Does Content Mask have any unpatched vulnerabilities?

Yes — Content Mask currently has 1 unpatched vulnerability. We recommend switching to an alternative or applying any available workarounds.

Is Content Mask compatible with WordPress 6.8.5?

According to WordPress.org data, Content Mask 1.8.5.3 has been tested up to WordPress 6.8.5. Check the plugin's changelog for the latest compatibility information.

Is Content Mask compatible with PHP 5.4+?

Content Mask requires PHP 5.4 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Content Mask updated?

Content Mask was last updated on Oct 16, 2025. Frequent updates are generally a positive security signal.

What is Content Mask's security score?

Content Mask has a WP-Safety security score of 73/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Content Mask Security & Risk Analysis

wordpress.org/plugins/content-mask

Embed any external content on a Page, Post, or Custom Post Type without the need to use complicated domain forwarding or domain masks.

1K active installs v1.8.5.3 PHP 5.4+ WP 4.7+ Updated Oct 16, 2025

domain-maskembedlinkmaskredirect

B · Generally Safe

CVEs total3

Unpatched1

Last CVESep 22, 2025

Plugin page Download

Safety Verdict

Is Content Mask Safe to Use in 2026?

Mostly Safe

Score 73/100

Content Mask is generally safe to use. 3 past CVEs were resolved. Keep it updated.

3 known CVEs 1 unpatched Last CVE: Sep 22, 2025Updated 5mo ago

Risk Assessment

The "content-mask" plugin v1.8.5.3 exhibits a mixed security posture. On the positive side, it demonstrates good practices regarding SQL query handling, with 100% using prepared statements, and a high percentage (93%) of output being properly escaped. The static analysis also reveals no identified dangerous functions, file operations, or significant attack surface exposed without authentication. However, the presence of 5 external HTTP requests warrants further investigation, as these can be a vector for SSRF or other network-based attacks if not handled with extreme care. The taint analysis indicates 2 flows with unsanitized paths, which could potentially lead to vulnerabilities if these paths are reachable and not properly validated at runtime.

The vulnerability history for this plugin is a significant concern. With 3 known CVEs and 1 currently unpatched, particularly a high-severity one related to Authorization Bypass Through User-Controlled Key, Server-Side Request Forgery (SSRF), and Missing Authorization, the plugin has a demonstrated history of critical security flaws. The pattern of these past vulnerabilities suggests a recurring issue with input validation and authorization mechanisms. While the current version might have addressed some of these, the persistent history indicates a need for rigorous and ongoing security auditing.

In conclusion, while "content-mask" v1.8.5.3 shows some positive security developments in its static analysis, particularly in SQL handling and output escaping, the significant vulnerability history, including an unpatched high-severity issue and the taint analysis findings, present substantial risks. Users should exercise extreme caution and prioritize updating to a version that has demonstrably addressed all historical vulnerabilities.

Key Concerns

Unpatched High Severity Vulnerability
Taint flow with unsanitized path
Taint flow with unsanitized path
External HTTP requests
Medium severity vulnerability history (x2)

Vulnerabilities

Content Mask Security Vulnerabilities

CVEs by Year

1 CVE in 2022

2022

2 CVEs in 2025 · unpatched

2025

Patched Has unpatched

Severity Breakdown

High

Medium

3 total CVEs

CVE-2025-58012medium · 4.3Authorization Bypass Through User-Controlled Key

Content Mask <= 1.8.5.2 - Authenticated (Author+) Insecure Direct Object Reference

Sep 22, 2025Unpatched

CVE-2025-58011medium · 6.4Server-Side Request Forgery (SSRF)

Content Mask <= 1.8.5.2 - Authenticated (Contributor+) Server-Side Request Forgery

Sep 22, 2025 Patched in 1.8.5.3 (158d)

CVE-2022-1203high · 8.8Missing Authorization

Content Mask <= 1.8.4 - Authenticated (Subscriber+) Arbitrary Options Update

May 3, 2022 Patched in 1.8.4.1 (630d)

Code Analysis

Analyzed Mar 16, 2026

Content Mask Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

285 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

93% escaped308 total outputs

Data Flows

2 unsanitized

Data Flow Analysis

4 flows2 with unsanitized paths

get_page_iframe (content-mask.php:1745)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

Content Mask Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 17

actiontemplate_redirectcontent-mask.php:233

actionsave_postcontent-mask.php:236

actionadd_meta_boxescontent-mask.php:237

actionadmin_menucontent-mask.php:238

actionadmin_headcontent-mask.php:239

actionadmin_noticescontent-mask.php:240

actionadmin_enqueue_scriptscontent-mask.php:241

actionadmin_enqueue_scriptscontent-mask.php:242

actionmanage_posts_custom_columncontent-mask.php:243

actionmanage_pages_custom_columncontent-mask.php:244

filteradmin_body_classcontent-mask.php:249

filtermanage_posts_columnscontent-mask.php:250

filtermanage_pages_columnscontent-mask.php:251

actionwpcontent-mask.php:258

actionwp_headcontent-mask.php:1696

actionwp_footercontent-mask.php:1973

actionplugins_loadedcontent-mask.php:2319

Maintenance & Trust

Content Mask Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5

Last updatedOct 16, 2025

PHP min version5.4

Downloads45K

Community Trust

Rating100/100

Number of ratings9

Active installs1K

Alternatives

Content Mask Alternatives

Affiliate Links – Link Cloaking and Management

affiliate-links

Create any redirect links to any website from your WordPress Admin. Perfect for the affiliate links masking.

3K 3 CVEs

Cloak Affiliate Links for WooCommerce

woocommerce-cloak-affiliate-links

Cloak your WooCommerce external & affiliate links.

2K 2 CVEs

Go Redirects URL Forwarder

go-redirects

A URL forwarder for WordPress.

900 No CVEs

Link Hopper

link-hopper

Link Hopper lets you set up tidy link redirection to other websites.

100 1 unpatched

Custom Permalinks

custom-permalinks

A powerful WordPress plugin for full URL control. Set custom permalinks, auto-redirects, and use dynamic tags for ideal site structure and SEO.

100K 3 CVEs

Developer Profile

Content Mask Developer Profile

Alex

6 plugins · 1K total installs

trust score

Avg Security Score

91/100

Avg Patch Time

394 days

View full developer profile

Detection Fingerprints

How We Detect Content Mask

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/content-mask/admin/css/admin-styles.css/wp-content/plugins/content-mask/admin/js/admin-scripts.js/wp-content/plugins/content-mask/public/css/content-mask-public.css

Script Paths

/wp-content/plugins/content-mask/admin/js/admin-scripts.js

Version Parameters

content-mask/admin/css/admin-styles.css?ver=content-mask/admin/js/admin-scripts.js?ver=content-mask/public/css/content-mask-public.css?ver=

HTML / DOM Fingerprints

CSS Classes

content-mask-admin-wrapcontent-mask-form-fieldcontent-mask-enabled-indicatorcontent-mask-disabled-indicator

HTML Comments

Data Attributes

data-content-mask-iddata-content-mask-urldata-content-mask-enable

JS Globals

contentMaskAdmincontentMaskAjax

REST Endpoints

/wp-json/content-mask/v1/masks

FAQ