Average WYSIWYG Helper Security & Risk Analysis

wordpress.org/plugins/average-wysiwyg-helper

Highlights prominent HTML elements in the WYSIWYG editor, to help Editors see what they're editing. Sort of a WYSIWYM (the M is for mean).

20 active installs · v2.2.1 · PHP + · WP 3.0.1+ · Updated Feb 18, 2015
element-highlighter, tinymce, wysiwyg, wysiwym
Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Average WYSIWYG Helper Safe to Use in 2026?

Generally Safe

Score 85/100

Average WYSIWYG Helper has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 11yr ago
Risk Assessment

The "average-wysiwyg-helper" plugin v2.2.1 demonstrates a strong security posture in several key areas. The absence of any AJAX handlers, REST API routes, shortcodes, or cron events significantly limits its attack surface. Furthermore, the code does not exhibit any dangerous functions or file operations, and there are no external HTTP requests, which are positive indicators of secure coding practices. The presence of capability checks, albeit only two, is also a good sign, suggesting some level of authorization awareness in the code.

However, a significant concern arises from the complete lack of output escaping. With three total outputs and zero percent properly escaped, there is a high likelihood of cross-site scripting (XSS) vulnerabilities. This is a critical oversight that could allow attackers to inject malicious scripts into the WordPress site. The fact that taint analysis shows zero flows is likely due to the limited entry points and lack of data processing that would trigger such analysis, rather than an indication of inherent security in data handling.

The plugin's vulnerability history is spotless, with no recorded CVEs. This, combined with the positive static analysis signals, suggests that the developers have likely focused on keeping the codebase clean and free of known vulnerabilities. However, the lack of output escaping is a serious deficiency that overshadows these strengths and represents a tangible risk to users.

Key Concerns

  • Outputs are not properly escaped
  • No capability checks on some entry points
Vulnerabilities
None known

Average WYSIWYG Helper Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Average WYSIWYG Helper Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 3 (0 escaped)
Nonce Checks: 0
Capability Checks: 2
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

0% escaped · 3 total outputs
Attack Surface

Average WYSIWYG Helper Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 5
  • action admin_init (average-wysiwyg-helper.php:88)
  • action admin_menu (average-wysiwyg-helper.php:89)
  • action admin_notices (average-wysiwyg-helper.php:90)
  • filter mce_css (average-wysiwyg-helper.php:92)
  • action load-post.php (average-wysiwyg-helper.php:130)
Maintenance & Trust

Average WYSIWYG Helper Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.0.38
Last updated: Feb 18, 2015
PHP min version
Downloads: 4K

Community Trust

Rating: 100/100
Number of ratings: 3
Active installs: 20
Developer Profile

Average WYSIWYG Helper Developer Profile

Joe Rhoney

4 plugins · 140 total installs

Trust score: 86
Avg Security Score: 89/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Average WYSIWYG Helper

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/average-wysiwyg-helper/wysiwym.css
/wp-content/plugins/average-wysiwyg-helper/overrides.css

HTML / DOM Fingerprints

CSS Classes
noyesswitch, noyesswitch-checkbox, noyesswitch-label, noyesswitch-inner, noyesswitch-switch
HTML Comments
<!-- Plugin Name: Average WYSIWYG Helper Plugin URI: Description: Reveals the prominent HTML elements in the default WYSIWYG editor (TinyMCE) comprehensively, while maintaining edibility as well as any theme styles (in most cases). In effect, you have a WYSIWYG and a WYSIWYM (What You See Is What You Mean) combined. Can also cancel out certain default WordPress styling in the WYSIWYG such as the captions box/border. Version: 2.2.1 Author: Average Author URI: http://profiles.wordpress.org/averagetechnology/ @since 3.8 ___ / |_ _____ _________ _____ ____ / /| | | / / _ / ___/ __ `/ __ `/ _ \ / ___ | |/ / __/ / / /_/ / /_/ / __/ /_/ |_|___/\___/_/ \__,_/\__, /\___/ /____/ ™ by Joe Rhoney -->
<!-- W Y S I W Y G H E L P E R C L A S S ======================================= -->
<!-- H E L P T A B =============== -->
Data Attributes
id="avrgwysiwyg_options_form"
name="avrgwysiwyg_options_form"
FAQ

Frequently Asked Questions about Average WYSIWYG Helper