Comment Expirator Security & Risk Analysis

wordpress.org/plugins/comment-expirator

Comment Expirator lets you close comments, pingbacks and trackbacks on your posts, pages and custom post types on an individual basis.

10 active installs · v1.1.1 · PHP + WP 3.9+ · Updated Jan 12, 2015
Tags: comments, deactivate, expire, posts, schedule
85
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Comment Expirator Safe to Use in 2026?

Generally Safe

Score 85/100

Comment Expirator has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 11yr ago
Risk Assessment

The "comment-expirator" plugin version 1.1.1 exhibits a generally good security posture based on the provided static analysis and vulnerability history. The absence of any known CVEs, critical taint flows, dangerous functions, or raw SQL queries is a strong indicator of secure coding practices. Furthermore, the plugin demonstrates an awareness of security by including capability checks and utilizing prepared statements for its SQL operations.

However, a significant concern arises from the output escaping. With 19 total outputs and only 58% properly escaped, there is a substantial risk of Cross-Site Scripting (XSS) vulnerabilities. This means that user-supplied data, if not handled correctly, could be rendered directly into the output, potentially allowing malicious scripts to be executed in the browser of other users. The lack of nonce checks is also a minor concern, especially if any of the entry points, though none are currently identified, were to become unprotected in the future.

Overall, while the plugin has a clean vulnerability history and good foundational security practices, the unescaped output represents a clear and present danger. Addressing the output escaping should be the highest priority to mitigate potential XSS risks. The limited attack surface and positive vulnerability history suggest a low overall risk if the output escaping issue is resolved.

Key Concerns

  • Insufficient output escaping
Vulnerabilities
None known

Comment Expirator Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

Comment Expirator Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 8 (11 escaped)
Nonce Checks: 0
Capability Checks: 1
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

58% escaped · 19 total outputs
Attack Surface

Comment Expirator Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 7
action · plugins_loaded · classes\comment.php:35
action · add_meta_boxes · classes\comment.php:36
action · admin_enqueue_scripts · classes\comment.php:37
action · save_post · classes\comment.php:38
action · comment_expirator · classes\comment.php:39
action · admin_menu · classes\settings.php:29
action · admin_init · classes\settings.php:30

Scheduled Events: 1

comment_expirator
Maintenance & Trust

Comment Expirator Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.1.42
Last updated: Jan 12, 2015
PHP min version
Downloads: 2K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 10
Developer Profile

Comment Expirator Developer Profile

farne

2 plugins · 40 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Comment Expirator

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/comment-expirator/css/comment-expirator.css
/wp-content/plugins/comment-expirator/js/comment-expirator.js
Script Paths
/wp-content/plugins/comment-expirator/js/comment-expirator.js
Version Parameters
comment-expirator/css/comment-expirator.css?ver=
comment-expirator/js/comment-expirator.js?ver=

HTML / DOM Fingerprints

Data Attributes
data-expirator-date
data-expirator-time
data-expirator-use
data-expirator-pt