WP-Safety

Carbon Copy Security & Risk Analysis

wordpress.org/plugins/carbon-copy

Copy pages, posts, menus quickly and conveniently.

3K active installs v1.3.6 PHP + WP 5.4+ Updated Jan 5, 2026
copy-menucopy-pagecopy-postduplicate-pageduplicate-post
100
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is Carbon Copy Safe to Use in 2026?

Generally Safe

Score 100/100

Carbon Copy has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 2mo ago
Risk Assessment

The "carbon-copy" plugin v1.3.6 exhibits a strong security posture based on the provided static analysis. There are no identified dangerous functions, all SQL queries utilize prepared statements, and a high percentage (75%) of output is properly escaped, indicating good development practices. The absence of known CVEs and a clean vulnerability history further suggests a mature and secure plugin. The limited attack surface with no exposed AJAX handlers, REST API routes, shortcodes, or cron events without proper authorization checks is a significant strength. However, the presence of file operations and nonce checks, while not inherently problematic, would warrant closer inspection in a more in-depth audit to ensure they are implemented securely and without potential for abuse. The limited number of static analysis flows analyzed and the overall lack of recorded vulnerabilities in its history might also suggest a less extensive testing or auditing process in the past, though this is speculative.

Key Concerns

  • 25% of outputs are not properly escaped
  • File operations present
  • Nonce checks present
Vulnerabilities
None known

Carbon Copy Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Carbon Copy Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
9
27 escaped
Nonce Checks
2
Capability Checks
9
File Operations
2
External Requests
0
Bundled Libraries
0

Output Escaping

75% escaped36 total outputs
Data Flows
All sanitized

Data Flow Analysis

4 flows
carbon_copy_add_carbon_copy_button (carbon-copy-admin.php:404)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Carbon Copy Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 36
actionadmin_initcarbon-copy-admin.php:20
filterpost_row_actionscarbon-copy-admin.php:26
filterpage_row_actionscarbon-copy-admin.php:27
actionpost_submitbox_startcarbon-copy-admin.php:31
filterdisplay_post_statescarbon-copy-admin.php:39
actionadd_meta_boxescarbon-copy-admin.php:43
actionsave_postcarbon-copy-admin.php:44
actionadmin_action_carbon_copy_save_as_new_postcarbon-copy-admin.php:48
actionadmin_action_carbon_copy_save_as_new_post_draftcarbon-copy-admin.php:49
filterremovable_query_argscarbon-copy-admin.php:50
actioncc_carbon_copycarbon-copy-admin.php:53
actioncc_duplicate_pagecarbon-copy-admin.php:54
actioncc_carbon_copycarbon-copy-admin.php:58
actioncc_duplicate_pagecarbon-copy-admin.php:59
actioncc_carbon_copycarbon-copy-admin.php:64
actioncc_duplicate_pagecarbon-copy-admin.php:65
actioncc_carbon_copycarbon-copy-admin.php:70
actioncc_duplicate_pagecarbon-copy-admin.php:71
actioncc_carbon_copycarbon-copy-admin.php:74
actioncc_duplicate_pagecarbon-copy-admin.php:75
actionadmin_noticescarbon-copy-admin.php:76
filterplugin_row_metacarbon-copy-admin.php:78
actionquick_edit_custom_boxcarbon-copy-admin.php:224
actionsave_postcarbon-copy-admin.php:225
actionadmin_enqueue_scriptscarbon-copy-admin.php:226
actionadmin_initcarbon-copy-admin.php:897
filtergutenberg_use_widgets_block_editorcarbon-copy-admin.php:970
filteruse_widgets_block_editorcarbon-copy-admin.php:972
filteradmin_headcarbon-copy-admin.php:983
actionadmin_menucarbon-copy-admin.php:1090
actioninitcarbon-copy-common.php:242
actionwp_before_admin_bar_rendercarbon-copy-common.php:247
actionwp_enqueue_scriptscarbon-copy-common.php:248
actionadmin_enqueue_scriptscarbon-copy-common.php:249
actionadmin_menucarbon-copy-options.php:11
actionadmin_initcarbon-copy-options.php:12
Maintenance & Trust

Carbon Copy Maintenance & Trust

Maintenance Signals

WordPress version tested6.10
Last updatedJan 5, 2026
PHP min version
Downloads26K

Community Trust

Rating100/100
Number of ratings2
Active installs3K
Alternatives

Carbon Copy Alternatives

Duplicate Post

Duplicate Post

copy-delete-posts

A
99

Duplicate post

300K 2 CVEs
Duplicate Post – duplicate pages, copy content, clone posts

Duplicate Post – duplicate pages, copy content, clone posts

duplicate-post-rb

A
100

Duplicate Post RB makes it easy to duplicate posts, pages and custom post types. Create duplicate posts, clone content, automate duplication

2K No CVEs
Quick Copy – Duplicate Posts & Pages

Quick Copy – Duplicate Posts & Pages

duplicator-post-page

A
100

Easily duplicate any post or page, including all metadata and taxonomies, with just one click.

1K No CVEs
Duplicate Post and Clone Page

Duplicate Post and Clone Page

duplicate-post-and-clone-page

A
100

One click duplicate post and page. The best solution for easy copy page and post. It just works!

10 No CVEs
WP Duplicate Page

WP Duplicate Page

wp-duplicate-page

A
96

Clone WordPress page, post, custom post types

60K 3 CVEs
Developer Profile

Carbon Copy Developer Profile

Manny Rodrigues

4 plugins · 5K total installs

79
trust score
Avg Security Score
100/100
Avg Patch Time
368 days
View full developer profile
Detection Fingerprints

How We Detect Carbon Copy

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/carbon-copy/carbon-copy.css/wp-content/plugins/carbon-copy/carbon-copy.js
Script Paths
/wp-content/plugins/carbon-copy/carbon-copy.js
Version Parameters
carbon-copy.css?ver=carbon-copy.js?ver=

HTML / DOM Fingerprints

CSS Classes
carbon-copy-column-titlecarbon-copy-column-content
Data Attributes
data-carbon-copy-post-id
FAQ

Frequently Asked Questions about Carbon Copy