
Custom Comment Security & Risk Analysis
wordpress.org/plugins/customcomment
This plugin lets you define more fields for comments to let your visitors include their Facebook, Twitter and ... in their comments.
Is Custom Comment Safe to Use in 2026?
High Risk
Score 42/100
Custom Comment carries significant security risk with 2 known CVEs, 2 still unpatched. Consider switching to a maintained alternative.
The "customcomment" plugin v2.1.6 exhibits a mixed security posture. On the positive side, it demonstrates good practices by utilizing prepared statements for all SQL queries and implementing nonce and capability checks on its single AJAX handler. This suggests an awareness of common security pitfalls related to database interactions and access control.
However, significant concerns arise from the static analysis. The most critical finding is that 0% of output escaping is properly implemented, meaning any data displayed back to users could be vulnerable to Cross-Site Scripting (XSS) attacks. The taint analysis also revealed one flow with an unsanitized path, which could potentially be exploited if an attacker can control the input leading to that path. The vulnerability history further compounds these concerns, with two unpatched medium severity CVEs, both related to Cross-Site Scripting. This pattern indicates a recurring issue with input sanitization and output escaping within the plugin.
In conclusion, while the plugin has some strengths in areas like database security and access control, the critical lack of output escaping and the persistent XSS vulnerabilities in its history present a substantial risk. Attackers could leverage these weaknesses to inject malicious scripts, potentially leading to session hijacking, defacement, or other malicious activities. Immediate attention is required to address the output escaping deficiencies and the unpatched vulnerabilities.
Key Concerns
- Unpatched CVEs (2 medium)
- Output escaping: 0% properly escaped
- Taint flow with unsanitized paths
Custom Comment Security Vulnerabilities
CVEs by year / severity breakdown: 2 total CVEs (both medium severity, both unpatched)
Custom Comment <= 2.1.6 - Authenticated (Administrator+) Stored Cross-Site Scripting
Custom Comment Code Analysis
Custom Comment Attack Surface
- AJAX handlers: 1
- WordPress hooks: 7
Custom Comment Maintenance & Trust
Custom Comment Alternatives
- Comment Form WP – Customize Default Comment Form (comment-form-wp): Comment Form WP is a WordPress plugin for customizing or modifying the default comment form. You can add, change or remove your website's comment form fields and texts.
- Comments – wpDiscuz (wpdiscuz): AJAX-powered realtime comments. Designed to extend WordPress native comments. Custom comment forms/fields. Making comments has never been so awesome!
- Comments Extra Fields For Post, Pages and CPT (wp-comment-fields): This plugin allows admins to add extra fields in the comment area. These fields are saved as comment meta and are displayed under the comment text.
- CW Comment Elementor Addon (cw-comment-elementor-addon): Comment Elementor Addon is a plugin designed to provide simple custom comment widgets for Elementor.
- Custom Comment Links (custom-comment-links): Customize comment links on your site. Control the comment author's URL, remove links from comments. Disable these options for privileged users.
Custom Comment Developer Profile
2 plugins · 60 total installs
How We Detect Custom Comment
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
- /wp-content/plugins/customcomment/js/CComment.js
HTML / DOM Fingerprints
- required
- name="CuCo_"
- id="CuCo_"
- CComment_ajax_var