AnyComment Security & Risk Analysis

wordpress.org/plugins/anycomment

AnyComment is a blazing-fast commenting plugin based on React for WordPress.

3K active installs · v0.3.6 · PHP 5.4+ · WP 4.7+ · Updated May 14, 2022
Tags: ajax-comments, comment, comment-moderation, comments, comments-seo

Score: 17/100 · Grade F · Critical Risk
CVEs total: 7
Unpatched: 3
Last CVE: Dec 31, 2025
Safety Verdict

Is AnyComment Safe to Use in 2026?

Critical Risk — Avoid

Score 17/100

AnyComment is critically unsafe: 7 known CVEs, 3 of them unpatched in the current release (0.3.6), which has not been updated since May 2022. Avoid in production.

7 known CVEs · 3 unpatched · Last CVE: Dec 31, 2025 · Updated 3yr ago
Risk Assessment

The "anycomment" plugin v0.3.6 exhibits a mixed security posture. The static signals show some security awareness: 91% of SQL queries go through prepared statements (103 of 113), 74% of output sites are escaped (332 of 449), no dangerous functions were found, and the shortcode surface is small (2 entry points, 0 unprotected). That entry-point figure covers shortcodes only, however. The hook inventory below shows seven classes registering REST routes on rest_api_init, and those routes are not reflected in the count, so "0 unprotected" should not be read as a small attack surface.

Against that, the taint analysis flags 3 of 5 data flows as having an unsanitized path; the one flow named in the report, social_list in includes\Hooks\AnyCommentNativeLoginForm.php:48, sits in the file that also registers the [anycomment_socials] shortcode. The report counts 30 file operations and 5 external requests, so an unsanitized path reaching either is the first thing to check. Only 2 nonce checks were found in the whole plugin, against 34 capability checks, and 10 SQL queries and 117 output sites remain unprepared or unescaped. The plugin also bundles Guzzle, which is updated only when the plugin itself is.

The vulnerability history is the decisive factor. The 7 CVEs cover Cross-Site Scripting (2018), an Open Redirect (2021), CSRF and a Race Condition (2022), and in 2025 an Unauthenticated Local File Inclusion, an authenticated (Subscriber+) SQL Injection and a Missing Authorization issue. All three 2025 CVEs affect the current release (<= 0.3.6) and are unpatched; the plugin was last updated on May 14, 2022, so fixes should not be expected. Unpatched vulnerabilities, one of them reachable without authentication, combined with unsanitized taint flows make this plugin a high risk for any production site.

Key Concerns

  • 3 unpatched CVEs, all affecting the current release 0.3.6 (last update May 14, 2022)
  • 3 of 5 taint-analysis flows with unsanitized paths
  • Bundled library: Guzzle (updated only when the plugin is)
  • Only 2 nonce checks in the whole plugin (34 capability checks, 7 classes registering REST routes)
  • 74% output escaping (117 of 449 output sites not escaped)
Vulnerabilities
7

AnyComment Security Vulnerabilities

CVEs by Year

2018: 1 CVE (patched)
2021: 1 CVE (patched)
2022: 2 CVEs (patched)
2025: 3 CVEs (unpatched)

Severity Breakdown

High: 2
Medium: 5

7 total CVEs

CVE-2025-62874 · Medium · 4.3 · Missing Authorization
AnyComment <= 0.3.6 - Missing Authorization
Dec 31, 2025 · Unpatched

CVE-2025-48091 · Medium · 6.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
AnyComment <= 0.3.6 - Authenticated (Subscriber+) SQL Injection
Oct 8, 2025 · Unpatched

CVE-2025-60240 · High · 8.1 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
AnyComment <= 0.3.6 - Unauthenticated Local File Inclusion
Jul 12, 2025 · Unpatched

CVE-2022-0279 · Medium · 5.3 · Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
AnyComment <= 0.2.17 - Race Condition
Jan 19, 2022 · Patched in 0.2.18 (734d)

CVE-2022-0134 · High · 8.8 · Cross-Site Request Forgery (CSRF)
AnyComment <= 0.2.17 - Cross-Site Request Forgery
Jan 19, 2022 · Patched in 0.2.18 (734d)

CVE-2021-24838 · Medium · 5.4 · URL Redirection to Untrusted Site ('Open Redirect')
AnyComment <= 0.3.4 - Open Redirect via redirect parameter
Dec 20, 2021 · Patched in 0.3.5 (764d)

CVE-2018-21001 · Medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
AnyComment <= 0.0.32 - Cross-Site Scripting
Jul 17, 2018 · Patched in 0.0.33 (2016d)
Code Analysis
Analyzed Mar 16, 2026

AnyComment Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 10 (103 prepared)
Unescaped Output: 117 (332 escaped)
Nonce Checks: 2
Capability Checks: 34
File Operations: 30
External Requests: 5
Bundled Libraries: 1

Bundled Libraries

Guzzle

SQL Query Safety

91% prepared (103 of 113 queries)

Output Escaping

74% escaped (332 of 449 output sites)
Data Flows (3 unsanitized)

Data Flow Analysis

5 flows, 3 with unsanitized paths
social_list (includes\Hooks\AnyCommentNativeLoginForm.php:48)
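The counts in the Code Analysis section are produced by static pattern matching over the plugin's PHP. The following is an added example, not code from AnyComment or from the audit site, showing how such signals are derived: it scans PHP source for raw versus prepared $wpdb calls, escaped versus unescaped echo output, nonce and capability checks, dangerous functions, and REST routes registered without a restrictive permission_callback (the gap the shortcode-only "Entry Points" figure does not cover). The PHP inside it is a constructed sample with one deliberately weak and one hardened endpoint; the namespace demo/v1, the functions demo_list_comments and demo_delete_comment, the nonce action demo_delete, and the Python helpers scan_php and summarize are all invented for the example.

```python
"""Added example: derive WordPress plugin code-quality signals from PHP source.
Not AnyComment's code; the sample PHP below is constructed for illustration."""
import json
import re

SAMPLE_PHP = r'''<?php
add_action('rest_api_init', function () {
    // weak endpoint: open to anyone, query built by interpolation, raw output
    register_rest_route('demo/v1', '/comments', [
        'methods'  => 'GET',
        'callback' => 'demo_list_comments',
        'permission_callback' => '__return_true',
    ]);
    // hardened endpoint: capability check on the route, nonce check, prepared statement
    register_rest_route('demo/v1', '/comments/delete', [
        'methods'  => 'POST',
        'callback' => 'demo_delete_comment',
        'permission_callback' => function () { return current_user_can('moderate_comments'); },
    ]);
});

function demo_list_comments($request) {
    global $wpdb;
    $post = $request['post_id'];
    $rows = $wpdb->get_results("SELECT * FROM {$wpdb->comments} WHERE comment_post_ID = $post");
    foreach ($rows as $r) {
        echo $r->comment_content;
        echo esc_html($r->comment_author);
    }
}

function demo_delete_comment($request) {
    global $wpdb;
    check_ajax_referer('demo_delete', 'nonce');
    $id = (int) $request['id'];
    $wpdb->query($wpdb->prepare("DELETE FROM {$wpdb->comments} WHERE comment_ID = %d", $id));
    echo esc_html__('deleted', 'demo');
}
'''

# A $wpdb read/write call; group 1 is present only when its first argument is $wpdb->prepare(...).
SQL_CALL = re.compile(r"\$wpdb->(?:query|get_results|get_row|get_var|get_col)\s*\(\s*(\$wpdb->prepare\s*\()?")
ECHO = re.compile(r"\becho\s+(.+?);")
ESCAPER = re.compile(r"(?:esc_\w+|wp_kses\w*)\s*\(")          # WordPress output-escaping helpers
NONCE = re.compile(r"\b(?:wp_verify_nonce|check_ajax_referer|check_admin_referer)\s*\(")
CAPABILITY = re.compile(r"\bcurrent_user_can\s*\(")
DANGEROUS = re.compile(r"\b(?:eval|system|exec|passthru|shell_exec|unserialize)\s*\(")
# register_rest_route('ns', '/route', [ ...args... ]);  body captured for the permission check
REST_ROUTE = re.compile(r"register_rest_route\(\s*'([^']*)'\s*,\s*'([^']*)'\s*,\s*\[(.*?)\]\s*\)\s*;", re.S)
PERMISSION = re.compile(r"'permission_callback'\s*=>\s*([^\n]+)")


def scan_php(src):
    """Count the signals for one PHP source string."""
    raw = prepared = 0
    for m in SQL_CALL.finditer(src):
        prepared += 1 if m.group(1) else 0
        raw += 0 if m.group(1) else 1
    escaped = unescaped = 0
    for m in ECHO.finditer(src):
        if ESCAPER.match(m.group(1).strip()):
            escaped += 1
        else:
            unescaped += 1
    open_routes = []
    for namespace, route, body in REST_ROUTE.findall(src):
        pm = PERMISSION.search(body)
        value = pm.group(1).strip().rstrip(",") if pm else ""
        # A missing permission_callback or '__return_true' means any visitor can call the route.
        if not value or "__return_true" in value:
            open_routes.append(namespace + route)
    return {
        "raw_sql": raw, "prepared_sql": prepared,
        "unescaped_output": unescaped, "escaped_output": escaped,
        "nonce_checks": len(NONCE.findall(src)),
        "capability_checks": len(CAPABILITY.findall(src)),
        "dangerous_functions": len(DANGEROUS.findall(src)),
        "open_rest_routes": open_routes,
    }


def summarize(sig):
    """Turn the raw counts into the percentages the report style above uses."""
    total_sql = sig["raw_sql"] + sig["prepared_sql"]
    total_out = sig["escaped_output"] + sig["unescaped_output"]
    return {
        "prepared_pct": round(100 * sig["prepared_sql"] / total_sql) if total_sql else 100,
        "escaped_pct": round(100 * sig["escaped_output"] / total_out) if total_out else 100,
        "open_rest_routes": sig["open_rest_routes"],
    }


if __name__ == "__main__":
    signals = scan_php(SAMPLE_PHP)
    print(json.dumps({"signals": signals, "summary": summarize(signals)}, indent=2))
```

On the constructed sample the scanner reports one raw and one prepared query, one unescaped and two escaped outputs, one nonce check, one capability check, and demo/v1/comments as an open REST route. Regex matching of this kind is what produces counts like "2 nonce checks"; it cannot tell whether a check guards the right code path, which is why the taint flows and the CVE list carry more weight than the percentages.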
Attack Surface

AnyComment Attack Surface

Entry Points: 2
Unprotected: 0

Shortcodes (2)

[anycomment] includes\AnyCommentRender.php:42
[anycomment_socials] includes\Hooks\AnyCommentNativeLoginForm.php:27
WordPress Hooks (54) · type · hook · registered at
action · admin_menu · includes\Admin\AnyCommentAdminPages.php:47
action · admin_head · includes\Admin\AnyCommentAdminPages.php:48
action · admin_enqueue_scripts · includes\Admin\AnyCommentAdminPages.php:49
action · admin_menu · includes\Admin\AnyCommentEmailQueuePage.php:25
action · admin_menu · includes\Admin\AnyCommentFilesPage.php:25
action · admin_init · includes\Admin\AnyCommentGenericSettings.php:345
action · admin_init · includes\Admin\AnyCommentIntegrationSettings.php:162
action · admin_menu · includes\Admin\AnyCommentRatingPage.php:17
action · admin_init · includes\Admin\AnyCommentSocialSettings.php:152
action · admin_menu · includes\Admin\AnyCommentSubscriptionsPage.php:25
filter · manage_edit-comments_columns · includes\Admin\AnyCommentWPComments.php:22
action · manage_comments_custom_column · includes\Admin\AnyCommentWPComments.php:23
action · manage_users_columns · includes\Admin\AnyCommentWPComments.php:25
action · manage_users_custom_column · includes\Admin\AnyCommentWPComments.php:26
filter · get_avatar · includes\AnyCommentAvatars.php:33
action · init · includes\AnyCommentCore.php:100
action · init · includes\AnyCommentCore.php:157
action · widgets_init · includes\AnyCommentLoader.php:77
filter · comments_template · includes\AnyCommentRender.php:40
filter · logout_url · includes\AnyCommentRender.php:44
action · wp_enqueue_scripts · includes\AnyCommentRender.php:47
filter · script_loader_tag · includes\AnyCommentRender.php:50
action · wp_head · includes\AnyCommentRender.php:52
filter · cron_schedules · includes\Cron\AnyCommentEmailQueueCron.php:25
action · anycomment_email_queue_send_cron · includes\Cron\AnyCommentEmailQueueCron.php:31
filter · wp_mail_from_name · includes\Cron\AnyCommentEmailQueueCron.php:83
filter · cron_schedules · includes\Cron\AnyCommentServiceSyncCron.php:26
action · anycomment_service_sync_cron · includes\Cron\AnyCommentServiceSyncCron.php:32
action · anycomment_tools_cron · includes\Cron\AnyCommentToolsCron.php:27
filter · query_vars · includes\EmailEndpoints.php:26
action · template_include · includes\EmailEndpoints.php:33
action · delete_comment · includes\Hooks\AnyCommentCommentHooks.php:33
action · edit_comment · includes\Hooks\AnyCommentCommentHooks.php:36
action · wp_insert_comment · includes\Hooks\AnyCommentCommentHooks.php:39
filter · pre_comment_content · includes\Hooks\AnyCommentCommentHooks.php:45
action · init · includes\Hooks\AnyCommentCommonHooks.php:23
action · template_redirect · includes\Hooks\AnyCommentCommonHooks.php:24
filter · show_admin_bar · includes\Hooks\AnyCommentCommonHooks.php:34
action · login_form · includes\Hooks\AnyCommentNativeLoginForm.php:24
action · anycomment/user/logged_in · includes\Hooks\AnyCommentUserHooks.php:26
action · anycomment/admin/options/update · includes\Hooks\AnyCommentUserHooks.php:27
action · bp_init · includes\Integrations\AnyCommentBuddyPress.php:33
filter · woocommerce_product_tabs · includes\Integrations\AnyCommentWooCommerce.php:22
action · init · includes\Libraries\AnyCommentUserTour.php:33
action · init · includes\Options\AnyCommentOptionManager.php:64
action · admin_notices · includes\Options\AnyCommentOptionManager.php:79
action · rest_api_init · includes\Rest\AnyCommentRestComment.php:48
filter · post_password_required · includes\Rest\AnyCommentRestComment.php:1542
action · rest_api_init · includes\Rest\AnyCommentRestDocuments.php:24
action · rest_api_init · includes\Rest\AnyCommentRestLikes.php:25
action · rest_api_init · includes\Rest\AnyCommentRestRate.php:26
action · rest_api_init · includes\Rest\AnyCommentRestServiceSync.php:39
action · rest_api_init · includes\Rest\AnyCommentRestSubscriptions.php:25
action · rest_api_init · includes\Rest\AnyCommentSocialAuth.php:142

Scheduled Events (3)

anycomment_email_queue_send_cron
anycomment_service_sync_cron
anycomment_tools_cron
Maintenance & Trust

AnyComment Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.9.13
Last updated: May 14, 2022
PHP min version: 5.4
Downloads: 97K

Community Trust

Rating: 96/100
Number of ratings: 156
Active installs: 3K
Developer Profile

AnyComment Developer Profile

Alexander

2 plugins · 3K total installs

Trust score: 45
Avg Security Score: 51/100
Avg Patch Time: 1062 days
Detection Fingerprints

How We Detect AnyComment

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/anycomment/assets/css/admin.min.css
/wp-content/plugins/anycomment/assets/js/admin.min.js
/wp-content/plugins/anycomment/assets/js/Chart.min.js
Script Paths
/wp-content/plugins/anycomment/assets/js/Chart.min.js
/wp-content/plugins/anycomment/assets/js/admin.min.js
Version Parameters
anycomment/assets/css/admin.min.css?ver=
anycomment/assets/js/admin.min.js?ver=
anycomment/assets/js/Chart.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
anycomment-dashboard
Data Attributes
data-anycomment-admin-locale
JS Globals
anycomment
Shortcode Output
[anycomment]
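The fingerprints above are meant to be applied to fetched HTML. The following is an added example, not code from AnyComment or from the audit site, that does exactly that over a page already in memory: it checks the listed asset paths, CSS class, data attribute, JS global and shortcode output, pulls the plugin version out of the ?ver= query strings, and compares it with the highest affected version across the CVEs on this page (0.3.6). The HTML sample is constructed for the example and the host example.test is invented; the helpers fingerprint and parse_version are the example's own.

```python
"""Added example: match the AnyComment detection fingerprints against a page
and flag versions inside the CVE range listed above.  Not the audit site's code."""
import json
import re

# Fingerprints as listed in the Detection Fingerprints section.
ASSET_PATHS = [
    "/wp-content/plugins/anycomment/assets/css/admin.min.css",
    "/wp-content/plugins/anycomment/assets/js/admin.min.js",
    "/wp-content/plugins/anycomment/assets/js/Chart.min.js",
]
CSS_CLASSES = ["anycomment-dashboard"]
DATA_ATTRIBUTES = ["data-anycomment-admin-locale"]
JS_GLOBALS = ["anycomment"]
SHORTCODE_OUTPUT = ["[anycomment]"]          # unrendered shortcode leaking into the page
LAST_VULNERABLE = (0, 3, 6)                   # every CVE on this page affects <= 0.3.6

# The "?ver=" query string WordPress appends to enqueued plugin assets.
VERSION_PARAM = re.compile(r"anycomment/assets/[\w./-]+\?ver=([\d.]+)")

# Constructed sample page; example.test is an invented host.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://example.test/wp-content/plugins/anycomment/assets/css/admin.min.css?ver=0.3.6">
<script src="https://example.test/wp-content/plugins/anycomment/assets/js/admin.min.js?ver=0.3.6"></script>
<script src="https://example.test/wp-content/plugins/anycomment/assets/js/Chart.min.js?ver=0.3.6"></script>
</head><body>
<div class="wrap anycomment-dashboard" data-anycomment-admin-locale="en_US"></div>
<script>window.anycomment = {"locale": "en_US"};</script>
</body></html>"""


def parse_version(text):
    """'0.3.6' -> (0, 3, 6); tuples compare numerically, so 0.3.10 > 0.3.6."""
    return tuple(int(p) for p in text.strip(".").split("."))


def fingerprint(html):
    """Return which fingerprints matched, the versions seen, and a vulnerable-range verdict."""
    versions = sorted(set(VERSION_PARAM.findall(html)), key=parse_version)
    hits = {
        "asset_paths": [p for p in ASSET_PATHS if p in html],
        "css_classes": [c for c in CSS_CLASSES
                        if re.search(r'class="[^"]*\b%s\b' % re.escape(c), html)],
        "data_attributes": [a for a in DATA_ATTRIBUTES
                            if re.search(r"\b%s=" % re.escape(a), html)],
        "js_globals": [g for g in JS_GLOBALS
                       if re.search(r"\b%s\s*=" % re.escape(g), html)],
        "shortcode_output": [s for s in SHORTCODE_OUTPUT if s in html],
        "versions": versions,
    }
    hits["detected"] = any(hits[k] for k in
                           ("asset_paths", "css_classes", "data_attributes",
                            "js_globals", "shortcode_output"))
    # Vulnerable only if the plugin is present and a seen version is <= 0.3.6.
    hits["known_vulnerable"] = hits["detected"] and any(
        parse_version(v) <= LAST_VULNERABLE for v in versions)
    # Present but no ?ver= seen: treat as unknown version, not as safe.
    hits["version_unknown"] = hits["detected"] and not versions
    return hits


if __name__ == "__main__":
    print(json.dumps(fingerprint(SAMPLE_HTML), indent=2))
```

Treat a version read from ?ver= as a hint rather than proof: sites can strip or rewrite asset query strings, and a page with the DOM fingerprints but no version string should be reported as "present, version unknown" rather than as safe, which is what version_unknown is for.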
FAQ

Frequently Asked Questions about AnyComment