WPGet API – Connect to any external REST API Security & Risk Analysis

wordpress.org/plugins/wpgetapi

Connect any REST API to WordPress. WPGet API enables easy API integration, allowing you to display API data without any code.

10K active installs v2.25.4 PHP 7.2+ WP 5.6+ Updated Nov 12, 2025
Tags: api, endpoint, external-api, json, rest

Score: 99 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Mar 6, 2025

Safety Verdict

Is WPGet API – Connect to any external REST API Safe to Use in 2026?

Generally Safe

Score 99/100

WPGet API – Connect to any external REST API has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Mar 6, 2025 · Updated 4mo ago

Risk Assessment

The "wpgetapi" v2.25.4 plugin exhibits a generally strong security posture based on the provided static analysis. The complete absence of directly dangerous functions, 100% prepared SQL statements, and a high percentage of properly escaped output are commendable. Furthermore, the presence of nonce and capability checks on the identified entry points suggests an effort to protect against common WordPress vulnerabilities. The lack of any taint analysis findings with unsanitized paths or critical/high severity issues is also a positive indicator.

However, a review of the vulnerability history reveals a pattern of past medium-severity vulnerabilities, specifically SSRF and Missing Authorization. While there are currently no unpatched CVEs, the existence of two historical medium-severity issues in these categories warrants attention. The plugin's past struggles with authorization are particularly concerning, as they can lead to privilege escalation or unauthorized data access. The plugin's attack surface, while small in terms of entry points, relies on robust authentication and authorization mechanisms which have historically been a point of concern.

In conclusion, "wpgetapi" v2.25.4 has made significant strides in its security practices, evident in its static analysis. The team appears to be implementing good coding standards. The primary area for continued vigilance is addressing the historical patterns of medium-severity vulnerabilities, particularly those related to authorization, to ensure future releases maintain the current positive trend and prevent recurrence.

Key Concerns

  • Past medium-severity vulnerabilities (2 total)
  • Historical focus on SSRF vulnerabilities
  • Historical focus on Missing Authorization

Vulnerabilities (2)

WPGet API – Connect to any external REST API Security Vulnerabilities

CVEs by Year

2023: 1 CVE
2025: 1 CVE

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2024-13857 · medium · 5.5 · Server-Side Request Forgery (SSRF)

WPGet API <= 2.2.10 - Authenticated (Administrator+) Server-Side Request Forgery

Mar 6, 2025 Patched in 2.25.1 (1d)

WF-39003835-80df-49c7-982a-346bf328565c-wpgetapi · medium · 6.3 · Missing Authorization

WPGetAPI 2.1.0 - 2.2.1 - Authenticated (Subscriber+) Arbitrary Options Update

Oct 2, 2023 Patched in 2.2.2 (113d)
Code Analysis
Analyzed Mar 16, 2026

WPGet API – Connect to any external REST API Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 19 (179 escaped)
Nonce Checks: 4
Capability Checks: 1
File Operations: 0
External Requests: 5
Bundled Libraries: 0

Output Escaping

90% escaped · 198 total outputs

Data Flows: All sanitized

Data Flow Analysis

6 flows
export_endpoints (includes\class-wpgetapi-admin-options.php:672)
Attack Surface

WPGet API – Connect to any external REST API Attack Surface

Entry Points: 5
Unprotected: 0

AJAX Handlers (4)

auth · wp_ajax_wpgetapi_test_endpoint · includes\class-wpgetapi-admin-options.php:97
auth · wp_ajax_wpgetapi_export_endpoints · includes\class-wpgetapi-admin-options.php:99
auth · wp_ajax_wpgetapi_import_endpoints · includes\class-wpgetapi-admin-options.php:100
auth · wp_ajax_wpgetapi_notice_dismiss · includes\class-wpgetapi-admin-options.php:105

Shortcodes (1)

[wpgetapi_endpoint] · frontend\functions.php:174

WordPress Hooks (22)

action · wp_footer · frontend\functions.php:105
action · init · includes\block-editor\block-editor.php:71
action · enqueue_block_editor_assets · includes\block-editor\block-editor.php:169
action · admin_init · includes\class-wpgetapi-admin-options.php:88
action · admin_menu · includes\class-wpgetapi-admin-options.php:89
action · cmb2_admin_init · includes\class-wpgetapi-admin-options.php:91
action · cmb2_save_options-page_fields · includes\class-wpgetapi-admin-options.php:93
action · admin_footer · includes\class-wpgetapi-admin-options.php:95
action · plugins_loaded · includes\class-wpgetapi-admin-options.php:102
action · all_admin_notices · includes\class-wpgetapi-admin-options.php:103
action · cmb2_options-page_process_fields_wpgetapi_setup · includes\class-wpgetapi-admin-options.php:107
action · admin_enqueue_scripts · includes\class-wpgetapi-api-enqueues.php:24
filter · wpgetapi_raw_error_data · includes\class-wpgetapi-api.php:79
filter · wpgetapi_raw_data · includes\class-wpgetapi-api.php:80
action · admin_menu · includes\class-wpgetapi-license-handler.php:25
action · admin_notices · includes\class-wpgetapi-license-handler.php:26
filter · cmb2_render_class_parameter · includes\class-wpgetapi-parameter-field.php:15
filter · cmb2_sanitize_parameter · includes\class-wpgetapi-parameter-field.php:16
filter · cmb2_sanitize_parameter · includes\class-wpgetapi-parameter-field.php:21
filter · cmb2_types_esc_parameter · includes\class-wpgetapi-parameter-field.php:22
filter · plugin_row_meta · wpgetapi.php:95
action · plugins_loaded · wpgetapi.php:98

Maintenance & Trust

WPGet API – Connect to any external REST API Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Nov 12, 2025
PHP min version: 7.2
Downloads: 246K

Community Trust

Rating: 100/100
Number of ratings: 32
Active installs: 10K

Developer Profile

WPGet API – Connect to any external REST API Developer Profile

David Anderson / Team Updraft

16 plugins · 6.4M total installs

Trust score: 78
Avg Security Score: 98/100
Avg Patch Time: 1197 days
Detection Fingerprints

How We Detect WPGet API – Connect to any external REST API

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wpgetapi/includes/block-editor/block-editor.php
/wp-content/plugins/wpgetapi/includes/class-wpgetapi-admin-options.php
/wp-content/plugins/wpgetapi/includes/class-wpgetapi-api.php
/wp-content/plugins/wpgetapi/includes/class-wpgetapi-api-enqueues.php
/wp-content/plugins/wpgetapi/includes/class-wpgetapi-encryption.php
/wp-content/plugins/wpgetapi/includes/class-wpgetapi-license-handler.php
/wp-content/plugins/wpgetapi/includes/class-wpgetapi-notices.php
/wp-content/plugins/wpgetapi/includes/functions.php
+2 more

Script Paths
/wp-content/plugins/wpgetapi/includes/block-editor/block-editor.js
/wp-content/plugins/wpgetapi/includes/class-wpgetapi-api-enqueues.js

Version Parameters
wpgetapi/style.css?ver=
wpgetapi/script.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpgetapi-ajax-output
wpgetapi_endpoint_container

HTML Comments
WPGetAPI Plugin Core

Data Attributes
data-api-id
data-endpoint-id
data-api-setup-modal
data-api-call-nonce

JS Globals
wpgetapi_localized_data

Shortcode Output
[wpgetapi_endpoint
[wpgetapi_display_api_data