times, all in wpcac.hm.backup.php. Three of the calls run fixed strings to probe for backupwordpress, mysqldump and zip (lines 175, 484 and 559), and five wrap their dynamic parts in escapeshellarg() or escapeshellcmd() (lines 832, 836, 840, 859 and 1019). The remaining call, `shell_exec( $cmd )` at line 709, executes a pre-built string, so whether request-controlled data can reach $cmd is the question to answer first. Note also that escapeshellcmd() only neutralises shell metacharacters and still lets an attacker-supplied value append extra arguments, so the origin of the escaped values matters as well. If the unprotected AJAX entry point or an unsanitized flow can reach any of these calls, the outcome is command injection as the web server user.

Output escaping is only moderately effective: 71 of 132 outputs (54%) are escaped. The report does not say where the 61 unescaped outputs sit. Output in the bundled framework's admin pages is reachable only by logged-in users, output on the front end by anyone, so locating them is the first step in judging the cross-site scripting (XSS) risk from user-supplied data that is echoed without escaping.

Key Concerns

  • Unprotected AJAX handler: wp_ajax_wpcac_calculate_backup_size, registered nopriv (wpcac.backups.php:571)
  • Two taint flows with unsanitized paths (neither rated critical or high)
  • Dangerous function: shell_exec called nine times in wpcac.hm.backup.php, once with a pre-built $cmd string (line 709)
  • Output escaping is only 54% proper (71 of 132 outputs)

WP Command and Control Plugin Security Vulnerabilities

No known vulnerabilities. This is a good sign, but it reflects public CVE records only; the static-analysis findings in this report have no CVE attached and are not counted here.
Code Analysis (analyzed Mar 16, 2026)

WP Command and Control Plugin Code Analysis

Dangerous Functions: 9
Raw SQL Queries: 0 (8 prepared)
Unescaped Output: 61 (71 escaped)
Nonce Checks: 6
Capability Checks: 8
File Operations: 40
External Requests: 7
Bundled Libraries: 0 (the hook list below nevertheless shows a copy of Admin Page Framework under library\)

Dangerous Functions Found

All nine hits are shell_exec in wpcac.hm.backup.php:

  • shell_exec at wpcac.hm.backup.php:175: if ( ! @shell_exec( 'echo backupwordpress' ) )
  • shell_exec at wpcac.hm.backup.php:484: if ( is_null( shell_exec( 'hash mysqldump 2>&1' ) ) ) {
  • shell_exec at wpcac.hm.backup.php:559: if ( is_null( shell_exec( 'hash zip 2>&1' ) ) ) {
  • shell_exec at wpcac.hm.backup.php:709: $stderr = shell_exec( $cmd );
  • shell_exec at wpcac.hm.backup.php:832: $stderr = shell_exec( 'cd ' . escapeshellarg( $this->get_root() ) . ' && ' . escapeshellcmd( $this->
  • shell_exec at wpcac.hm.backup.php:836: $stderr = shell_exec( 'cd ' . escapeshellarg( $this->get_root() ) . ' && ' . escapeshellcmd( $this->
  • shell_exec at wpcac.hm.backup.php:840: $stderr = shell_exec( 'cd ' . escapeshellarg( $this->get_path() ) . ' && ' . escapeshellcmd( $this->
  • shell_exec at wpcac.hm.backup.php:859: $stderr = shell_exec( 'cd ' . escapeshellarg( $this->get_path() ) . ' && ' . escapeshellcmd( $this->
  • shell_exec at wpcac.hm.backup.php:1019: $verify = shell_exec( escapeshellcmd( $this->get_zip_command_path() ) . ' -T ' . escapeshellarg( $th
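How to tell these nine hits apart in practice: an added Python triage script (not the plugin's code and not the scanner's), run here over a constructed PHP sample modelled on the snippets above. The method names get_mysqldump_command_path and get_archive_filepath and the variables $archive and $dir are made up for the sample; the fixed-string probes and the shell_exec( $cmd ) call mirror the lines listed. The script classes each sink call as CONSTANT, ESCAPED or RAW by checking whether every $variable in the argument sits inside escapeshellarg() or escapeshellcmd() at the call site, and it goes a step beyond the listed lines by also catching variables interpolated into double-quoted strings.

```python
"""Triage shell_exec()-style call sites by how their argument is built.

Added example, not the plugin's or the scanner's code. Each call is classed
CONSTANT (no variables reach the shell), ESCAPED (every variable is wrapped in
escapeshellarg()/escapeshellcmd() at the call site) or RAW (a variable reaches
the shell with no call-site escaping). RAW calls need the variable traced back
to its origin; ESCAPED calls are not automatically safe either, because
escapeshellcmd() neutralises metacharacters but still lets an attacker-supplied
value append extra arguments.
"""
import re
from dataclasses import dataclass, field

SINKS = ("shell_exec", "exec", "system", "passthru", "popen", "proc_open")
ESCAPERS = ("escapeshellarg", "escapeshellcmd")

_SINK_CALL = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\(")
# Tokens inside an argument: $variable | func( | ( | ) | 'string' or "string"
_TOKEN = re.compile(
    r'''(\$[A-Za-z_]\w*)|([A-Za-z_]\w*)\s*\(|(\()|(\))|('(?:\\.|[^'])*'|"(?:\\.|[^"])*")'''
)
_INTERPOLATED = re.compile(r"\$[A-Za-z_]\w*")


@dataclass
class CallSite:
    line_no: int
    sink: str
    argument: str
    variables: list = field(default_factory=list)  # [(name, escaper or None), ...]

    @property
    def verdict(self) -> str:
        if not self.variables:
            return "CONSTANT"
        if all(esc for _, esc in self.variables):
            return "ESCAPED"
        return "RAW"


def _argument_text(src: str, open_paren: int) -> str:
    """Text between src[open_paren] and its matching ')', skipping quoted strings."""
    depth, i, quote = 0, open_paren, None
    while i < len(src):
        ch = src[i]
        if quote:
            if ch == "\\":
                i += 1          # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return src[open_paren + 1:i]
        i += 1
    raise ValueError("unbalanced parentheses in call")


def _variables(argument: str) -> list:
    """Every $variable in the argument, paired with the innermost escaper around it."""
    stack, found = [], []
    for m in _TOKEN.finditer(argument):
        var, func, lparen, rparen, string = m.groups()
        escaper = next((f for f in reversed(stack) if f in ESCAPERS), None)
        if var:
            found.append((var, escaper))
        elif func:
            stack.append(func)          # func( opens a call frame
        elif lparen:
            stack.append("")            # bare grouping parenthesis
        elif rparen:
            if stack:
                stack.pop()
        elif string.startswith('"'):    # PHP interpolates $vars into double quotes
            found.extend((v, escaper) for v in _INTERPOLATED.findall(string))
    return found


def find_call_sites(php_source: str) -> list:
    """Locate every sink call in the source and classify its argument."""
    sites = []
    for m in _SINK_CALL.finditer(php_source):
        argument = _argument_text(php_source, m.end() - 1)
        line_no = php_source.count("\n", 0, m.start()) + 1
        sites.append(CallSite(line_no, m.group(1), " ".join(argument.split()),
                              _variables(argument)))
    return sites


# Constructed sample modelled on the listed lines; get_mysqldump_command_path,
# get_archive_filepath, $archive and $dir are invented names.
PHP_SAMPLE = r"""<?php
if ( ! @shell_exec( 'echo backupwordpress' ) ) { return false; }
if ( is_null( shell_exec( 'hash mysqldump 2>&1' ) ) ) { return false; }
$stderr = shell_exec( $cmd );
$stderr = shell_exec( 'cd ' . escapeshellarg( $this->get_root() ) . ' && ' . escapeshellcmd( $this->get_mysqldump_command_path() ) . ' --user=' . escapeshellarg( DB_USER ) );
$verify = shell_exec( escapeshellcmd( $this->get_zip_command_path() ) . ' -T ' . escapeshellarg( $this->get_archive_filepath() ) );
$out = shell_exec( "tar czf $archive " . escapeshellarg( $dir ) );
"""

if __name__ == "__main__":
    for site in find_call_sites(PHP_SAMPLE):
        print(f"line {site.line_no}: {site.verdict:8} {site.sink}( {site.argument} )")
```

Only the RAW lines need a data-flow trace; for the ESCAPED ones the remaining question is whether the values handed to escapeshellcmd() can be influenced by a request at all.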

SQL Query Safety

100% prepared (8 of 8 queries)

Output Escaping

54% escaped (71 of 132 outputs; 61 unescaped)

Data Flow Analysis

2 flows, 2 with unsanitized paths (one is listed):

  • ___addArchiveItem (library\utility\zip\AdminPageFramework_Zip.php:83)

WP Command and Control Plugin Attack Surface

Entry Points: 1
Unprotected: 1

AJAX Handlers: 1

  • nopriv · wp_ajax_wpcac_calculate_backup_size · wpcac.backups.php:571

The nopriv flag means the callback is registered on the wp_ajax_nopriv_ variant of the hook, so WordPress runs it for requests to admin-ajax.php from visitors who are not logged in, and the report finds no nonce or capability check inside it. The action name implied by the hook is wpcac_calculate_backup_size.
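A way to reproduce the "unprotected" finding on plugin source, as an added Python example (not the scanner's code and not the plugin's): it pairs each wp_ajax_ / wp_ajax_nopriv_ registration with its callback body and reports whether that body verifies a nonce and checks a capability. The PHP sample is constructed: the nopriv hook name is the one flagged above, but the callback names, their bodies and the $_POST['schedule_id'] read are invented, as are the two comparison handlers.

```python
"""Audit admin-ajax handler registrations for missing authentication checks.

Added example, not the plugin's or the scanner's code. It finds
add_action('wp_ajax_...'/'wp_ajax_nopriv_...', callback) registrations,
locates the callback body and reports whether it verifies a nonce and checks
a capability. A nopriv registration with no nonce check is reachable by anyone
who can reach admin-ajax.php, which is how an 'unprotected' finding reads.
"""
import re
from dataclasses import dataclass

NONCE_CHECKS = ("check_ajax_referer", "wp_verify_nonce", "check_admin_referer")
CAP_CHECKS = ("current_user_can", "is_user_logged_in", "is_super_admin")
REQUEST_INPUT = re.compile(r"\$_(?:POST|GET|REQUEST)\b")

# Matches string callbacks and array( $this, 'method' ) callbacks.
_REGISTRATION = re.compile(
    r"add_action\(\s*['\"]wp_ajax_(nopriv_)?([\w-]+)['\"]\s*,\s*"
    r"(?:['\"](\w+)['\"]|array\(\s*\$this\s*,\s*['\"](\w+)['\"]\s*\))"
)


@dataclass
class AjaxHandler:
    action: str
    callback: str
    nopriv: bool
    has_nonce_check: bool
    has_capability_check: bool
    reads_request_input: bool

    @property
    def verdict(self) -> str:
        if self.nopriv:
            # For an anonymous caller a nonce is only a CSRF token, never authentication.
            return "PUBLIC" if self.has_nonce_check else "UNPROTECTED"
        if self.has_nonce_check and self.has_capability_check:
            return "OK"
        return "WEAK"   # logged-in only, but CSRF-able or callable by any role


def _function_body(src: str, name: str):
    """Brace-delimited body of `function name(...)`, or None if not found.
    Braces inside string literals are not special-cased; adequate for triage."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", src)
    if not m:
        return None
    start = src.find("{", m.end())
    depth = 0
    for i in range(start, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[start:i + 1]
    return None


def audit_ajax_handlers(src: str) -> list:
    """Return one AjaxHandler per registration, in source order."""
    handlers = []
    for m in _REGISTRATION.finditer(src):
        nopriv, action, fn, method = m.groups()
        callback = fn or method
        body = _function_body(src, callback) or ""
        handlers.append(AjaxHandler(
            action=action, callback=callback, nopriv=bool(nopriv),
            has_nonce_check=any(c in body for c in NONCE_CHECKS),
            has_capability_check=any(c in body for c in CAP_CHECKS),
            reads_request_input=bool(REQUEST_INPUT.search(body)),
        ))
    return handlers


# Constructed sample: only the nopriv hook name comes from the report.
PHP_SAMPLE = r"""<?php
// Modeled on the nopriv registration the scanner flagged; the body is invented.
add_action( 'wp_ajax_nopriv_wpcac_calculate_backup_size', 'wpcac_ajax_calculate_backup_size' );
function wpcac_ajax_calculate_backup_size() {
    $schedule = new WPCAC_Schedule( $_POST['schedule_id'] );
    echo $schedule->get_estimated_size();
    die;
}

// Hardened shape: nonce check plus capability check before any work.
add_action( 'wp_ajax_wpcac_delete_backup', 'wpcac_ajax_delete_backup' );
function wpcac_ajax_delete_backup() {
    check_ajax_referer( 'wpcac_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success();
}

// Logged-in only with a nonce but no capability check: any subscriber can call it.
add_action( 'wp_ajax_wpcac_ping', 'wpcac_ajax_ping' );
function wpcac_ajax_ping() {
    check_ajax_referer( 'wpcac_nonce', 'nonce' );
    wp_send_json_success( 'pong' );
}
"""

if __name__ == "__main__":
    for h in audit_ajax_handlers(PHP_SAMPLE):
        print(f"{h.verdict:12} {h.action} -> {h.callback}() "
              f"nopriv={h.nopriv} nonce={h.has_nonce_check} cap={h.has_capability_check}")
```

The hardened handler is the shape to look for in wpcac.backups.php: a nonce check, then a capability check, and only then any work on request input. A handler that genuinely must serve anonymous callers needs a different control, such as a per-site shared secret, rather than a nonce.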
WordPress Hooks: 92

Most of these hooks belong to the bundled Admin Page Framework under library\; only the last ten are in the plugin's own files. Two are worth a closer look: the nonce_life filter (AdminPageFramework_WPUtility.php:14), because that filter changes nonce lifetime site-wide, and the request_filesystem_credentials filter (plugin.php:476), which sits in the path WordPress uses to obtain filesystem credentials for writes.

action  wp_loaded  library\factory\admin_page\AdminPageFramework_Router.php:20
filter  admin_title  library\factory\admin_page\AdminPageFramework_Router.php:75
action  admin_head  library\factory\admin_page\_controller\AdminPageFramework_HelpPane_admin_page.php:17
filter  plugin_row_meta  library\factory\admin_page\_controller\AdminPageFramework_Link_admin_page.php:25
filter  wp_mail_content_type  library\factory\admin_page\_model\AdminPageFramework_FormEmail.php:30
filter  wp_mail_from  library\factory\admin_page\_model\AdminPageFramework_FormEmail.php:33
filter  wp_mail_from_name  library\factory\admin_page\_model\AdminPageFramework_FormEmail.php:36
action  current_screen  library\factory\admin_page\_model\delegate\AdminPageFramework_Model_Menu__RegisterMenu.php:119
filter  update_footer  library\factory\admin_page\_view\AdminPageFramework_PageLoadInfo_admin_page.php:24
action  admin_head  library\factory\admin_page\_view\AdminPageFramework_View__PageMetaboxEnabler.php:14
filter  wp_insert_attachment_data  library\factory\meta_box\AdminPageFramework_MetaBox_Model.php:23
filter  wp_insert_post_data  library\factory\meta_box\AdminPageFramework_MetaBox_Model.php:25
filter  redirect_post_location  library\factory\meta_box\AdminPageFramework_MetaBox_Model.php:66
action  in_admin_footer  library\factory\network_admin_page\_view\AdminPageFramework_PageLoadInfo_network_admin_page.php:15
filter  update_footer  library\factory\network_admin_page\_view\AdminPageFramework_PageLoadInfo_network_admin_page.php:34
action  init  library\factory\post_type\AdminPageFramework_PostType_Controller.php:59
action  admin_enqueue_scripts  library\factory\post_type\AdminPageFramework_PostType_Model.php:26
action  admin_menu  library\factory\post_type\AdminPageFramework_PostType_View.php:15
action  the_content  library\factory\post_type\AdminPageFramework_PostType_View.php:17
action  restrict_manage_posts  library\factory\post_type\AdminPageFramework_PostType_View.php:21
action  restrict_manage_posts  library\factory\post_type\AdminPageFramework_PostType_View.php:22
filter  parse_query  library\factory\post_type\AdminPageFramework_PostType_View.php:23
filter  post_row_actions  library\factory\post_type\AdminPageFramework_PostType_View.php:24
action  admin_head  library\factory\post_type\AdminPageFramework_PostType_View.php:25
action  get_edit_post_link  library\factory\post_type\_controller\AdminPageFramework_Link_post_type.php:14
action  registered_post_type  library\factory\post_type\_model\AdminPageFramework_PostType_Model__FlushRewriteRules.php:18
action  shutdown  library\factory\post_type\_model\AdminPageFramework_PostType_Model__FlushRewriteRules.php:40
action  admin_menu  library\factory\post_type\_model\AdminPageFramework_PostType_Model__SubMenuOrder.php:17
action  admin_menu  library\factory\post_type\_model\AdminPageFramework_PostType_Model__SubMenuOrder.php:18
filter  update_footer  library\factory\post_type\_view\AdminPageFramework_PageLoadInfo_post_type.php:27
action  show_user_profile  library\factory\user_meta\AdminPageFramework_UserMeta_Router.php:38
action  edit_user_profile  library\factory\user_meta\AdminPageFramework_UserMeta_Router.php:39
action  user_new_form  library\factory\user_meta\AdminPageFramework_UserMeta_Router.php:40
action  personal_options_update  library\factory\user_meta\AdminPageFramework_UserMeta_Router.php:41
action  edit_user_profile_update  library\factory\user_meta\AdminPageFramework_UserMeta_Router.php:42
action  user_register  library\factory\user_meta\AdminPageFramework_UserMeta_Router.php:43
action  shutdown  library\factory\_common\form\error\AdminPageFramework_Form___FieldError.php:32
action  shutdown  library\factory\_common\form\error\AdminPageFramework_Form___FieldError.php:54
filter  upload_mimes  library\factory\_common\form\field_type\image\AdminPageFramework_FieldType_image.php:17
filter  media_upload_tabs  library\factory\_common\form\field_type\_common\_abstract\AdminPageFramework_FieldType_Base.php:101
filter  gettext  library\factory\_common\form\field_type\_common\_abstract\AdminPageFramework_FieldType_Base.php:111
action  shutdown  library\factory\_common\form\notice\AdminPageFramework_Form___SubmitNotice.php:36
action  shutdown  library\factory\_common\form\_model\AdminPageFramework_Form_Model___LastInput.php:29
action  shutdown  library\factory\_common\form\_model\AdminPageFramework_Form_Model___LastInput.php:57
action  wp_enqueue_scripts  library\factory\_common\form\_view\resource\AdminPageFramework_Form_View__Resource.php:28
action  wp_enqueue_scripts  library\factory\_common\form\_view\resource\AdminPageFramework_Form_View__Resource.php:29
action  wp_footer  library\factory\_common\form\_view\resource\AdminPageFramework_Form_View__Resource.php:31
action  wp_footer  library\factory\_common\form\_view\resource\AdminPageFramework_Form_View__Resource.php:32
action  wp_print_footer_scripts  library\factory\_common\form\_view\resource\AdminPageFramework_Form_View__Resource.php:33
action  wp_print_footer_scripts  library\factory\_common\form\_view\resource\AdminPageFramework_Form_View__Resource.php:34
action  admin_enqueue_scripts  library\factory\_common\form\_view\resource\AdminPageFramework_Form_View__Resource.php:39
action  admin_enqueue_scripts  library\factory\_common\form\_view\resource\AdminPageFramework_Form_View__Resource.php:40
action  customize_controls_print_footer_scripts  library\factory\_common\form\_view\resource\AdminPageFramework_Form_View__Resource.php:42
action  customize_controls_print_footer_scripts  library\factory\_common\form\_view\resource\AdminPageFramework_Form_View__Resource.php:43
action  admin_footer  library\factory\_common\form\_view\resource\AdminPageFramework_Form_View__Resource.php:44
action  admin_footer  library\factory\_common\form\_view\resource\AdminPageFramework_Form_View__Resource.php:45
action  admin_print_footer_scripts  library\factory\_common\form\_view\resource\AdminPageFramework_Form_View__Resource.php:46
action  admin_print_footer_scripts  library\factory\_common\form\_view\resource\AdminPageFramework_Form_View__Resource.php:47
filter  nonce_life  library\factory\_common\utility\wp_utility\AdminPageFramework_WPUtility.php:14
action  admin_head  library\factory\_common\_abstract\_controller\AdminPageFramework_HelpPane_Base.php:15
action  in_admin_footer  library\factory\_common\_abstract\_controller\AdminPageFramework_Link_Base.php:19
filter  admin_footer_text  library\factory\_common\_abstract\_controller\AdminPageFramework_Link_Base.php:76
filter  update_footer  library\factory\_common\_abstract\_controller\AdminPageFramework_Link_Base.php:77
action  admin_enqueue_scripts  library\factory\_common\_abstract\_controller\AdminPageFramework_Resource_Base.php:30
action  admin_enqueue_scripts  library\factory\_common\_abstract\_controller\AdminPageFramework_Resource_Base.php:31
action  admin_enqueue_scripts  library\factory\_common\_abstract\_controller\AdminPageFramework_Resource_Base.php:32
action  customize_controls_print_footer_scripts  library\factory\_common\_abstract\_controller\AdminPageFramework_Resource_Base.php:35
action  customize_controls_print_footer_scripts  library\factory\_common\_abstract\_controller\AdminPageFramework_Resource_Base.php:36
action  admin_footer  library\factory\_common\_abstract\_controller\AdminPageFramework_Resource_Base.php:37
action  admin_footer  library\factory\_common\_abstract\_controller\AdminPageFramework_Resource_Base.php:38
action  admin_print_footer_scripts  library\factory\_common\_abstract\_controller\AdminPageFramework_Resource_Base.php:39
action  admin_print_footer_scripts  library\factory\_common\_abstract\_controller\AdminPageFramework_Resource_Base.php:40
filter  script_loader_src  library\factory\_common\_abstract\_controller\AdminPageFramework_Resource_Base.php:41
filter  style_loader_src  library\factory\_common\_abstract\_controller\AdminPageFramework_Resource_Base.php:42
filter  clean_url  library\factory\_common\_abstract\_controller\AdminPageFramework_Resource_Base.php:52
action  wp_enqueue_scripts  library\factory\_common\_abstract\_view\AdminPageFramework_Factory___Script_Base.php:21
action  in_admin_footer  library\factory\_common\_abstract\_view\AdminPageFramework_PageLoadInfo_Base.php:21
action  init  library\utility\plugin_bootstrap\AdminPageFramework_PluginBootstrap.php:39
action  admin_enqueue_scripts  library\utility\pointer_tool_tip\AdminPageFramework_PointerToolTip.php:36
action  admin_print_footer_scripts  library\utility\pointer_tool_tip\AdminPageFramework_PointerToolTip.php:110
action  admin_notices  library\utility\requirement\AdminPageFramework_Requirement.php:88
action  admin_notices  library\utility\requirement\AdminPageFramework_Requirement.php:109
action  init  plugin.php:318
action  admin_init  plugin.php:332
filter  request_filesystem_credentials  plugin.php:476
action  admin_menu  wpcac.admin.php:13
action  admin_notices  wpcac.admin.php:98
action  admin_notices  wpcac.admin.php:115
action  admin_notices  wpcac.compatability.php:62
action  init  wpcac.compatability.php:81
filter  pre_set_site_transient_update_plugins  wpcac.plugins.php:271
filter  pre_set_site_transient_update_themes  wpcac.themes.php:151

WP Command and Control Plugin Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Aug 1, 2025
PHP min version: not stated
Downloads: 13K

Community Trust

Rating: 0/100 (no ratings submitted, so this is absence of data rather than a poor rating)
Number of ratings: 0
Active installs: 20

WP Command and Control Plugin Developer Profile

supersoju

2 plugins · 620 total installs
Trust score: 74
Avg Security Score: 93/100
Avg Patch Time: 259 days

How We Detect WP Command and Control Plugin

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wpcommand/css/bootstrap.css
  • /wp-content/plugins/wpcommand/images/spinner.gif

HTML / DOM Fingerprints

CSS Classes
  • wpcac-results, wpcac-malware-messages, wpcac-malware, wpcac-backups, wpcac-pingtime, wpcac-sucuri, wpcac-service-messages
Data Attributes (element ids)
  • id="wpcac-service-messages", id="wpcac-malware-messages", id="wpcac-malware", id="wpcac-backups", id="wpcac-pingtime", id="wpcac-sucuri", +1 more
REST Endpoints
  • /client/api/json
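The fingerprints above turned into an offline detector, as an added Python example (not the site's own crawler). The HTML it runs on is constructed; the ?ver= version extraction assumes the plugin enqueues its assets with its own version string, which WordPress then appends as a query parameter, and that is an assumption rather than something this report states.

```python
"""Detect the wpcommand plugin in a page's HTML using this report's fingerprints.

Added example, not the scanner's detector. Asset paths, element ids and class
names are the ones listed under Detection Fingerprints. A plugin-directory asset
is treated as strong evidence on its own; DOM markers could be copied markup,
so two of them are required before the page is called a match.
"""
import re
from urllib.parse import urlparse, parse_qs

PLUGIN_DIR = "/wp-content/plugins/wpcommand/"
ASSET_PATHS = (
    PLUGIN_DIR + "css/bootstrap.css",
    PLUGIN_DIR + "images/spinner.gif",
)
DOM_IDS = ("wpcac-service-messages", "wpcac-malware-messages", "wpcac-malware",
           "wpcac-backups", "wpcac-pingtime", "wpcac-sucuri")
CSS_CLASSES = ("wpcac-results", "wpcac-malware-messages", "wpcac-malware",
               "wpcac-backups", "wpcac-pingtime", "wpcac-sucuri",
               "wpcac-service-messages")

_URL_ATTR = re.compile(r"""(?:href|src)\s*=\s*["']([^"']+)["']""", re.I)
_ID_ATTR = re.compile(r"""\bid\s*=\s*["']([^"']+)["']""", re.I)
_CLASS_ATTR = re.compile(r"""\bclass\s*=\s*["']([^"']+)["']""", re.I)


def fingerprint(html: str) -> dict:
    """Return {'detected', 'evidence', 'version'} for one HTML document."""
    evidence, versions = [], set()
    for url in _URL_ATTR.findall(html):
        parsed = urlparse(url)                      # works for absolute and relative URLs
        if parsed.path in ASSET_PATHS:
            evidence.append(("asset", parsed.path))
        elif parsed.path.startswith(PLUGIN_DIR):
            evidence.append(("asset-dir", parsed.path))
        else:
            continue
        # Assumption: ?ver= carries the plugin version (WordPress appends it when
        # the plugin enqueues assets with its own version string).
        versions.update(parse_qs(parsed.query).get("ver", []))
    for elem_id in _ID_ATTR.findall(html):
        if elem_id in DOM_IDS:
            evidence.append(("id", elem_id))
    for classes in _CLASS_ATTR.findall(html):
        for cls in classes.split():
            if cls in CSS_CLASSES:
                evidence.append(("class", cls))
    asset_hits = sum(1 for kind, _ in evidence if kind.startswith("asset"))
    dom_hits = len(evidence) - asset_hits
    return {
        "detected": asset_hits >= 1 or dom_hits >= 2,
        "evidence": evidence,
        "version": sorted(versions)[0] if versions else None,
    }


# Constructed page fragment; example.test is a placeholder host.
SAMPLE_HTML = """<!doctype html><html><head>
<link rel='stylesheet' href='https://example.test/wp-content/plugins/wpcommand/css/bootstrap.css?ver=2.3.6' />
</head><body>
<div id="wpcac-service-messages" class="wpcac-results"></div>
<img src="/wp-content/plugins/wpcommand/images/spinner.gif" alt="">
</body></html>"""

if __name__ == "__main__":
    print(fingerprint(SAMPLE_HTML))
```

On a real crawl, fetch the page yourself and pass the body to fingerprint(); the evidence list tells you which markers fired, so a hit on a single copied CSS class does not get mistaken for an install.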

Frequently Asked Questions about WP Command and Control Plugin