Does Ar PHP have any unpatched vulnerabilities?

No. All known vulnerabilities in Ar PHP have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Ar PHP compatible with WordPress 3.1.4?

According to WordPress.org data, Ar PHP 0.7 has been tested up to WordPress 3.1.4. Check the plugin's changelog for the latest compatibility information.

How often is Ar PHP updated?

Ar PHP was last updated on Feb 5, 2011. Frequent updates are generally a positive security signal.

What is Ar PHP's security score?

Ar PHP has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Ar PHP Security & Risk Analysis

wordpress.org/plugins/ar-php

Adds Ar-PHP project functionality in TinyMCE editor.

10 active installs v0.7 PHP + WP 2.7+ Updated Feb 5, 2011

ar-phparabicrtltinymcewysiwyg

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is Ar PHP Safe to Use in 2026?

Generally Safe

Score 85/100

Ar PHP has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 15yr ago

Risk Assessment

The 'ar-php' plugin v0.7 exhibits a mixed security posture. On the positive side, it has no recorded vulnerabilities (CVEs), and its static analysis shows a remarkably small attack surface with no AJAX handlers, REST API routes, shortcodes, or cron events. All SQL queries utilize prepared statements, which is a strong security practice. However, several concerns emerge from the code analysis. The presence of a dangerous function, `preg_replace(/e)`, is a significant red flag, as this can lead to remote code execution if not handled with extreme care and proper sanitization. Furthermore, only 18% of output is properly escaped, indicating a high risk of cross-site scripting (XSS) vulnerabilities. Taint analysis reveals two flows with unsanitized paths, which, while not reaching critical or high severity, still represent potential avenues for attackers to introduce malicious data into the application. The lack of nonce checks on any entry points, though the attack surface is zero, means that if any were introduced in future versions, they would be unprotected. The presence of capability checks is positive, but their limited number and the absence of nonce checks suggest an incomplete approach to securing potential entry points.

Key Concerns

Dangerous function preg_replace(/e) used
Low percentage of output properly escaped
Unsanitized paths in taint analysis
No nonce checks on entry points

Vulnerabilities

None known

Ar PHP Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 17, 2026

Ar PHP Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

2 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Dangerous Functions Found

preg_replace(/e)preg_replace('/&(#x?)?([A-Za-z0-9]+);/e'sub\ArGlyphs.class.php:508

Output Escaping

18% escaped11 total outputs

Data Flows

2 unsanitized

Data Flow Analysis

3 flows2 with unsanitized paths

arphpSettings (ar-php.php:92)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

Ar PHP Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 6

actionadmin_menuar-php.php:18

actioninitar-php.php:21

actioninitar-php.php:25

actionadmin_noticesar-php.php:29

filtermce_external_pluginsar-php.php:86

filtermce_buttonsar-php.php:87

Maintenance & Trust

Ar PHP Maintenance & Trust

Maintenance Signals

WordPress version tested3.1.4

Last updatedFeb 5, 2011

PHP min version

Downloads4K

Community Trust

Rating0/100

Number of ratings0

Active installs10

Alternatives

Ar PHP Alternatives

WP-RTL

wp-rtl

Adds two buttons to the TinyMCE editor to enable writing text in Left to Right (LTR) and Right to Left (RTL) directions.

2K No CVEs

WP-SARAHSPELL

wp-sarahspell

100

Enables Arabic Spell Checking in the TinyMCE editor.

0 No CVEs

Black Studio TinyMCE Widget

black-studio-tinymce-widget

100

The visual editor widget for WordPress.

200K No CVEs

Visual Term Description Editor

visual-term-description-editor

Replaces the plain-text category and tag description editor with a visual editor.

20K No CVEs

Advanced TinyMCE Configuration

advanced-tinymce-configuration

Set advanced TinyMCE options for the classic block and classic editor.

10K No CVEs

Developer Profile

Ar PHP Developer Profile

holooli

3 plugins · 30 total installs

trust score

Avg Security Score

85/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect Ar PHP

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/ar-php/css/style.css/wp-content/plugins/ar-php/img/a_calendar.gif/wp-content/plugins/ar-php/img/h_calendar.gif/wp-content/plugins/ar-php/img/numbers.gif/wp-content/plugins/ar-php/img/keyboard.gif/wp-content/plugins/ar-php/img/terms.gif

Script Paths

/ar-php/editor_plugin.js

HTML / DOM Fingerprints

CSS Classes

arphp-warning

Data Attributes

name="arphp_date"name="arphp_hijri_date"name="arphp_spell_numbers"name="arphp_convert_layout"name="arphp_transliterate"name="action"+1 more

FAQ