
Citrus Security & Risk Analysis
wordpress.org/plugins/citrus
Display research publications from Pure API or manually provided BibTeX data beautifully.
Is Citrus Safe to Use in 2026?
Generally Safe
Score 100/100
Citrus has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.
The Citrus plugin version 1.2.1 exhibits a generally strong security posture with several good practices in place. The extensive use of prepared statements for SQL queries and proper output escaping (99%) are significant strengths. The absence of any known vulnerabilities (CVEs) or critical taint flows is also a positive indicator. However, there are notable concerns regarding the attack surface. The plugin exposes several entry points, including 4 AJAX handlers and 4 REST API routes, that lack permission checks. This could potentially allow unauthorized users to interact with plugin functionalities that were intended to be protected. The presence of a dangerous function, 'preg_replace(/e)', while not explicitly shown to be exploited in taint analysis, warrants careful consideration due to its historical association with remote code execution vulnerabilities.
Key Concerns
- REST API routes without permission callbacks
- AJAX handlers without authentication checks
- Use of dangerous function preg_replace(/e)
Citrus Security Vulnerabilities
Citrus Release Timeline
Citrus Code Analysis
Dangerous Functions Found
Output Escaping
Data Flow Analysis
Citrus Attack Surface
- AJAX Handlers: 4
- REST API Routes: 5
- Shortcodes: 1
- WordPress Hooks: 16
- Scheduled Events: 3
Maintenance & Trust
Citrus Maintenance & Trust
Maintenance Signals
Community Trust
Citrus Alternatives
Pure Feed Widget
pure-feed-widget
A widget for listing academic publications from Elsevier Pure in WordPress.
teachPress
teachpress
Manage your publications with teachPress
Zotpress
zotpress
Zotpress displays your Zotero citations on WordPress.
CM Footnotes – Boost your content’s credibility with footnotes, citations, and bibliography
cm-footnotes
Add and manage footnotes, citations, and bibliography with this footnotes Plugin. Improve clarity and provide references.
Scholar Publications Fetcher
scholar-publications-fetcher
A lightweight and high-performance plugin to fetch, cache, and display your Google Scholar publications in a clean, modern, and responsive card layout …
Citrus Developer Profile
1 plugin · 0 total installs
How We Detect Citrus
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
- /wp-content/plugins/citrus/assets/css/citrus.css
- /wp-content/plugins/citrus/assets/js/citrus.js
- /wp-content/plugins/citrus/assets/js/vendor/lodash.min.js
- /wp-content/plugins/citrus/assets/js/vendor/moment.min.js
- /wp-content/plugins/citrus/assets/js/vendor/vue.min.js
- /wp-content/plugins/citrus/assets/js/vendor/vue-moment.min.js
- /wp-content/plugins/citrus/assets/js/vendor/marked.min.js
- /wp-content/plugins/citrus/assets/js/vendor/axios.min.js
- +2 more
- citrus/style.css?ver=
- citrus/script.js?ver=
HTML / DOM Fingerprints
- citrus-publications-list
- citrus-publication-item
- <!-- Citrus Publications Shortcode Output -->
- <!-- Citrus Admin Page -->
- <!-- Citrus Settings Form -->
- data-citrus-api-url
- data-citrus-org-id
- data-citrus-publication-url
- data-citrus-cache-duration
- window.citrusConfig
- var citrusApiUrl
- var citrusOrgId
- var citrusPublicationUrl
- var citrusCacheDuration
- /wp-json/citrus/v1/publications
- /wp-json/citrus/v1/sync
- /wp-json/citrus/v1/settings
- <div id="citrus-app"></div>