Daily Tarot Security & Risk Analysis

wordpress.org/plugins/daily-tarot

Daily Tarot helps you publish, schedule, and share tarot readings on WordPress - perfect for creating a consistent Card of the Day experience.

0 active installs · v1.1.13 · PHP 8.1+ · WP 6.0+ · Updated Feb 21, 2026
Tags: card-of-the-day, daily-tarot, tarot, tarot-reading, tarot-spreads
100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Daily Tarot Safe to Use in 2026?

Generally Safe

Score 100/100

Daily Tarot has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 2mo ago
Risk Assessment

The "daily-tarot" plugin version 1.1.13 exhibits a mixed security posture. While it shows strengths in using prepared statements for the vast majority of SQL queries and proper output escaping, significant concerns arise from its attack surface. A substantial number of AJAX handlers (23 out of 27) and REST API routes (2 out of 2) lack authentication checks, creating a broad entry point for potential unauthorized actions.

The taint analysis reveals 4 flows with unsanitized paths, although thankfully none are flagged as critical or high severity in this analysis. This indicates a potential for vulnerabilities related to file operations or external requests if these paths are exposed to user input without proper sanitization. The absence of any recorded vulnerability history is a positive sign, suggesting a proactive approach to security or a lack of past exploitable issues. However, the large number of unprotected entry points still poses a latent risk.

In conclusion, the plugin demonstrates good practices in core coding areas like SQL and output handling. Nevertheless, the significant exposure of its AJAX and REST API endpoints without proper authorization is a critical weakness that could be exploited. The presence of unsanitized paths in the taint analysis, even at lower severities, warrants attention. This plugin's security can be significantly improved by implementing robust authorization checks on all its entry points.

Key Concerns

  • Unprotected AJAX handlers
  • Unprotected REST API routes
  • Flows with unsanitized paths (4 total)
  • Bundled Freemius v1.0 library
Vulnerabilities
None known

Daily Tarot Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Daily Tarot Release Timeline

v1.1.13 (Current)
v1.1.12
v1.1.11
v1.1.10
v1.1.9
v1.1.8
v1.1.7
Code Analysis
Analyzed Mar 17, 2026

Daily Tarot Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 4 (24 prepared)
Unescaped Output: 125 (1643 escaped)
Nonce Checks: 33
Capability Checks: 50
File Operations: 8
External Requests: 5
Bundled Libraries: 1

Bundled Libraries

Freemius 1.0

SQL Query Safety

86% prepared · 28 total queries

Output Escaping

93% escaped · 1768 total outputs
Data Flows · Security
4 unsanitized

Data Flow Analysis

15 flows · 4 with unsanitized paths
render (includes\Admin\MeaningPackMeta.php:388)
Attack Surface
25 unprotected

Daily Tarot Attack Surface

Entry Points: 42
Unprotected: 25

AJAX Handlers 27

auth  wp_ajax_dtarot_save_card_image  includes\Admin\Ajax.php:28
auth  wp_ajax_dtarot_get_card_image  includes\Admin\Ajax.php:29
auth  wp_ajax_dtarot_optimize_attachment  includes\Admin\Ajax.php:30
auth  wp_ajax_dtarot_get_content_panel  includes\Admin\Ajax.php:31
auth  wp_ajax_dtarot_get_settings_panel  includes\Admin\Ajax.php:32
auth  wp_ajax_dtarot_get_day  includes\Admin\Ajax.php:33
auth  wp_ajax_dtarot_save_day  includes\Admin\Ajax.php:34
auth  wp_ajax_dtarot_reuse_old_text  includes\Admin\Ajax.php:35
auth  wp_ajax_dtarot_save_ui_setting  includes\Admin\Ajax.php:36
auth  wp_ajax_dtarot_ai_generate  includes\Admin\Ajax.php:37
auth  wp_ajax_dtarot_ai_save  includes\Admin\Ajax.php:38
auth  wp_ajax_dtarot_ai_add_credits  includes\Admin\Ajax.php:39
auth  wp_ajax_dtarot_ai_provider_test  includes\Admin\Ajax.php:40
auth  wp_ajax_dtarot_spread_preview  includes\Admin\Ajax.php:41
auth  wp_ajax_dtarot_onboard_dismiss  includes\Admin\Ajax.php:42
auth  wp_ajax_dtarot_onboard_done  includes\Admin\Ajax.php:43
auth  wp_ajax_dtarot_uninstall_feedback  includes\Admin\Ajax.php:45
auth  wp_ajax_dtarot_related_link_get  includes\Admin\Ajax.php:47
auth  wp_ajax_dtarot_related_link_suggest  includes\Admin\Ajax.php:48
auth  wp_ajax_dtarot_related_link_suggest_from_text  includes\Admin\Ajax.php:49
auth  wp_ajax_dtarot_related_link_search  includes\Admin\Ajax.php:50
auth  wp_ajax_dtarot_related_link_set  includes\Admin\Ajax.php:51
auth  wp_ajax_dtarot_related_link_clear  includes\Admin\Ajax.php:52
auth  wp_ajax_dtarot_booking_slots  includes\Frontend\Booking.php:21
nopriv  wp_ajax_dtarot_booking_slots  includes\Frontend\Booking.php:22
auth  wp_ajax_dtarot_share_track  includes\Frontend\ShareTracking.php:15
nopriv  wp_ajax_dtarot_share_track  includes\Frontend\ShareTracking.php:16

REST API Routes 2

GET  /wp-json/dtarot/v1/readings/(?P<date>\d{4}-\d{2}-\d{2})  includes\Rest\ReadingsController.php:40
GET  /wp-json/dtarot/v1/readings/latest  includes\Rest\ReadingsController.php:51

Shortcodes 13

[daily_tarot] includes\Frontend\Shortcodes.php:479
[dtarot_decks] includes\Frontend\Shortcodes.php:480
[dtarot_deck] includes\Frontend\Shortcodes.php:481
[dtarot_majors] includes\Frontend\Shortcodes.php:482
[dtarot_minors] includes\Frontend\Shortcodes.php:483
[dtarot_email_cta] includes\Frontend\Shortcodes.php:484
[dtarot_card] includes\Frontend\Shortcodes.php:485
[dtarot_spread] includes\Frontend\Shortcodes.php:486
[dtarot_month] includes\Frontend\Shortcodes.php:487
[dtarot_booking] includes\Frontend\Shortcodes.php:488
[dtarot_booking_button] includes\Frontend\Shortcodes.php:489
[dtarot_booking_teaser] includes\Frontend\Shortcodes.php:490
[daily_tarot] includes\Plugin.php:191
WordPress Hooks 117
action  plugins_loaded  daily-tarot.php:57
action  admin_post_dtarot_export  includes\Admin\Backup.php:114
action  admin_post_dtarot_import  includes\Admin\Backup.php:115
action  admin_post_dtarot_export_deck_zip  includes\Admin\Backup.php:118
action  admin_post_dtarot_export_pack_zip  includes\Admin\Backup.php:119
action  admin_post_dtarot_import_deck_zip  includes\Admin\Backup.php:122
action  admin_post_dtarot_import_pack_zip  includes\Admin\Backup.php:123
action  admin_post_dtarot_import_deck_zip_url  includes\Admin\Backup.php:126
action  admin_post_dtarot_import_pack_zip_url  includes\Admin\Backup.php:127
action  admin_post_dtarot_installed_pack_update_url  includes\Admin\Backup.php:130
action  admin_post_dtarot_installed_pack_reinstall_url  includes\Admin\Backup.php:131
filter  post_row_actions  includes\Admin\BookingActions.php:17
action  admin_post_dtarot_booking_action  includes\Admin\BookingActions.php:18
action  admin_post_dtarot_booking_resend  includes\Admin\BookingActions.php:19
action  admin_post_dtarot_booking_erase  includes\Admin\BookingActions.php:20
action  edit_form_after_title  includes\Admin\MeaningPackMeta.php:35
filter  redirect_post_location  includes\Admin\MeaningPackMeta.php:38
action  admin_menu  includes\Admin\Menu.php:19
action  admin_enqueue_scripts  includes\Admin\Menu.php:20
filter  parent_file  includes\Admin\Menu.php:21
filter  submenu_file  includes\Admin\Menu.php:22
filter  plugin_row_meta  includes\Admin\PluginsPage.php:15
action  admin_enqueue_scripts  includes\Admin\PluginsPage.php:23
action  admin_post_dtarot_starter_decks_dismiss  includes\Admin\StarterDecksPrompt.php:14
action  init  includes\Blocks\Blocks.php:19
filter  block_categories_all  includes\Blocks\Blocks.php:20
action  init  includes\CPT\Booking.php:14
action  init  includes\CPT\Deck.php:15
action  init  includes\CPT\MeaningPack.php:20
action  init  includes\CPT\ReadingType.php:14
action  admin_post_dtarot_booking_submit  includes\Frontend\Booking.php:23
action  admin_post_nopriv_dtarot_booking_submit  includes\Frontend\Booking.php:24
action  init  includes\Frontend\ReadableRoutes.php:167
filter  query_vars  includes\Frontend\ReadableRoutes.php:168
filter  redirect_canonical  includes\Frontend\ReadableRoutes.php:169
filter  pre_get_document_title  includes\Frontend\ReadableRoutes.php:170
action  template_redirect  includes\Frontend\ReadableRoutes.php:171
action  template_redirect  includes\Frontend\ReadableRoutes.php:172
action  template_redirect  includes\Frontend\ReadableRoutes.php:173
action  wp_head  includes\Frontend\ReadableRoutes.php:174
action  init  includes\Plugin.php:142
action  init  includes\Plugin.php:145
action  updated_option  includes\Plugin.php:156
filter  robots_txt  includes\Plugin.php:159
action  pre_ping  includes\Plugin.php:162
action  admin_init  includes\Plugin.php:300
action  admin_notices  includes\Plugin.php:301
action  admin_post_dtarot_review_prompt  includes\Plugin.php:305
action  admin_post_dtarot_automation_save  includes\Plugin.php:328
action  admin_post_dtarot_automation_run_now  includes\Plugin.php:329
action  admin_post_dtarot_automation_reschedule  includes\Plugin.php:330
action  admin_post_dtarot_automation_email_preview  includes\Plugin.php:331
action  admin_post_dtarot_automation_test_email  includes\Plugin.php:332
action  admin_post_dtarot_automation_publish_for_date  includes\Plugin.php:333
action  admin_post_dtarot_ai_prefill_save  includes\Plugin.php:338
action  admin_post_dtarot_calendar_migrate_table  includes\Plugin.php:342
action  admin_post_dtarot_diagnostics_fetch_public  includes\Plugin.php:343
action  admin_post_dtarot_log_export  includes\Plugin.php:344
action  admin_post_dtarot_log_clear  includes\Plugin.php:345
action  admin_post_dtarot_calendar_publish_times_save  includes\Plugin.php:349
action  admin_post_dtarot_ui_save  includes\Plugin.php:353
action  admin_post_dtarot_ai_provider_save  includes\Plugin.php:357
action  admin_post_dtarot_email_cta_save  includes\Plugin.php:361
action  admin_post_dtarot_shortcode_save  includes\Plugin.php:364
action  admin_post_dtarot_share_image_save  includes\Plugin.php:365
action  admin_post_dtarot_related_links_save  includes\Plugin.php:369
action  admin_post_dtarot_booking_settings_save  includes\Plugin.php:373
action  admin_post_dtarot_spreads_scan  includes\Plugin.php:376
action  admin_post_dtarot_spread_mapping_save  includes\Plugin.php:377
action  admin_post_dtarot_spread_options_save  includes\Plugin.php:378
action  admin_post_dtarot_spread_pack_import  includes\Plugin.php:379
action  admin_post_dtarot_spread_pack_save  includes\Plugin.php:380
action  admin_post_dtarot_spread_pack_create  includes\Plugin.php:381
action  admin_post_dtarot_analytics_export  includes\Plugin.php:385
action  admin_post_dtarot_set_default_deck  includes\Plugin.php:389
action  admin_post_dtarot_set_default_pack  includes\Plugin.php:392
action  admin_post_dtarot_license_sync  includes\Plugin.php:395
action  admin_post_dtarot_feedback_submit  includes\Plugin.php:396
action  admin_post_dtarot_flush_rewrites  includes\Plugin.php:399
filter  wpseo_sitemap_index  includes\Plugin.php:404
filter  rank_math/sitemap/index  includes\Plugin.php:405
action  admin_post_dtarot_email_cta_submit  includes\Plugin.php:408
action  admin_post_nopriv_dtarot_email_cta_submit  includes\Plugin.php:409
action  admin_post_dtarot_email_cta_export  includes\Plugin.php:412
action  enqueue_block_editor_assets  includes\Plugin.php:420
action  rest_api_init  includes\Rest\ReadingsController.php:36
filter  rank_math/frontend/title  includes\Seo\RankMath.php:20
filter  rank_math/frontend/description  includes\Seo\RankMath.php:21
filter  rank_math/frontend/canonical  includes\Seo\RankMath.php:22
filter  rank_math/opengraph/facebook/title  includes\Seo\RankMath.php:25
filter  rank_math/opengraph/facebook/description  includes\Seo\RankMath.php:26
filter  rank_math/opengraph/facebook/url  includes\Seo\RankMath.php:27
filter  rank_math/opengraph/facebook/image  includes\Seo\RankMath.php:28
filter  rank_math/opengraph/twitter/title  includes\Seo\RankMath.php:31
filter  rank_math/opengraph/twitter/description  includes\Seo\RankMath.php:32
filter  rank_math/opengraph/twitter/image  includes\Seo\RankMath.php:33
action  wp_head  includes\Seo\Schema.php:16
action  init  includes\Seo\Sitemap.php:20
filter  query_vars  includes\Seo\Sitemap.php:21
action  template_redirect  includes\Seo\Sitemap.php:22
filter  wpseo_title  includes\Seo\Yoast.php:20
filter  wpseo_metadesc  includes\Seo\Yoast.php:21
filter  wpseo_canonical  includes\Seo\Yoast.php:24
filter  wpseo_opengraph_title  includes\Seo\Yoast.php:27
filter  wpseo_opengraph_desc  includes\Seo\Yoast.php:28
filter  wpseo_opengraph_url  includes\Seo\Yoast.php:29
filter  wpseo_opengraph_image  includes\Seo\Yoast.php:30
filter  wpseo_opengraph_image_url  includes\Seo\Yoast.php:31
filter  wpseo_twitter_title  includes\Seo\Yoast.php:34
filter  wpseo_twitter_description  includes\Seo\Yoast.php:35
filter  wpseo_twitter_image  includes\Seo\Yoast.php:36
action  save_post  includes\Support\CachePurge.php:21
action  deleted_post  includes\Support\CachePurge.php:22
action  trashed_post  includes\Support\CachePurge.php:23
action  untrashed_post  includes\Support\CachePurge.php:24
action  admin_notices  includes\Support\ReviewPrompt.php:14
action  save_post  includes\Support\SpreadScanner.php:14
Maintenance & Trust

Daily Tarot Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 21, 2026
PHP min version: 8.1
Downloads: 347

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 0
Developer Profile

Daily Tarot Developer Profile

dar8mar

1 plugin · 0 total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Daily Tarot

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/daily-tarot/build/admin.css
/wp-content/plugins/daily-tarot/build/admin.js
/wp-content/plugins/daily-tarot/build/frontend.css
/wp-content/plugins/daily-tarot/build/frontend.js
Version Parameters
daily-tarot/build/admin.css?ver=
daily-tarot/build/admin.js?ver=
daily-tarot/build/frontend.css?ver=
daily-tarot/build/frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
dtarot-dashboard, dtarot-calendar, dtarot-content, dtarot-spreads, dtarot-bookings, dtarot-sidebar, dtarot-main-content, dtarot-tarot-card, +4 more
HTML Comments
<!-- Daily Tarot Admin Menu -->
<!-- Daily Tarot Dashboard Widget -->
<!-- Daily Tarot Frontend Rendering -->
Data Attributes
data-dtarot-card, data-dtarot-spread, data-dtarot-meaning
JS Globals
window.dtarotConfig, window.dtarotFrontend
REST Endpoints
/wp-json/daily-tarot/v1/cards
/wp-json/daily-tarot/v1/spreads
/wp-json/daily-tarot/v1/readings
Shortcode Output
[daily_tarot_card], [daily_tarot_reading], [daily_tarot_spread]