Core Settings Security & Risk Analysis

wordpress.org/plugins/core-settings

Fights against unnecessary WP core settings, removes needless metas and links from header html section.

10 active installs · v1.01 · PHP + · WP 2.5+ · Updated May 10, 2020
Tags: needless-links, remove-emoji, remove-metas, remove-rest-api, settings
85
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Core Settings Safe to Use in 2026?

Generally Safe

Score 85/100

Core Settings has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 6yr ago
Risk Assessment

The "core-settings" v1.01 plugin exhibits a mixed security posture. On one hand, it demonstrates excellent practices by having no known vulnerabilities (CVEs) and a clean vulnerability history, suggesting diligent maintenance and a lack of past exploitable issues. Furthermore, the absence of AJAX handlers, REST API routes, shortcodes, cron events, and file operations significantly limits the plugin's attack surface. The plugin also utilizes prepared statements for all SQL queries, which is a crucial security measure against SQL injection.

However, a significant concern arises from the static analysis revealing that 100% of the 16 output operations are not properly escaped. This presents a high risk of cross-site scripting (XSS) vulnerabilities, where malicious code could be injected into the application through user-supplied data that is later displayed on the frontend. Additionally, the taint analysis indicates two flows with unsanitized paths, which, while not classified as critical or high severity in this instance, still represent potential pathways for unexpected or malicious data handling. The lack of nonce and capability checks, while not directly exploitable given the zero entry points, means that if any entry points were introduced in future versions, they would lack fundamental security protections.

Key Concerns

  • Unescaped output across all outputs
  • Taint flows with unsanitized paths
  • No nonce checks
  • No capability checks
Vulnerabilities
None known

Core Settings Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Core Settings Release Timeline

No version history available.
Code Analysis
Analyzed Mar 17, 2026

Core Settings Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 16 (0 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

0% escaped · 16 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

2 flows · 2 with unsanitized paths
_options_page (core-settings.php:30)
Legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized
Attack Surface

Core Settings Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 5
  • action admin_menu (core-settings.php:20)
  • action init (core-settings.php:21)
  • filter xmlrpc_enabled (core-settings.php:201)
  • filter tiny_mce_plugins (core-settings.php:212)
  • filter rest_enabled (core-settings.php:217)
Maintenance & Trust

Core Settings Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.4.19
Last updated: May 10, 2020
PHP min version
Downloads: 1K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 10
Developer Profile

Core Settings Developer Profile

Ashraful Sarkar Naiem

46 plugins · 20K total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 111 days
Detection Fingerprints

How We Detect Core Settings

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

HTML / DOM Fingerprints

CSS Classes
wrap, options
Data Attributes
name="action" value="save_cache_settings"
FAQ

Frequently Asked Questions about Core Settings