Comment Reply Email Security & Risk Analysis

wordpress.org/plugins/comment-reply-email

Commenters can receive email notifications of replies to their comments.

500 active installs · v1.6.0 · PHP + WP 4.0+ · Updated Jun 27, 2025

Tags: comment, email, notification, reply

Score: 99
A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Jul 5, 2024
Safety Verdict

Is Comment Reply Email Safe to Use in 2026?

Generally Safe

Score 99/100

Comment Reply Email has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Jul 5, 2024 · Updated 9mo ago
Risk Assessment

The "comment-reply-email" plugin v1.6.0 exhibits a mixed security posture. It demonstrates good practices: no unprotected entry points, no dangerous functions, and a high percentage of properly escaped output. There are, however, notable areas of concern. Static analysis revealed one flow with an unsanitized path and a high-severity taint, indicating a potential risk of data manipulation or code execution if that path is reached by user input.

The plugin's vulnerability history shows a past pattern of medium-severity Cross-Site Scripting (XSS) vulnerabilities. That no CVEs are currently unpatched is a positive sign, suggesting the developers are responsive to security issues. However, the past XSS vulnerabilities, together with the high-severity taint flow identified by static analysis, warrant caution. The plugin's strengths lie in its limited attack surface and generally good output sanitization; the identified taint flow and historical XSS issues are weaknesses that require attention.

Key Concerns

  • High severity taint flow found
  • Unsanitized path flow
  • Medium severity CVEs in history (2)
  • SQL queries not fully prepared (40% not prepared)
  • Limited capability checks
Vulnerabilities (2)

Comment Reply Email Security Vulnerabilities

CVEs by Year

2023: 1 CVE
2024: 1 CVE

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2024-35773 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Comment Reply Email <= 1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Jul 5, 2024 · Patched in 1.5 (6d)

CVE-2023-45008 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Comment Reply Email <= 1.0.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

Oct 3, 2023 · Patched in 1.0.4 (112d)
Code Analysis
Analyzed Mar 16, 2026

Comment Reply Email Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 3 (2 prepared)
Unescaped Output: 1 (11 escaped)
Nonce Checks: 2
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

40% prepared · 5 total queries

Output Escaping

92% escaped · 12 total outputs

Data Flows (1 unsanitized)

Data Flow Analysis

2 flows · 1 with unsanitized paths

<comment-reply-email> (comment-reply-email.php:0)

Flow diagram legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized
Attack Surface

Comment Reply Email Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 6

  • action · init · comment-reply-email.php:97
  • action · comment_post · comment-reply-email.php:98
  • action · wp_set_comment_status · comment-reply-email.php:99
  • action · comment_post · comment-reply-email.php:100
  • filter · comment_form_field_comment · comment-reply-email.php:102
  • action · admin_menu · comment-reply-email.php:103
Maintenance & Trust

Comment Reply Email Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Jun 27, 2025
PHP min version:
Downloads: 16K

Community Trust

Rating: 94/100
Number of ratings: 15
Active installs: 500
Developer Profile

Comment Reply Email Developer Profile

treeflips

6 plugins · 3K total installs

Trust score: 88
Avg Security Score: 100/100
Avg Patch Time: 59 days
Detection Fingerprints

How We Detect Comment Reply Email

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/comment-reply-email/css/style.css
Version Parameters
comment-reply-email/css/style.css?ver=

HTML / DOM Fingerprints

HTML Comments
<!-- Comment Reply Email Settings -->
<!-- Comment Reply Email Options -->
Data Attributes
data-comment-id
JS Globals
commentReplyEmail
Shortcode Output
[year]
FAQ

Frequently Asked Questions about Comment Reply Email