WPFront User Role Editor Security & Risk Analysis

wordpress.org/plugins/wpfront-user-role-editor

Easily allows you to manage WordPress user roles. You can create, edit, delete and manage capabilities, and copy existing roles.

30K active installs · v4.2.4 · PHP 7.0+ · WP 5.1+ · Updated Dec 2, 2025

Tags: capability-manager, role-editor, security, user-access, user-permissions

Security score: 94 · A · Safe
CVEs total: 5
Unpatched: 0
Last CVE: Sep 26, 2025
Safety Verdict

Is WPFront User Role Editor Safe to Use in 2026?

Generally Safe

Score 94/100

WPFront User Role Editor has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

5 known CVEs · Last CVE: Sep 26, 2025 · Updated 5mo ago
Risk Assessment

The 'wpfront-user-role-editor' plugin v4.2.4 exhibits a generally strong security posture, with a low attack surface and good adherence to security best practices in its static analysis. The absence of unprotected entry points, a high percentage of SQL queries using prepared statements, proper output escaping, and robust nonce and capability checks are significant strengths. The taint analysis revealing no high-severity issues is also encouraging. However, the plugin's history of five known CVEs, including one high-severity vulnerability, all of which are now patched, suggests a pattern of past security weaknesses that warrants attention. The common types of past vulnerabilities (CSRF, information exposure, XSS) indicate areas that have historically been exploited, implying a need for ongoing vigilance and thorough testing of future updates. While the current version appears to have addressed past issues, the historical context calls for a cautious approach.

Key Concerns

  • Past high-severity vulnerability
  • Past medium-severity vulnerabilities (4)
  • 66% proper output escaping (concern)
Vulnerabilities
5 published

WPFront User Role Editor Security Vulnerabilities

CVEs by Year

2021: 2 CVEs
2024: 1 CVE
2025: 2 CVEs

Severity Breakdown

High: 1
Medium: 4

5 total CVEs

CVE-2025-60102 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WPFront User Role Editor <= 4.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Sep 26, 2025 · Patched in 4.2.4 (69d)

CVE-2025-3064 · high · 8.8 · Cross-Site Request Forgery (CSRF)

WPFront User Role Editor <= 4.2.1 - Cross-Site Request Forgery to Privilege Escalation via whitelist_options Function

Apr 7, 2025 · Patched in 4.2.2 (1d)

CVE-2024-2931 · medium · 4.3 · Exposure of Sensitive Information to an Unauthorized Actor

WPFront User Role Editor <= 3.2.1.11184 - Limited Information Exposure

Apr 1, 2024 · Patched in 4.1.0 (1d)

WF-6338620f-925a-4226-9557-313a7f8a6b6a-wpfront-user-role-editor · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WPFront User Role Editor < 3.2.1.11184 - Reflected Cross-Site Scripting

Nov 23, 2021 · Patched in 3.2.1.11184 (791d)

CVE-2021-24984 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WPFront User Role Editor <= 3.2.0 - Reflected Cross-Site Scripting

Nov 23, 2021 · Patched in 3.2.1 (791d)
Version History

WPFront User Role Editor Release Timeline

v4.2.4 · Current
v4.2.3 · 1 CVE
v4.2.2 · 1 CVE
Code Analysis
Analyzed Mar 16, 2026

WPFront User Role Editor Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (38 prepared)
Unescaped Output: 205 (395 escaped)
Nonce Checks: 23
Capability Checks: 81
File Operations: 0
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

jQuery

SQL Query Safety

97% prepared · 39 total queries

Output Escaping

66% escaped · 600 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

13 flows
dropdown_row (includes\post-type\template-add-edit.php:944)
Attack Surface

WPFront User Role Editor Attack Surface

Entry Points: 4
Unprotected: 0

AJAX Handlers 4

auth · wp_ajax_wpfront_user_role_editor_restore_role · includes\restore\class-restore.php:73
auth · wp_ajax_wpfront_user_role_editor_copy_capabilities · includes\roles\class-role-add-edit.php:100
auth · wp_ajax_wpfront_user_role_editor_assign_roles_user_autocomplete · includes\users\class-assign-migrate.php:114
auth · wp_ajax_wpfront_user_role_editor_login_page_url_autocomplete · includes\wp\class-login-page-url.php:90
WordPress Hooks 156
filter · editable_roles · includes\add-remove-cap\class-add-remove-cap.php:107
filter · wpfront_ure_bulk_edit_controllers · includes\add-remove-cap\class-add-remove-cap.php:339
filter · user_row_actions · includes\bulk-edit\class-bulk-edit-utils.php:485
filter · bulk_actions-users · includes\bulk-edit\class-bulk-edit-utils.php:486
action · wp_loaded · includes\bulk-edit\class-bulk-edit.php:98
action · wpfront_ure_init · includes\bulk-edit\class-bulk-edit.php:192
action · wpfront_ure_init · includes\class-controller.php:145
action · admin_menu · includes\class-controller.php:209
action · network_admin_menu · includes\class-controller.php:216
filter · wpfront_ure_settings_controllers · includes\class-debug.php:71
action · wpfront_ure_init · includes\class-debug.php:268
action · admin_init · includes\class-roles-helper.php:881
filter · wpfront_ure_restore_role_custom_caps · includes\class-roles-helper.php:883
filter · wpfront_ure_capability_ui_help_link · includes\class-roles-helper.php:885
action · wpfront_ure_init · includes\class-roles-helper.php:898
action · switch_blog · includes\class-roles-helper.php:900
filter · wpfront_ure_options_register_ui_field · includes\class-uninstall.php:114
action · wpfront_ure_options_ui_field_remove_data_on_uninstall_label · includes\class-uninstall.php:116
action · wpfront_ure_options_ui_field_remove_data_on_uninstall · includes\class-uninstall.php:117
action · wpfront_ure_options_ui_field_remove_data_on_uninstall_update · includes\class-uninstall.php:118
action · wpfront_ure_options_ui_field_remove_data_on_uninstall_help · includes\class-uninstall.php:119
action · wpfront_ure_init · includes\class-uninstall.php:174
action · wp_loaded · includes\comments\class-comment-capabilities.php:92
filter · wpfront_ure_restore_role_custom_caps · includes\comments\class-comment-capabilities.php:112
action · admin_init · includes\extended-permissions\class-post-type-extended-permissions.php:79
action · wpfront_ure_init · includes\extended-permissions\class-post-type-extended-permissions.php:150
action · plugins_loaded · includes\go-pro\class-go-pro.php:123
filter · bbp_get_caps_for_role · includes\integration\plugins\bbPress\class-bbPress.php:60
filter · login_redirect · includes\login-redirect\class-login-redirect.php:63
filter · logout_redirect · includes\login-redirect\class-login-redirect.php:64
filter · show_admin_bar · includes\login-redirect\class-login-redirect.php:65
action · admin_init · includes\login-redirect\class-login-redirect.php:73
action · admin_init · includes\media\class-media-permissions.php:80
filter · wpfront_ure_restore_role_custom_caps · includes\media\class-media-permissions.php:81
filter · wpfront_ure_options_register_ui_field · includes\nav-menu\class-nav-menu-permissions.php:70
filter · wpfront_ure_ms_options_register_ui_field · includes\nav-menu\class-nav-menu-permissions.php:71
filter · wp_get_nav_menu_items · includes\nav-menu\class-nav-menu-permissions.php:78
action · wp_loaded · includes\nav-menu\class-nav-menu-permissions.php:85
action · wp_nav_menu_item_custom_fields · includes\nav-menu\class-nav-menu-permissions.php:88
action · wp_nav_menu_item_title_user_restriction_type · includes\nav-menu\class-nav-menu-permissions.php:90
action · wp_nav_menu_item_custom_fields_roles_list · includes\nav-menu\class-nav-menu-permissions.php:92
action · wp_update_nav_menu_item · includes\nav-menu\class-nav-menu-permissions.php:95
action · admin_print_scripts-nav-menus.php · includes\nav-menu\class-nav-menu-permissions.php:101
action · admin_print_styles-nav-menus.php · includes\nav-menu\class-nav-menu-permissions.php:102
filter · wp_edit_nav_menu_walker · includes\nav-menu\class-nav-menu-permissions.php:120
action · load-nav-menus.php · includes\nav-menu\class-nav-menu-permissions.php:121
action · admin_notices · includes\nav-menu\class-nav-menu-permissions.php:339
action · wpfront_ure_options_ui_field_disable_navigation_menu_permissions_label · includes\nav-menu\class-nav-menu-permissions.php:375
action · wpfront_ure_options_ui_field_disable_navigation_menu_permissions · includes\nav-menu\class-nav-menu-permissions.php:376
action · wpfront_ure_options_ui_field_disable_navigation_menu_permissions_update · includes\nav-menu\class-nav-menu-permissions.php:377
action · wpfront_ure_options_ui_field_disable_navigation_menu_permissions_help · includes\nav-menu\class-nav-menu-permissions.php:378
action · wpfront_ure_options_ui_field_override_navigation_menu_permissions_label · includes\nav-menu\class-nav-menu-permissions.php:382
action · wpfront_ure_options_ui_field_override_navigation_menu_permissions · includes\nav-menu\class-nav-menu-permissions.php:383
action · wpfront_ure_options_ui_field_override_navigation_menu_permissions_update · includes\nav-menu\class-nav-menu-permissions.php:384
action · wpfront_ure_options_ui_field_override_navigation_menu_permissions_help · includes\nav-menu\class-nav-menu-permissions.php:385
filter · wpfront_ure_role_group_capabilities · includes\post-type\class-abstract-post-type-custom-cap.php:98
filter · wpfront_ure_restore_role_custom_caps · includes\post-type\class-abstract-post-type-custom-cap.php:366
action · init · includes\post-type\class-post-type.php:80
filter · register_post_type_args · includes\post-type\class-post-type.php:81
action · registered_post_type · includes\post-type\class-post-type.php:82
action · registered_post_type · includes\post-type\class-post-type.php:83
action · wp_loaded · includes\post-type\class-post-type.php:84
action · registered_post_type · includes\post-type\class-post-type.php:113
action · admin_init · includes\restore\class-restore.php:56
filter · wpfront_ure_options_register_ui_field · includes\restore\class-restore.php:64
filter · wpfront_ure_ms_options_register_ui_field · includes\restore\class-restore.php:65
action · wpfront_ure_options_ui_field_remove_nonstandard_capabilities_restore_label · includes\restore\class-restore.php:85
action · wpfront_ure_options_ui_field_remove_nonstandard_capabilities_restore · includes\restore\class-restore.php:86
action · wpfront_ure_options_ui_field_remove_nonstandard_capabilities_restore_update · includes\restore\class-restore.php:87
action · wpfront_ure_options_ui_field_remove_nonstandard_capabilities_restore_help · includes\restore\class-restore.php:88
action · wp_before_admin_bar_render · includes\roles\class-role-add-edit.php:81
action · admin_init · includes\roles\class-role-add-edit.php:82
filter · wpfront_ure_capability_edit_role_menus_functionality_enabled · includes\roles\class-role-add-edit.php:90
filter · wpfront_ure_capability_edit_content_shortcodes_functionality_enabled · includes\roles\class-role-add-edit.php:91
filter · wpfront_ure_capability_delete_content_shortcodes_functionality_enabled · includes\roles\class-role-add-edit.php:92
action · wpfront_ure_init · includes\roles\class-role-add-edit.php:565
filter · wpfront_ure_options_register_ui_field · includes\roles\class-roles-list.php:76
filter · wpfront_ure_ms_options_register_ui_field · includes\roles\class-roles-list.php:77
filter · manage_users_columns · includes\roles\class-roles-list.php:80
filter · manage_users_custom_column · includes\roles\class-roles-list.php:81
action · wpfront_ure_options_ui_field_override_edit_permissions_label · includes\roles\class-roles-list.php:99
action · wpfront_ure_options_ui_field_override_edit_permissions · includes\roles\class-roles-list.php:100
action · wpfront_ure_options_ui_field_override_edit_permissions_update · includes\roles\class-roles-list.php:101
action · wpfront_ure_options_ui_field_override_edit_permissions_help · includes\roles\class-roles-list.php:102
filter · editable_roles · includes\roles\class-roles-list.php:153
action · wpfront_ure_init · includes\settings\class-options.php:323
action · wpfront_ure_init · includes\shortcodes\class-shortcodes.php:103
action · init · includes\taxonomies\class-taxonomies.php:78
filter · register_taxonomy_args · includes\taxonomies\class-taxonomies.php:79
action · registered_taxonomy · includes\taxonomies\class-taxonomies.php:80
action · registered_taxonomy · includes\taxonomies\class-taxonomies.php:81
action · registered_taxonomy · includes\taxonomies\class-taxonomies.php:82
action · registered_post_type · includes\taxonomies\class-taxonomies.php:83
action · registered_taxonomy · includes\taxonomies\class-taxonomies.php:107
action · registered_taxonomy_for_object_type · includes\taxonomies\class-taxonomies.php:110
action · unregistered_taxonomy_for_object_type · includes\taxonomies\class-taxonomies.php:111
action · admin_init · includes\users\class-assign-migrate.php:98
filter · user_row_actions · includes\users\class-assign-migrate.php:106
action · wpfront_ure_init · includes\users\class-assign-migrate.php:519
action · admin_init · includes\users\class-user-permissions.php:79
filter · wpfront_ure_restore_role_custom_caps · includes\users\class-user-permissions.php:80
action · init · includes\users\class-user-profile.php:71
action · wpmu_activate_user · includes\users\class-user-profile.php:73
action · add_user_to_blog · includes\users\class-user-profile.php:77
filter · wpfront_ure_options_register_ui_field · includes\users\class-user-profile.php:84
filter · wpfront_ure_ms_options_register_ui_field · includes\users\class-user-profile.php:85
action · user_new_form · includes\users\class-user-profile.php:88
action · edit_user_created_user · includes\users\class-user-profile.php:90
action · edit_user_profile · includes\users\class-user-profile.php:92
action · profile_update · includes\users\class-user-profile.php:94
action · invite_user · includes\users\class-user-profile.php:97
filter · signup_user_meta · includes\users\class-user-profile.php:99
action · load-options-general.php · includes\users\class-user-profile.php:102
filter · allowed_options · includes\users\class-user-profile.php:106
filter · whitelist_options · includes\users\class-user-profile.php:108
action · wpfront_ure_options_ui_field_hide_secondary_roles_label · includes\users\class-user-profile.php:332
action · wpfront_ure_options_ui_field_hide_secondary_roles · includes\users\class-user-profile.php:333
action · wpfront_ure_options_ui_field_hide_secondary_roles_update · includes\users\class-user-profile.php:334
action · wpfront_ure_options_ui_field_hide_secondary_roles_help · includes\users\class-user-profile.php:335
action · init · includes\users\class-user-switching.php:57
action · admin_bar_menu · includes\users\class-user-switching.php:58
action · get_footer · includes\users\class-user-switching.php:59
action · wp_logout · includes\users\class-user-switching.php:60
action · wp_login · includes\users\class-user-switching.php:61
action · bbp_template_after_user_details · includes\users\class-user-switching.php:62
action · bp_member_header_actions · includes\users\class-user-switching.php:63
action · bp_directory_members_actions · includes\users\class-user-switching.php:64
filter · wpfront_ure_administrator_caps_to_process · includes\users\class-user-switching.php:66
filter · ms_user_row_actions · includes\users\class-user-switching.php:80
filter · user_row_actions · includes\users\class-user-switching.php:82
action · personal_options · includes\users\class-user-switching.php:84
action · admin_footer · includes\users\class-user-switching.php:137
action · wp_footer · includes\users\class-user-switching.php:138
filter · widget_display_callback · includes\widget\class-widget-permissions.php:70
action · in_widget_form · includes\widget\class-widget-permissions.php:73
filter · widget_update_callback · includes\widget\class-widget-permissions.php:75
action · wp_widget_permissions_custom_fields_roles_list · includes\widget\class-widget-permissions.php:78
filter · wpfront_ure_options_register_ui_field · includes\widget\class-widget-permissions.php:84
filter · wpfront_ure_ms_options_register_ui_field · includes\widget\class-widget-permissions.php:85
filter · gutenberg_use_widgets_block_editor · includes\widget\class-widget-permissions.php:91
filter · use_widgets_block_editor · includes\widget\class-widget-permissions.php:92
action · admin_print_scripts-widgets.php · includes\widget\class-widget-permissions.php:95
action · admin_print_styles-widgets.php · includes\widget\class-widget-permissions.php:96
action · wpfront_ure_options_ui_field_use_old_widgets_ui_label · includes\widget\class-widget-permissions.php:299
action · wpfront_ure_options_ui_field_use_old_widgets_ui · includes\widget\class-widget-permissions.php:300
action · wpfront_ure_options_ui_field_use_old_widgets_ui_update · includes\widget\class-widget-permissions.php:301
action · wpfront_ure_options_ui_field_use_old_widgets_ui_help · includes\widget\class-widget-permissions.php:302
action · admin_init · includes\wp\class-login-page-url.php:79
filter · wpfront_ure_options_register_ui_field · includes\wp\class-login-page-url.php:80
filter · login_url · includes\wp\class-login-page-url.php:82
action · wpfront_ure_options_ui_field_login_page_url_label · includes\wp\class-login-page-url.php:102
action · wpfront_ure_options_ui_field_login_page_url · includes\wp\class-login-page-url.php:103
action · wpfront_ure_options_ui_field_login_page_url_update · includes\wp\class-login-page-url.php:104
action · wpfront_ure_options_ui_field_login_page_url_help · includes\wp\class-login-page-url.php:105
action · wpfront_ure_init · includes\wp\class-login-page-url.php:272
action · admin_enqueue_scripts · wpfront-user-role-editor.php:87
Maintenance & Trust

WPFront User Role Editor Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 2, 2025
PHP min version: 7.0
Downloads: 966K

Community Trust

Rating: 90/100
Number of ratings: 65
Active installs: 30K
Developer Profile

WPFront User Role Editor Developer Profile

Syam Mohan

4 plugins · 280K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 458 days
Detection Fingerprints

How We Detect WPFront User Role Editor

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wpfront-user-role-editor/assets/css/style.css
/wp-content/plugins/wpfront-user-role-editor/assets/css/admin-style.css
/wp-content/plugins/wpfront-user-role-editor/assets/js/admin.js
Script Paths
/wp-content/plugins/wpfront-user-role-editor/assets/js/admin.js
Version Parameters
wpfront-user-role-editor/assets/css/style.css?ver=
wpfront-user-role-editor/assets/css/admin-style.css?ver=
wpfront-user-role-editor/assets/js/admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpfront-user-role-editor
JS Globals
wpfront_ure
FAQ

Frequently Asked Questions about WPFront User Role Editor