
TinyMCE Recover Security & Risk Analysis
wordpress.org/plugins/da-tinymce-restore
Restores two buttons removed in TinyMCE with WordPress 4.7: Underline and Justify.
Is TinyMCE Recover Safe to Use in 2026?
Generally Safe
Score 85/100
TinyMCE Recover has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.
The da-tinymce-restore plugin version 1.2 presents a generally strong security posture based on the provided static analysis. The absence of any identified attack surface (AJAX handlers, REST API routes, shortcodes, cron events) is a significant positive, as it drastically reduces the potential entry points for attackers. Furthermore, the code analysis reveals commendable security practices, including the complete use of prepared statements for SQL queries, proper output escaping for all outputs, and a lack of dangerous functions, file operations, external HTTP requests, and unhandled nonce or capability checks. The taint analysis also shows no concerning flows with unsanitized paths.
The vulnerability history for this plugin is also completely clean, with no recorded CVEs of any severity. This lack of past vulnerabilities, coupled with the robust static analysis findings, suggests a well-developed and securely coded plugin. However, it's important to note that the analysis indicates 0 nonce checks and 0 capability checks. While this might be acceptable if there are truly no entry points, it represents a potential weakness if the plugin were to evolve and gain entry points without implementing these fundamental security measures. Bundled libraries can also be a concern; in this case, TinyMCE v1.2 is bundled, and while no specific vulnerability is mentioned for this version, keeping bundled libraries up-to-date is a general security best practice.
In conclusion, the da-tinymce-restore v1.2 plugin demonstrates a high level of security due to its minimal attack surface and adherence to secure coding practices like prepared statements and output escaping. The absence of past vulnerabilities further reinforces this positive assessment. The primary area for vigilance is the lack of explicit nonce and capability checks, which, while not an immediate issue given the current analysis, represents a potential blind spot for future development. The bundled TinyMCE library also warrants a minor consideration for potential future updates.
Key Concerns
- Bundled library TinyMCE v1.2 potentially outdated
- 0 Nonce checks present
- 0 Capability checks present
TinyMCE Recover Security Vulnerabilities
TinyMCE Recover Code Analysis
Bundled Libraries
TinyMCE Recover Attack Surface
WordPress Hooks 1
TinyMCE Recover Maintenance & Trust
Maintenance Signals
Community Trust
TinyMCE Recover Alternatives
Who Stole the Text Justify Button ?!
who-stole-the-text-justify-button
OMG! WordPress 4.7 stole my text justify button! Please bring it back :)
Re-add text underline and justify
re-add-underline-justify
This tiny plugin re-adds the Editor text underline & text justify buttons in the WYSIWYG removed in WordPress 4.7.0
Black Studio TinyMCE Widget
black-studio-tinymce-widget
The visual editor widget for WordPress.
AddQuicktag
addquicktag
This plugin makes it easy to add Quicktags to the HTML and visual editor.
Post and Page Builder by BoldGrid – Visual Drag and Drop Editor
post-and-page-builder
Post and Page Builder is a standalone plugin which adds functionality to the existing TinyMCE Editor.
TinyMCE Recover Developer Profile
3 plugins · 1K total installs
How We Detect TinyMCE Recover
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.