WP-Safety

AddToAny Share Buttons Security & Risk Analysis

wordpress.org/plugins/add-to-any

Share buttons for WordPress including the AddToAny button, Facebook, Bluesky, Mastodon, WhatsApp, Pinterest, Reddit, many more, and follow icons too.

300K active installs v1.8.16 PHP 5.6+ WP 4.5+ Updated Jan 9, 2026
shareshare-buttonsshare-iconssocialsocial-media
99
A · Safe
CVEs total3
Unpatched0
Last CVEAug 10, 2021
Plugin page Download
Safety Verdict

Is AddToAny Share Buttons Safe to Use in 2026?

Generally Safe

Score 99/100

AddToAny Share Buttons has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEsLast CVE: Aug 10, 2021Updated 2mo ago
Risk Assessment

The Add-to-Any plugin version 1.8.16 exhibits a generally good security posture based on the static analysis. It has a small attack surface with no unprotected entry points, uses prepared statements for all SQL queries, and has a high percentage of properly escaped output. The presence of nonce and capability checks further strengthens its defensive mechanisms. The absence of dangerous functions, file operations, and critical/high severity taint flows are also positive indicators.

However, the plugin's vulnerability history is a notable concern. With three known medium severity CVEs, particularly related to Cross-site Scripting and Improper Input Validation, it suggests a recurring pattern of input sanitization weaknesses. Although all historical vulnerabilities are currently patched, the nature of these past issues warrants continued vigilance and a proactive approach to security testing. The single external HTTP request, while not inherently dangerous, could potentially be a vector if the external resource is compromised.

In conclusion, while Add-to-Any version 1.8.16 has implemented several sound security practices, its past vulnerability history, specifically around input handling and cross-site scripting, necessitates careful monitoring and a cautious approach. The strengths in code sanitization and access control are undermined by these historical patterns, suggesting that while the current code might be clean, the underlying architecture may have recurring challenges.

Key Concerns

  • Multiple medium CVEs related to XSS and input validation
  • One external HTTP request
Vulnerabilities
3

AddToAny Share Buttons Security Vulnerabilities

CVEs by Year

1 CVE in 2017
2017
2 CVEs in 2021
2021
Patched Has unpatched

Severity Breakdown

Medium
3

3 total CVEs

CVE-2021-24616medium · 4.8Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

AddToAny Share Buttons <= 1.7.47 - Authenticated Stored Cross-Site Scripting

Aug 10, 2021 Patched in 1.7.48 (896d)
CVE-2021-24568medium · 5.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

AddToAny Share Buttons <= 1.7.45 - Authenticated Stored Cross-Site Scripting

Aug 9, 2021 Patched in 1.7.46 (897d)
WF-7cc86970-7e63-47d0-9971-ddd0fc992a5a-add-to-anymedium · 4.7Improper Input Validation

AddToAny Share Buttons <= 1.7.14 - HTTP Host Header Injection

Aug 16, 2017 Patched in 1.7.15 (2351d)
Code Analysis
Analyzed Mar 16, 2026

AddToAny Share Buttons Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
12
176 escaped
Nonce Checks
2
Capability Checks
7
File Operations
0
External Requests
1
Bundled Libraries
0

Output Escaping

94% escaped188 total outputs
Attack Surface

AddToAny Share Buttons Attack Surface

Entry Points1
Unprotected0

Shortcodes 1

[addtoany] add-to-any.php:920
WordPress Hooks 30
filterinitadd-to-any.php:50
actionwp_footeradd-to-any.php:774
filterthe_contentadd-to-any.php:891
filterthe_excerptadd-to-any.php:892
actionpre_get_postsadd-to-any.php:896
actionwp_enqueue_scriptsadd-to-any.php:1007
filterscript_loader_tagadd-to-any.php:1141
actionwp_enqueue_scriptsadd-to-any.php:1151
actionaddtoany_refresh_cacheadd-to-any.php:1190
filteradmin_menuadd-to-any.php:1268
actionwidgets_initadd-to-any.php:1278
filterplugin_action_linksadd-to-any.php:1297
actionadmin_initaddtoany.admin.php:76
actionsave_postaddtoany.admin.php:77
actionedit_attachmentaddtoany.admin.php:78
actionadmin_print_footer_scriptsaddtoany.admin.php:104
actionadmin_enqueue_scriptsaddtoany.admin.php:108
filteradmin_headaddtoany.admin.php:1308
actionadmin_enqueue_scriptsaddtoany.admin.php:1370
filtersafe_style_cssaddtoany.compat.php:14
filtersafecss_filter_attr_allow_cssaddtoany.compat.php:20
actionloop_startaddtoany.compat.php:70
actionafter_setup_themeaddtoany.compat.php:73
actionwp_loadedaddtoany.compat.php:93
filteraddtoany_content_priorityaddtoany.compat.php:100
actionwoocommerce_shareaddtoany.compat.php:107
filterrocket_minify_excluded_external_jsaddtoany.compat.php:143
actioninitaddtoany.compat.php:164
actionwp_enqueue_scriptsaddtoany.widgets.php:25
actionwp_enqueue_scriptsaddtoany.widgets.php:113

Scheduled Events 1

addtoany_refresh_cache
Maintenance & Trust

AddToAny Share Buttons Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedJan 9, 2026
PHP min version5.6
Downloads18.5M

Community Trust

Rating94/100
Number of ratings1,111
Active installs300K
Alternatives

AddToAny Share Buttons Alternatives

WPUpper Share Buttons

WPUpper Share Buttons

wpupper-share-buttons

A
90

Free social share buttons, share to Facebook, WhatsApp, Messenger, Twitter, Reddit and much more.

4K 3 CVEs
Social Linkz – Lightweight and fast social media sharing plugin

Social Linkz – Lightweight and fast social media sharing plugin

social-linkz

A
100

Social Linkz plugin helps you easily share your content to social media.

90 No CVEs
Super Simple Social Share Icons

Super Simple Social Share Icons

super-simple-social-share-icons

A
100

A lightweight and powerful solution for adding beautiful social sharing buttons to your WordPress site.

60 No CVEs
DR!M Share

DR!M Share

drim-share

A
85

A simple light-weight and mobile-friendly social sharing plugin for WordPress.

10 No CVEs
Super Easy Social Share

Super Easy Social Share

super-easy-social-share

A
85

The plugin adds social share links to your website. Includes content buttons and desktop and mobile floating bar.

10 No CVEs
Developer Profile

AddToAny Share Buttons Developer Profile

micropat

2 plugins · 301K total installs

73
trust score
Avg Security Score
92/100
Avg Patch Time
1381 days
View full developer profile
Detection Fingerprints

How We Detect AddToAny Share Buttons

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/add-to-any/addtoany.css/wp-content/plugins/add-to-any/addtoany.js
Generator Patterns
AddToAny Share Buttons
Script Paths
/wp-content/plugins/add-to-any/addtoany.js
Version Parameters
add-to-any/addtoany.css?ver=add-to-any/addtoany.js?ver=

HTML / DOM Fingerprints

CSS Classes
a2a_kita2a_kit_size_32addtoany_lista2a_vertical_style
Data Attributes
data-a2a-urldata-a2a-titledata-a2a-mediadata-a2a-scroll-show
JS Globals
A2A_SHARE_SAVE_plugin_urlADDTOANY_SHARE_SAVE_BUTTONADDTOANY_SHARE_SAVE_ICONSADDTOANY_SHARE_SAVE_KITA2A_SHARE_SAVE_optionsA2A_SHARE_SAVE_services+1 more
Shortcode Output
[addtoany]
FAQ

Frequently Asked Questions about AddToAny Share Buttons