WPComplete Security & Risk Analysis

wordpress.org/plugins/wpcomplete

A WordPress plugin that helps your students keep track of their progress through your course.

1K active installs · v2.9.5.4 · PHP + WP 4.5.3+ · Updated Oct 14, 2025
Tags: complete, courses, mark, read, teaching
95
A · Safe
CVEs total: 4
Unpatched: 0
Last CVE: Oct 24, 2025
Safety Verdict

Is WPComplete Safe to Use in 2026?

Generally Safe

Score 95/100

WPComplete has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Oct 24, 2025 · Updated 5mo ago
Risk Assessment

The wpcomplete v2.9.5.4 plugin exhibits a mixed security posture. While it demonstrates strong practices in SQL query handling and avoids dangerous functions and file operations, several areas present significant concerns. The static analysis highlights 17 unprotected AJAX handlers, which represent a substantial attack surface that could be exploited without proper authentication. Additionally, the taint analysis indicates 6 flows with unsanitized paths, though thankfully none reached critical or high severity in this analysis. The plugin's vulnerability history is a notable weakness, with 4 known medium severity CVEs, primarily related to missing authorization and Cross-Site Scripting. The fact that the last vulnerability was so recent (2025-10-24) suggests a recurring pattern of security issues that, while currently patched, points to potential systemic weaknesses in input validation and authorization enforcement. Overall, the plugin has strengths in its code execution and data handling but requires attention to its exposed AJAX endpoints and the historical pattern of security flaws.

Key Concerns

  • 17 unprotected AJAX handlers
  • 6 flows with unsanitized paths
  • 4 medium severity CVEs in history
  • 57% output properly escaped
Vulnerabilities
4

WPComplete Security Vulnerabilities

CVEs by Year

2023: 1 CVE
2025: 3 CVEs

Severity Breakdown

Medium: 4 (4 total CVEs)

CVE-2025-49906 · medium · 5.3 · Missing Authorization

WPComplete <= 2.9.5.3 - Missing Authorization

Oct 24, 2025 · Patched in 2.9.5.4 (6d)

CVE-2025-58974 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WPComplete <= 2.9.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Sep 22, 2025 · Patched in 2.9.5.3 (5d)

CVE-2025-50046 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WPComplete <= 2.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jun 19, 2025 · Patched in 2.9.5.1 (9d)

CVE-2022-45825 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WPComplete <= 2.9.4 - Reflected Cross-Site Scripting

Jan 27, 2023 · Patched in 2.9.5 (361d)
Code Analysis
Analyzed Mar 16, 2026

WPComplete Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (13 prepared)
  • Unescaped Output: 181 (238 escaped)
  • Nonce Checks: 17
  • Capability Checks: 16
  • File Operations: 0
  • External Requests: 7
  • Bundled Libraries: 0

SQL Query Safety

100% prepared · 13 total queries

Output Escaping

57% escaped · 419 total outputs
Data Flows
6 unsanitized

Data Flow Analysis

13 flows · 6 with unsanitized paths
nopriv_mark_completed (public\class-wpcomplete-public.php:760)
Attack Surface
17 unprotected

WPComplete Attack Surface

Entry Points: 69
Unprotected: 17

AJAX Handlers 17

auth wp_ajax_wpc_post_lookup includes\class-wpcomplete.php:192
auth wp_ajax_wpc_delete_button includes\class-wpcomplete.php:200
auth wp_ajax_wpc_reset_button includes\class-wpcomplete.php:202
auth wp_ajax_mark_completed includes\class-wpcomplete.php:228
nopriv wp_ajax_mark_completed includes\class-wpcomplete.php:229
auth wp_ajax_mark_uncompleted includes\class-wpcomplete.php:231
nopriv wp_ajax_mark_uncompleted includes\class-wpcomplete.php:232
auth wp_ajax_get_button includes\class-wpcomplete.php:233
nopriv wp_ajax_get_button includes\class-wpcomplete.php:234
auth wp_ajax_get_graphs includes\class-wpcomplete.php:235
nopriv wp_ajax_get_graphs includes\class-wpcomplete.php:236
auth wp_ajax_get_content includes\class-wpcomplete.php:237
nopriv wp_ajax_get_content includes\class-wpcomplete.php:238
auth wp_ajax_get_completable_list includes\class-wpcomplete.php:286
nopriv wp_ajax_get_completable_list includes\class-wpcomplete.php:287
auth wp_ajax_reset includes\class-wpcomplete.php:296
nopriv wp_ajax_reset includes\class-wpcomplete.php:297

Shortcodes 52

[complete_button] includes\class-wpcomplete.php:241
[wpc_complete_button] includes\class-wpcomplete.php:242
[wpc_button] includes\class-wpcomplete.php:243
[wpcomplete_button] includes\class-wpcomplete.php:244
[progress_percentage] includes\class-wpcomplete.php:248
[progress_in_percentage] includes\class-wpcomplete.php:249
[progress_ratio] includes\class-wpcomplete.php:250
[progress_in_ratio] includes\class-wpcomplete.php:251
[progress_graph] includes\class-wpcomplete.php:252
[progress_bar] includes\class-wpcomplete.php:253
[wpc_progress_percentage] includes\class-wpcomplete.php:254
[wpc_progress_in_percentage] includes\class-wpcomplete.php:255
[wpc_progress_ratio] includes\class-wpcomplete.php:256
[wpc_progress_in_ratio] includes\class-wpcomplete.php:257
[wpc_progress_graph] includes\class-wpcomplete.php:258
[wpc_progress_bar] includes\class-wpcomplete.php:259
[wpcomplete_progress_percentage] includes\class-wpcomplete.php:260
[wpcomplete_progress_in_percentage] includes\class-wpcomplete.php:261
[wpcomplete_progress_ratio] includes\class-wpcomplete.php:262
[wpcomplete_progress_in_ratio] includes\class-wpcomplete.php:263
[wpcomplete_progress_graph] includes\class-wpcomplete.php:264
[wpcomplete_progress_bar] includes\class-wpcomplete.php:265
[wpc_completed_content] includes\class-wpcomplete.php:270
[wpc_incomplete_content] includes\class-wpcomplete.php:271
[wpcomplete_completed_content] includes\class-wpcomplete.php:272
[wpcomplete_incomplete_content] includes\class-wpcomplete.php:273
[wpc_if_completed] includes\class-wpcomplete.php:274
[wpc_if_incomplete] includes\class-wpcomplete.php:275
[wpc_if_button_completed] includes\class-wpcomplete.php:276
[wpc_if_button_incomplete] includes\class-wpcomplete.php:277
[wpc_if_post_completed] includes\class-wpcomplete.php:278
[wpc_if_post_incomplete] includes\class-wpcomplete.php:279
[wpc_if_page_completed] includes\class-wpcomplete.php:280
[wpc_if_page_incomplete] includes\class-wpcomplete.php:281
[wpc_if_course_completed] includes\class-wpcomplete.php:282
[wpc_if_course_incomplete] includes\class-wpcomplete.php:283
[wpc_peer_pressure] includes\class-wpcomplete.php:290
[wpc_reset] includes\class-wpcomplete.php:293
[wpc_list_completable] includes\class-wpcomplete.php:305
[wpc_list_pages] includes\class-wpcomplete.php:306
[wpc_next_to_complete] includes\class-wpcomplete.php:310
[wpc_has_next_to_complete] includes\class-wpcomplete.php:311
[wpc_has_no_next_to_complete] includes\class-wpcomplete.php:312
[wpc_last_completed] includes\class-wpcomplete.php:314
[wpc_has_last_completed] includes\class-wpcomplete.php:315
[wpc_has_no_last_completed] includes\class-wpcomplete.php:316
[wpc_next_page] includes\class-wpcomplete.php:318
[wpc_has_next_page] includes\class-wpcomplete.php:319
[wpc_has_no_next_page] includes\class-wpcomplete.php:320
[wpc_previous_page] includes\class-wpcomplete.php:322
[wpc_has_previous_page] includes\class-wpcomplete.php:323
[wpc_has_no_previous_page] includes\class-wpcomplete.php:324

WordPress Hooks 65

action plugins_loaded includes\class-wpcomplete.php:142
action admin_enqueue_scripts includes\class-wpcomplete.php:157
action admin_enqueue_scripts includes\class-wpcomplete.php:158
action admin_menu includes\class-wpcomplete.php:160
action admin_init includes\class-wpcomplete.php:161
action add_meta_boxes includes\class-wpcomplete.php:162
action save_post includes\class-wpcomplete.php:163
action admin_footer-edit.php includes\class-wpcomplete.php:165
action load-edit.php includes\class-wpcomplete.php:166
action admin_notices includes\class-wpcomplete.php:167
action manage_pages_columns includes\class-wpcomplete.php:169
action manage_posts_columns includes\class-wpcomplete.php:170
action manage_pages_custom_column includes\class-wpcomplete.php:171
action manage_posts_custom_column includes\class-wpcomplete.php:172
action quick_edit_custom_box includes\class-wpcomplete.php:173
action manage_users_columns includes\class-wpcomplete.php:175
action manage_users_custom_column includes\class-wpcomplete.php:176
action admin_post_delete_user_data includes\class-wpcomplete.php:177
action admin_post_user_completion includes\class-wpcomplete.php:178
action admin_menu includes\class-wpcomplete.php:183
action admin_menu includes\class-wpcomplete.php:184
action admin_menu includes\class-wpcomplete.php:185
action admin_menu includes\class-wpcomplete.php:186
action wp_dashboard_setup includes\class-wpcomplete.php:189
action admin_init includes\class-wpcomplete.php:195
action admin_init includes\class-wpcomplete.php:196
action admin_init includes\class-wpcomplete.php:197
filter manage_knowledgebase_posts_columns includes\class-wpcomplete.php:205
action wp_enqueue_scripts includes\class-wpcomplete.php:220
action wp_enqueue_scripts includes\class-wpcomplete.php:221
filter script_loader_tag includes\class-wpcomplete.php:222
filter the_content includes\class-wpcomplete.php:224
action admin_post_mark_completed includes\class-wpcomplete.php:227
action admin_post_mark_uncompleted includes\class-wpcomplete.php:230
filter widget_text includes\class-wpcomplete.php:267
action admin_post_reset includes\class-wpcomplete.php:294
action admin_post_nopriv_reset includes\class-wpcomplete.php:295
filter wpcomplete_button_is_completed includes\class-wpcomplete.php:300
filter wpcomplete_page_is_completed includes\class-wpcomplete.php:301
filter wpcomplete_course_is_completed includes\class-wpcomplete.php:302
filter wpcomplete_list_pages includes\class-wpcomplete.php:308
action wp_head includes\class-wpcomplete.php:326
filter plugins_api includes\plugin-update-checker-3.1.php:101
filter site_transient_update_plugins includes\plugin-update-checker-3.1.php:104
filter transient_update_plugins includes\plugin-update-checker-3.1.php:105
filter site_transient_update_plugins includes\plugin-update-checker-3.1.php:106
filter plugin_row_meta includes\plugin-update-checker-3.1.php:108
action admin_init includes\plugin-update-checker-3.1.php:109
action all_admin_notices includes\plugin-update-checker-3.1.php:110
filter upgrader_post_install includes\plugin-update-checker-3.1.php:113
action delete_site_transient_update_plugins includes\plugin-update-checker-3.1.php:114
action delete_site_transient_update_plugins includes\plugin-update-checker-3.1.php:118
action plugins_loaded includes\plugin-update-checker-3.1.php:123
filter upgrader_source_selection includes\plugin-update-checker-3.1.php:127
filter http_request_host_is_external includes\plugin-update-checker-3.1.php:134
filter cron_schedules includes\plugin-update-checker-3.1.php:1269
action admin_init includes\plugin-update-checker-3.1.php:1281
action load-update-core.php includes\plugin-update-checker-3.1.php:1285
action load-plugins.php includes\plugin-update-checker-3.1.php:1286
action load-update.php includes\plugin-update-checker-3.1.php:1287
action upgrader_process_complete includes\plugin-update-checker-3.1.php:1289
filter upgrader_pre_install includes\plugin-update-checker-3.1.php:1415
filter upgrader_package_options includes\plugin-update-checker-3.1.php:1416
filter upgrader_post_install includes\plugin-update-checker-3.1.php:1417
action upgrader_process_complete includes\plugin-update-checker-3.1.php:1418
Maintenance & Trust

WPComplete Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Oct 14, 2025
PHP min version
Downloads: 24K

Community Trust

Rating: 82/100
Number of ratings: 43
Active installs: 1K
Developer Profile

WPComplete Developer Profile

StellarWP

26 plugins · 3.1M total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 455 days
Detection Fingerprints

How We Detect WPComplete

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wpcomplete/css/wpcomplete-admin.css
/wp-content/plugins/wpcomplete/js/wpcomplete-admin.js
Script Paths
/wp-content/plugins/wpcomplete/js/wpcomplete-admin.js
Version Parameters
wpcomplete/css/wpcomplete-admin.css?ver=
wpcomplete/js/wpcomplete-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpcomplete-course-statistics
HTML Comments
<!-- WPComplete Course Statistics -->
Data Attributes
data-wpcomplete-id
JS Globals
WPCOMPLETE_PRODUCT_NAME