Comments Users Mentions Security & Risk Analysis

wordpress.org/plugins/comments-users-mentions

Allows mentioning WordPress users in a comment. The mentioned users will receive a notification email.

10 active installs · v0.2 · PHP + · WP 3.1+ · Updated Feb 21, 2014
Tags: comments, email, mentions
85
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Comments Users Mentions Safe to Use in 2026?

Generally Safe

Score 85/100

Comments Users Mentions has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 12yr ago
Risk Assessment

The "comments-users-mentions" plugin version 0.2 exhibits a generally strong security posture based on the provided static analysis. It demonstrates excellent practices by exclusively using prepared statements for its single SQL query and ensuring all outputs are properly escaped. Furthermore, there are no identified file operations, external HTTP requests, or bundled libraries, which significantly reduces potential attack vectors.

However, a critical concern arises from the use of the PHP `create_function()` function. This function is deprecated and can be a source of vulnerabilities if not handled with extreme care, as it allows for dynamic code execution. The single call found (comments-users-mentions.php:77) passes only string literals, and no taint flows or dangerous code interactions were identified in the analysis. Even so, the presence of `create_function()` represents an inherent risk that could be exploited if it is ever used with user-supplied input without proper sanitization.

The plugin also has no recorded vulnerability history, which is a positive indicator. Coupled with the lack of identified entry points with missing authentication or permission checks, this suggests that any existing code, including the `create_function()` usage, may not be directly exposed to external manipulation. Despite this, the presence of `create_function()` alone warrants a deduction due to its inherent security implications.

Key Concerns

  • Use of deprecated and dangerous create_function()
Vulnerabilities
None known

Comments Users Mentions Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

Comments Users Mentions Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (1 prepared)
Unescaped Output: 0 (0 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

create_function (comments-users-mentions.php:77)
    add_filter( 'wp_mail_content_type', create_function( '', 'return "text/html"; ' ) );

SQL Query Safety

100% prepared · 1 total queries
Attack Surface

Comments Users Mentions Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 3
  • action · init · comments-users-mentions.php:27
  • filter · wp_mail_content_type · comments-users-mentions.php:77
  • action · comment_post · comments-users-mentions.php:87
Maintenance & Trust

Comments Users Mentions Maintenance & Trust

Maintenance Signals

WordPress version tested: 3.7.41
Last updated: Feb 21, 2014
PHP min version
Downloads: 2K

Community Trust

Rating: 100/100
Number of ratings: 3
Active installs: 10
Developer Profile

Comments Users Mentions Developer Profile

baxeico

1 plugin · 10 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Comments Users Mentions

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
