Zone Manager (Zoninator) Security & Risk Analysis

wordpress.org/plugins/zoninator

Content curation made easy! Create "zones" then add and order your content!

2K active installs · v0.10.2 · PHP 7.4+ · WP 5.9+ · Updated Oct 2, 2025
Tags: order, post-list, post-order, posts, zones
100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Zone Manager (Zoninator) Safe to Use in 2026?

Generally Safe

Score 100/100

Zone Manager (Zoninator) has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 6mo ago
Risk Assessment

The "zoninator" plugin, version 0.10.2, presents a significant security risk primarily due to its unprotected AJAX handlers. While the plugin demonstrates good practices by utilizing prepared statements for SQL queries and properly escaping most output, the presence of six AJAX handlers without any authentication or authorization checks creates a wide attack surface. This means any unauthenticated user could potentially trigger these handlers, leading to unintended actions or information disclosure if these handlers perform sensitive operations. The absence of any recorded vulnerabilities in its history is a positive sign, suggesting the developers may be diligent or that the plugin hasn't been extensively targeted. However, this lack of past issues should not be considered a guarantee of current security, especially given the identified entry points. The plugin's security posture is mixed: strengths lie in its SQL and output handling, but the unprotected AJAX endpoints are a critical weakness that needs immediate attention.

Key Concerns

  • Unprotected AJAX handlers (6)
  • No nonce checks on AJAX handlers
  • Unprotected AJAX handlers contribute to large attack surface
Vulnerabilities
None known

Zone Manager (Zoninator) Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Zone Manager (Zoninator) Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 5 (125 escaped)
Nonce Checks: 1
Capability Checks: 3
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

96% escaped · 130 total outputs
Attack Surface
6 unprotected

Zone Manager (Zoninator) Attack Surface

Entry Points: 6
Unprotected: 6

AJAX Handlers (6)

auth · wp_ajax_zoninator_reorder_posts · src\class-zoninator.php:136
auth · wp_ajax_zoninator_add_post · src\class-zoninator.php:137
auth · wp_ajax_zoninator_remove_post · src\class-zoninator.php:138
auth · wp_ajax_zoninator_search_posts · src\class-zoninator.php:139
auth · wp_ajax_zoninator_update_lock · src\class-zoninator.php:140
auth · wp_ajax_zoninator_update_recent · src\class-zoninator.php:141

WordPress Hooks (17)

action · rest_api_init · src\class-zoninator-api.php:25
action · save_post · src\class-zoninator-zoneposts-widget.php:16
action · deleted_post · src\class-zoninator-zoneposts-widget.php:17
action · switch_theme · src\class-zoninator-zoneposts-widget.php:18
action · init · src\class-zoninator.php:51
action · widgets_init · src\class-zoninator.php:53
action · init · src\class-zoninator.php:55
action · template_redirect · src\class-zoninator.php:57
action · split_shared_term · src\class-zoninator.php:59
action · admin_init · src\class-zoninator.php:118
action · admin_init · src\class-zoninator.php:119
action · admin_menu · src\class-zoninator.php:121
action · zoninator_advanced_search_fields · src\class-zoninator.php:124
action · zoninator_advanced_search_fields · src\class-zoninator.php:125
action · admin_enqueue_scripts · src\class-zoninator.php:149
action · admin_enqueue_scripts · src\class-zoninator.php:150
action · rest_api_init · src\zoninator_rest\class-zoninator-rest-environment.php:290
Maintenance & Trust

Zone Manager (Zoninator) Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.6.5
Last updated: Oct 2, 2025
PHP min version: 7.4
Downloads: 113K

Community Trust

Rating: 100/100
Number of ratings: 3
Active installs: 2K
Developer Profile

Zone Manager (Zoninator) Developer Profile

Automattic

213 plugins · 19.2M total installs

Trust score: 73
Avg Security Score: 92/100
Avg Patch Time: 1384 days
Detection Fingerprints

How We Detect Zone Manager (Zoninator)

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/zoninator/js/zoninator.js
/wp-content/plugins/zoninator/css/zoninator.css
Script Paths
js/zoninator.js
Version Parameters
zoninator/js/zoninator.js?ver=
zoninator/css/zoninator.css?ver=

HTML / DOM Fingerprints

CSS Classes
zoninator-zone-wrap, zoninator-zone-posts, zoninator-zone-editor, zoninator-zone-title, zoninator-zone-description, zoninator-post-selector, zoninator-post-search, zoninator-post-results, +2 more
Data Attributes
data-zoninator-zone-id, data-zoninator-post-id, data-zoninator-nonce
JS Globals
zoninatorOptions
REST Endpoints
/wp-json/zoninator/v1/zones
/wp-json/zoninator/v1/posts
/wp-json/zoninator/v1/lock