Tarot Card Oracle Security & Risk Analysis

wordpress.org/plugins/card-oracle

Create tarot, oracle, cartouche, and rune readings on your WordPress site using your own decks, spreads, and meanings.

100 active installs · v1.2.1 · PHP 7.4+ · WP 4.6+ · Updated Feb 26, 2026
Tags: cartouche, oracle, runes, tarot, tarot-reading
100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Tarot Card Oracle Safe to Use in 2026?

Generally Safe

Score 100/100

Tarot Card Oracle has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 2mo ago
Risk Assessment

The "card-oracle" plugin version 1.2.1 presents a mixed security posture. On the positive side, the plugin exhibits a strong commitment to secure coding practices with a high percentage of SQL queries using prepared statements and a significant majority of output being properly escaped. The absence of any known CVEs or recorded vulnerability history suggests a stable and likely well-maintained codebase. Furthermore, the presence of a substantial number of nonce and capability checks indicates an awareness of common WordPress security vulnerabilities.

However, several areas of concern affect its overall security. The plugin exposes three AJAX handlers without authentication checks, creating a potential attack surface for unauthorized actions. No critical or high severity taint flows were identified, but three flows have unsanitized paths and warrant careful review even though they are not rated critical. The plugin also bundles Freemius v1.0, which may be outdated depending on its release date and known vulnerabilities.

In conclusion, "card-oracle" v1.2.1 benefits from good internal coding hygiene regarding SQL and output escaping, and its clean vulnerability history is a strong indicator of security. The primary weaknesses lie in the unprotected AJAX endpoints and the potential risk associated with unsanitized path flows. Addressing these specific areas would significantly strengthen the plugin's security posture.

Key Concerns

  • AJAX handlers without authentication
  • Flows with unsanitized paths (3 total)
  • Bundled outdated library (Freemius v1.0)
Vulnerabilities
None known

Tarot Card Oracle Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Tarot Card Oracle Release Timeline

v1.2.1 (Current)
v1.2.0
Code Analysis
Analyzed Mar 16, 2026

Tarot Card Oracle Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (10 prepared)
Unescaped Output: 101 (660 escaped)
Nonce Checks: 27
Capability Checks: 13
File Operations: 18
External Requests: 5
Bundled Libraries: 1

Bundled Libraries

Freemius 1.0

SQL Query Safety

91% prepared · 11 total queries

Output Escaping

87% escaped · 761 total outputs
Data Flows · Security
3 unsanitized

Data Flow Analysis

9 flows · 3 with unsanitized paths
display_card_oracle_demodata_page (admin\class-card-oracle-admin.php:3018)
Legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized
Attack Surface
3 unprotected

Tarot Card Oracle Attack Surface

Entry Points: 10
Unprotected: 3

AJAX Handlers 3

auth wp_ajax_card_oracle_check_reading_exists includes\class-card-oracle.php:302
auth wp_ajax_send_reading_email includes\class-card-oracle.php:362
nopriv wp_ajax_send_reading_email includes\class-card-oracle.php:363

REST API Routes 1

GET /wp-json/card-oracle/v1/readings admin\class-card-oracle-admin.php:1406

Shortcodes 6

[card-oracle] includes\class-card-oracle.php:358
[card-oracle-daily] includes\class-card-oracle.php:359
[card-oracle-random] includes\class-card-oracle.php:360
[card-oracle] includes\class-card-oracle.php:378
[card-oracle-daily] includes\class-card-oracle.php:379
[card-oracle-random] includes\class-card-oracle.php:380
WordPress Hooks 59
action save_post admin\class-card-oracle-admin.php:2608
action admin_notices admin\includes\class-card-oracle-notices.php:44
action clean_post_cache includes\card-oracle-core-functions.php:961
action shutdown includes\card-oracle-core-functions.php:1471
action save_post_co_readings includes\card-oracle-core-functions.php:1713
action delete_post includes\card-oracle-core-functions.php:1714
action save_post_post includes\card-oracle-core-functions.php:1715
action save_post_page includes\card-oracle-core-functions.php:1716
action update_option_card_oracle_powered_by includes\card-oracle-core-functions.php:1736
action update_option_card_oracle_affiliate_link includes\card-oracle-core-functions.php:1742
action plugins_loaded includes\class-card-oracle.php:149
action admin_enqueue_scripts includes\class-card-oracle.php:264
action admin_enqueue_scripts includes\class-card-oracle.php:265
action enqueue_block_editor_assets includes\class-card-oracle.php:267
action rest_api_init includes\class-card-oracle.php:269
action init includes\class-card-oracle.php:271
action after_uninstall includes\class-card-oracle.php:273
action init includes\class-card-oracle.php:275
filter manage_edit-co_cards_columns includes\class-card-oracle.php:277
filter manage_edit-co_cards_sortable_columns includes\class-card-oracle.php:278
filter manage_edit-co_descriptions_columns includes\class-card-oracle.php:279
filter manage_edit-co_descriptions_sortable_columns includes\class-card-oracle.php:280
filter manage_edit-co_readings_columns includes\class-card-oracle.php:281
filter manage_edit-co_positions_columns includes\class-card-oracle.php:282
filter manage_edit-co_positions_sortable_columns includes\class-card-oracle.php:283
action manage_co_cards_posts_custom_column includes\class-card-oracle.php:284
action manage_co_descriptions_posts_custom_column includes\class-card-oracle.php:285
action manage_co_readings_posts_custom_column includes\class-card-oracle.php:286
action manage_co_positions_posts_custom_column includes\class-card-oracle.php:287
filter bulk_actions-edit-co_order includes\class-card-oracle.php:288
action admin_menu includes\class-card-oracle.php:290
filter parent_file includes\class-card-oracle.php:291
filter submenu_file includes\class-card-oracle.php:292
filter wp_insert_post_data includes\class-card-oracle.php:293
action admin_notices includes\class-card-oracle.php:300
action admin_init includes\class-card-oracle.php:304
action admin_init includes\class-card-oracle.php:306
action admin_init includes\class-card-oracle.php:308
action admin_init includes\class-card-oracle.php:309
action add_meta_boxes includes\class-card-oracle.php:311
action add_meta_boxes includes\class-card-oracle.php:312
action add_meta_boxes includes\class-card-oracle.php:313
action add_meta_boxes includes\class-card-oracle.php:314
action do_meta_boxes includes\class-card-oracle.php:315
action save_post includes\class-card-oracle.php:316
action before_delete_post includes\class-card-oracle.php:318
action admin_action_demo_data includes\class-card-oracle.php:320
filter plugin_row_meta includes\class-card-oracle.php:322
action wp_enqueue_scripts includes\class-card-oracle.php:341
action wp_enqueue_scripts includes\class-card-oracle.php:342
action elementor/frontend/after_enqueue_scripts includes\class-card-oracle.php:344
action elementor/frontend/after_enqueue_styles includes\class-card-oracle.php:345
action elementor/preview/enqueue_styles includes\class-card-oracle.php:346
action elementor/preview/enqueue_scripts includes\class-card-oracle.php:347
action init includes\class-card-oracle.php:350
action wp_mail_failed includes\class-card-oracle.php:364
action init includes\class-co-logging.php:58
action init includes\class-co-logging.php:61
action plugins_loaded includes\class-co-logging.php:63

Scheduled Events 1

card-oracle_cron_refresh_cache
Maintenance & Trust

Tarot Card Oracle Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 26, 2026
PHP min version: 7.4
Downloads: 12K

Community Trust

Rating: 68/100
Number of ratings: 5
Active installs: 100
Developer Profile

Tarot Card Oracle Developer Profile

chillichalli

1 plugin · 100 total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Tarot Card Oracle

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/card-oracle/admin/css/card-oracle-admin.css
  • /wp-content/plugins/card-oracle/admin/js/card-oracle-admin.js
  • /wp-content/plugins/card-oracle/public/css/card-oracle-public.css
  • /wp-content/plugins/card-oracle/public/js/card-oracle-public.js
Script Paths
  • /wp-content/plugins/card-oracle/admin/js/card-oracle-admin.js
  • /wp-content/plugins/card-oracle/public/js/card-oracle-public.js
Version Parameters
  • card-oracle/admin/css/card-oracle-admin.css?ver=
  • card-oracle/admin/js/card-oracle-admin.js?ver=
  • card-oracle/public/css/card-oracle-public.css?ver=
  • card-oracle/public/js/card-oracle-public.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • card-oracle-admin-section-wrapper
  • card-oracle-settings-tab-nav
  • card-oracle-settings-tab-content
HTML Comments
  • <!-- Card Oracle Settings -->
  • <!-- BEGIN Card Oracle General Settings -->
  • <!-- END Card Oracle General Settings -->
Data Attributes
  • data-tab
  • data-tab-content
JS Globals
  • cardOracleAdmin
REST Endpoints
  • /wp-json/card-oracle/v1/settings
  • /wp-json/card-oracle/v1/cards
  • /wp-json/card-oracle/v1/spreads
  • /wp-json/card-oracle/v1/readings
Shortcode Output
  • [card_oracle_reading]
  • [card_oracle_deck]