
Ajax Comment Preview Security & Risk Analysis
wordpress.org/plugins/ajax-comment-preview
Visitors to your site can preview their comments with a click of a button.
Is Ajax Comment Preview Safe to Use in 2026?
Generally Safe
Score 85/100
Ajax Comment Preview has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.
The "ajax-comment-preview" plugin v2.4 exhibits a mixed security posture. On the positive side, it demonstrates good practices regarding SQL queries, exclusively using prepared statements, and has no recorded vulnerability history, indicating a generally stable codebase. It also performs output escaping on a high percentage of its outputs and has a single nonce check, suggesting some attention to security fundamentals.
However, the attack surface analysis raises significant concerns. The plugin registers two AJAX handlers, neither of which performs an authentication check, which gives unauthenticated visitors a direct path into the plugin's logic. The absence of capability checks compounds this risk, since any user, regardless of role or permissions, can invoke these handlers. The taint analysis shows no critical or high severity flows, which is a positive sign, but that finding is overshadowed by the unprotected entry points.
In conclusion, while the plugin avoids common pitfalls like raw SQL queries or bundled vulnerable libraries, the two unprotected AJAX endpoints represent a substantial and immediate security risk. This is the primary area of concern and requires immediate attention to mitigate potential exploits. The lack of any recorded vulnerabilities in its history is a strength, but it doesn't negate the inherent risks posed by the current unprotected endpoints.
Key Concerns
- AJAX handlers without auth checks
- AJAX handlers without capability checks
- Unescaped output found
Ajax Comment Preview Security Vulnerabilities
Ajax Comment Preview Code Analysis
Output Escaping
Data Flow Analysis
Ajax Comment Preview Attack Surface
AJAX Handlers: 2
WordPress Hooks: 6
Ajax Comment Preview Maintenance & Trust
Maintenance Signals
Community Trust
Ajax Comment Preview Alternatives
- Comments – wpDiscuz (wpdiscuz): AJAX powered realtime comments. Designed to extend WordPress native comments. Custom comment forms/fields. Making comments has never been so awesome!
- AnyComment (anycomment): AnyComment is a blazing-fast commenting plugin based on React for WordPress.
- Ajaxify Comments – Ajax and Lazy Loading Comments (wp-ajaxify-comments): Ajaxify Comments hooks into native WordPress comments and allows comment posting without reloading the page.
- Comment Edit Core – Simple Comment Editing (simple-comment-editing): Allow your users to edit their comments for a period of time. Adjust the comment timer and save some admin headaches.
- FluentComments – Spam protection, AntiSpam, Ajax Enhanced Comments (fluent-comments): AJAX powered realtime comments. Designed to prevent spam, improve performance and make comments beautiful again 🚀
Ajax Comment Preview Developer Profile
7 plugins · 12K total installs
How We Detect Ajax Comment Preview
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
- /wp-content/plugins/ajax-comment-preview/ajax-comment-preview.js
- ajax-comment-preview.js
- ajax-comment-preview/ajax-comment-preview.js?ver=
HTML / DOM Fingerprints
- CSS classes: commentlist, comment, even, thread-even, depth-1, comment-author, vcard, fn (+5 more)
- <!-- TODO: New themes use wp_list_comments. Try to tap into those callbacks. -->
- <!-- TODO - should probabl inject with JS -->
- id="comment-preview"
- id="div-comment-preview"
- name="acp-preview"
- id="acp-preview"
- id="ajax-comment-preview"
- name="acp[template]" class="acp-focusable widefat"
- AJAXCommentPreview
- /wp-json/ajax-comment-preview/