CM FAQ – Simplify support with an intuitive FAQ management tool Security & Risk Analysis

wordpress.org/plugins/cm-faq

Create and manage a user-friendly FAQ section on your site with this FAQ plugin. Answer common questions and improve user experience.

10 active installs · v1.3.2 · PHP 5.2.4+ · WP 5.4.0+ · Updated Jan 29, 2026
Tags: accordion, accordions, faq, faq-widget, faqs
Score: 99 (A · Safe)
CVEs total: 1
Unpatched: 0
Last CVE: Mar 13, 2025
Safety Verdict

Is CM FAQ – Simplify support with an intuitive FAQ management tool Safe to Use in 2026?

Generally Safe

Score 99/100

CM FAQ – Simplify support with an intuitive FAQ management tool has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

1 known CVE · Last CVE: Mar 13, 2025 · Updated 3mo ago
Risk Assessment

The "cm-faq" plugin version 1.3.2 exhibits a mixed security posture. On the positive side, it demonstrates good practices in its handling of SQL queries, with all queries using prepared statements, and it includes a decent number of nonce checks and capability checks. However, several concerns detract from its overall security. Three AJAX handlers lack authentication checks, a significant attack surface that could let unauthorized users trigger plugin functionality. The taint analysis also revealed one flow with an unsanitized path; although it is not classified as critical or high severity in this analysis, it could become a vulnerability if the data is not handled properly in context.

The vulnerability history shows a single medium-severity CVE related to Cross-Site Scripting (XSS), disclosed in March 2025. While this vulnerability is currently patched, the pattern suggests that XSS remains a potential concern for this plugin. The static analysis also indicates a concerningly low rate of proper output escaping (49%), which correlates directly with XSS risk: a substantial portion of user-generated or dynamic content may be rendered without adequate escaping, leaving the application open to malicious script injection.

In conclusion, while the plugin has some strong security fundamentals like prepared SQL statements, the unprotected AJAX endpoints, the identified unsanitized path flow, and the high proportion of improperly escaped output create notable risks. The past XSS vulnerability further underscores the need for vigilance in output sanitization. Users should be aware of these potential weaknesses and ensure the plugin is kept up-to-date.

Key Concerns

  • AJAX handlers without auth checks
  • Low output escaping percentage
  • Taint flow with unsanitized path
  • Medium severity CVE history
Vulnerabilities
1 published

CM FAQ – Simplify support with an intuitive FAQ management tool Security Vulnerabilities

CVEs by Year

2025: 1 CVE (patched)

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2025-2166 · Medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CM FAQ – Simplify support with an intuitive FAQ management tool <= 1.2.5 - Reflected Cross-Site Scripting

Mar 13, 2025 · Patched in 1.2.6 (1d)
Version History

CM FAQ – Simplify support with an intuitive FAQ management tool Release Timeline

v1.3.0
v1.2.10
v1.2.9
v1.2.8
v1.2.7
v1.2.6
v1.2.5 (1 CVE)
v1.2.4 (1 CVE)
Code Analysis
Analyzed Mar 17, 2026

CM FAQ – Simplify support with an intuitive FAQ management tool Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (1 prepared)
Unescaped Output: 191 (184 escaped)
Nonce Checks: 7
Capability Checks: 1
File Operations: 0
External Requests: 5
Bundled Libraries: 1

Bundled Libraries

Select2

SQL Query Safety

100% prepared (1 total query)

Output Escaping

49% escaped (375 total outputs)
Data Flows · Security
1 unsanitized

Data Flow Analysis

3 flows, 1 with unsanitized paths
cminds_system_info_content (package\cminds-free.php:2723)
Attack Surface
3 unprotected

CM FAQ – Simplify support with an intuitive FAQ management tool Attack Surface

Entry Points: 10
Unprotected: 3

AJAX Handlers 5

Type · Hook · Location
auth · wp_ajax_cmfaq_save_wizard_options · classes\Wizard.php:204
auth · wp_ajax_cm-submit-uninstall-reason · package\cminds-free.php:147
auth · wp_ajax_cm-submit-registration-email · package\cminds-free.php:148
auth · wp_ajax_cm-submit-deregistration · package\cminds-free.php:149
auth · wp_ajax_cm-submit-registration-skip · package\cminds-free.php:150

Shortcodes 5

[cm_faq] classes\Base.php:267
[cminds_free_registration] package\cminds-free.php:54
[cminds_free_guide] package\cminds-free.php:55
[cminds_upgrade_box] package\cminds-free.php:56
[cminds_free_activation] package\cminds-free.php:57
WordPress Hooks 51

Type · Hook · Location
action · admin_menu · classes\Admin.php:9
filter · parent_file · classes\Admin.php:11
action · save_post · classes\Admin.php:16
action · save_post · classes\Admin.php:17
action · before_delete_post · classes\Admin.php:19
action · admin_enqueue_scripts · classes\Admin.php:21
action · add_meta_boxes · classes\Admin.php:23
action · cmfaq_category_add_form_fields · classes\Admin.php:25
action · cmfaq_category_edit_form · classes\Admin.php:26
action · create_cmfaq_category · classes\Admin.php:28
action · edited_cmfaq_category · classes\Admin.php:29
action · delete_cmfaq_category · classes\Admin.php:30
action · admin_notices · classes\Admin.php:32
action · admin_print_styles · classes\Admin.php:33
filter · posts_where · classes\Base.php:14
filter · posts_where · classes\Base.php:15
filter · the_content · classes\Base.php:16
filter · the_title · classes\Base.php:17
action · init · classes\Base.php:19
action · init · classes\Base.php:20
action · parse_query · classes\Base.php:21
action · template_redirect · classes\Base.php:24
filter · template_include · classes\Base.php:25
action · wp_head · classes\Base.php:26
filter · manage_edit-cmfaq_category_columns · classes\Base.php:28
action · manage_cmfaq_category_custom_column · classes\Base.php:29
action · admin_menu · classes\Wizard.php:203
action · admin_enqueue_scripts · classes\Wizard.php:205
action · wp_loaded · cm-faq.php:76
action · admin_head · cm-faq.php:82
action · activated_plugin · package\cminds-free.php:31
action · admin_init · package\cminds-free.php:33
action · admin_menu · package\cminds-free.php:34
action · admin_enqueue_scripts · package\cminds-free.php:35
action · admin_enqueue_scripts · package\cminds-free.php:36
action · cminds_download_sysinfo · package\cminds-free.php:48
action · init · package\cminds-free.php:50
action · init · package\cminds-free.php:51
filter · plugin_row_meta · package\cminds-free.php:59
action · wp_dashboard_setup · package\cminds-free.php:62
action · admin_footer · package\cminds-free.php:157
filter · wp_mail_content_type · package\cminds-free.php:311
filter · wp_mail_content_type · package\cminds-free.php:2073
filter · wp_mail_content_type · package\cminds-free.php:2164
action · admin_enqueue_scripts · settings\CMFAQ_Settings.php:14
action · admin_menu · settings\CMFAQ_Settings.php:16
filter · cm_settings_get · settings\CMFAQ_Settings.php:19
action · admin_init · settings\CMFAQ_Settings.php:22
filter · cmfaq-custom-settings-tab-content-0 · settings\CMFAQ_Settings.php:24
filter · cmfaq-custom-settings-tab-content-7 · settings\CMFAQ_Settings.php:25
filter · cmfaq-custom-settings-tab-content-8 · settings\CMFAQ_Settings.php:26
Maintenance & Trust

CM FAQ – Simplify support with an intuitive FAQ management tool Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 29, 2026
PHP min version: 5.2.4
Downloads: 7K

Community Trust

Rating: 100/100
Number of ratings: 2
Active installs: 10
Developer Profile

CM FAQ – Simplify support with an intuitive FAQ management tool Developer Profile

CreativeMindsSolutions

19 plugins · 22K total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 535 days
Detection Fingerprints

How We Detect CM FAQ – Simplify support with an intuitive FAQ management tool

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/cm-faq/assets/backend/css/backend.css
/wp-content/plugins/cm-faq/assets/backend/js/backend.js
/wp-content/plugins/cm-faq/assets/frontend/css/frontend.css
/wp-content/plugins/cm-faq/assets/frontend/js/frontend.js

Script Paths
/wp-content/plugins/cm-faq/assets/backend/js/backend.js
/wp-content/plugins/cm-faq/assets/frontend/js/frontend.js

Version Parameters
cm-faq/assets/backend/css/backend.css?ver=
cm-faq/assets/backend/js/backend.js?ver=
cm-faq/assets/frontend/css/frontend.css?ver=
cm-faq/assets/frontend/js/frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
cmfaq-question-wrapper, cmfaq-title-wrapper, cmfaq-question-title, cmfaq-answer-wrapper, cmfaq-toggle-icon, cmfaq-question-list, cmfaq-category-list, cmfaq-faq-search, +6 more

HTML Comments
<!-- Main FAQ category -->, <!-- Voting -->, <!-- Chat GPT -->, <!-- FAQ Tags -->, +3 more

Data Attributes
data-cmfaq-id, data-cmfaq-category, data-cmfaq-search-url, data-cmfaq-voting-url

JS Globals
CMFAQFrontend

REST Endpoints
/wp-json/cmfaq/v1/vote

Shortcode Output
[cm_faq]
FAQ

Frequently Asked Questions about CM FAQ – Simplify support with an intuitive FAQ management tool