DirectEdit Security & Risk Analysis

wordpress.org/plugins/directedit

Edit your website directly in the frontend.

10 active installs v1.0.4 PHP + WP 3.7+ Updated Aug 12, 2014
Tags: edit-in-place, editor, front-end, publish, wysiwyg

Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is DirectEdit Safe to Use in 2026?

Generally Safe

Score 85/100

DirectEdit has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 11 years ago
Risk Assessment

The "directedit" plugin v1.0.4 exhibits a concerning security posture primarily due to its extensive unprotected attack surface and the presence of dangerous functions without apparent safeguards. With 11 out of 12 AJAX handlers lacking authentication checks, a significant portion of the plugin's functionality is exposed to unauthenticated users, presenting a high risk of unauthorized actions. The inclusion of the `unserialize` function, a known vector for remote code execution when handling untrusted input, is particularly alarming, especially in conjunction with the unprotected AJAX endpoints. While the static analysis did not reveal any specific taint flows or raw SQL queries without prepared statements, the lack of basic security measures like nonce checks on AJAX endpoints and proper output escaping for over half of the outputs raises further red flags.

The plugin's vulnerability history is a blank slate, showing zero recorded CVEs. While this might seem positive, it could also indicate a lack of rigorous security auditing or that vulnerabilities, if present, have simply gone undiscovered or unpatched. The absence of any recorded vulnerabilities, coupled with the identified code signals like the use of `unserialize` and the large unprotected attack surface, suggests that the plugin might be relying on obscurity for its security rather than robust implementation. This makes it a potential target for attackers who can exploit these weaknesses.

In conclusion, the "directedit" plugin v1.0.4 has significant security weaknesses that outweigh its apparent lack of historical vulnerabilities. The large number of unprotected AJAX endpoints, the use of `unserialize`, and the insufficient output escaping create a considerable risk profile. Developers should prioritize implementing proper authentication and authorization checks for all AJAX handlers, securing the use of `unserialize`, and escaping all output properly to mitigate potential exploits.

Key Concerns

  • 11 unprotected AJAX handlers
  • Dangerous function 'unserialize' used
  • 0 nonce checks on AJAX handlers
  • 42% properly escaped outputs (58% unescaped)

Vulnerabilities: None known

DirectEdit Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis (analyzed Mar 17, 2026)

DirectEdit Code Analysis

  • Dangerous Functions: 7
  • Raw SQL Queries: 1 (2 prepared)
  • Unescaped Output: 19 (26 escaped)
  • Nonce Checks: 0
  • Capability Checks: 53
  • File Operations: 13
  • External Requests: 0
  • Bundled Libraries: 0

Dangerous Functions Found

  • unserialize at core\classes\de-items.php:19: `return unserialize( $_SESSION[ 'de' ][ 'items' ][ $reference ] );`
  • unserialize at core\classes\de-store.php:189: `$item->list = unserialize( $content );`
  • unserialize at direct-admin.php:18: `$de_wp_hooks = unserialize( base64_decode( get_post_meta( $postId, 'de_wp_hooks', true ) ) );`
  • unserialize at direct-admin.php:154: `$options_wp_hooks = unserialize( base64_decode( get_option( 'de_options_wp_hooks' ) ) );`
  • unserialize at direct-edit.php:216: `$options = unserialize( base64_decode( get_option( 'de_options_custom_page_types' ) ) );`
  • unserialize at direct-edit.php:257: `$options_wp_hooks = unserialize( base64_decode( get_option( 'de_options_wp_hooks' ) ) );`
  • unserialize at direct-edit.php:262: `$de_wp_hooks = unserialize( base64_decode( get_post_meta( $direct_queried_object->ID, 'de_wp_hooks',`

SQL Query Safety

67% prepared (3 total queries)

Output Escaping

58% escaped (45 total outputs)

Data Flows: All sanitized

Data Flow Analysis

6 flows

de-store (core\classes\de-store.php:0)

Columns: Source (user input) | Sink (dangerous op) | Sanitizer | Transform | Unsanitized | Sanitized
Attack Surface: 11 unprotected

DirectEdit Attack Surface

Entry Points: 12
Unprotected: 11

AJAX Handlers (12)

  • wp_ajax_direct-add (auth) · core\handler.php:15
  • wp_ajax_direct-delete (auth) · core\handler.php:16
  • wp_ajax_direct-delete-post (auth) · core\handler.php:17
  • wp_ajax_direct-edit-image (auth) · core\handler.php:18
  • wp_ajax_direct-hide-post (auth) · core\handler.php:19
  • wp_ajax_direct-move-left (auth) · core\handler.php:20
  • wp_ajax_direct-move-right (auth) · core\handler.php:21
  • wp_ajax_direct-save-page (auth) · core\handler.php:22
  • wp_ajax_direct-show-post (auth) · core\handler.php:23
  • wp_ajax_direct-upload-image (auth) · core\handler.php:24
  • wp_ajax_direct-upload-file (auth) · core\handler.php:25
  • wp_ajax_direct-save-menu (auth) · core\handler.php:26

WordPress Hooks (25)

  • filter page_link · core\classes\de-url.php:84
  • filter post_link · core\classes\de-url.php:85
  • filter post_type_link · core\classes\de-url.php:86
  • filter the_title · core\service-functions.php:97
  • action add_meta_boxes · direct-admin.php:2
  • action admin_menu · direct-admin.php:3
  • action save_post · direct-admin.php:4
  • action admin_bar_menu · direct-edit.php:47
  • action de_cron · direct-edit.php:48
  • action init · direct-edit.php:49
  • action init · direct-edit.php:50
  • action init · direct-edit.php:51
  • action init · direct-edit.php:52
  • action switch_theme · direct-edit.php:53
  • action template_include · direct-edit.php:54
  • action template_redirect · direct-edit.php:55
  • action template_redirect · direct-edit.php:56
  • action wp_head · direct-edit.php:57
  • action wp_enqueue_scripts · direct-edit.php:58
  • action wp_print_footer_scripts · direct-edit.php:59
  • filter sanitize_title · direct-edit.php:61
  • filter the_title · direct-edit.php:268
  • filter the_content · direct-edit.php:276
  • filter get_the_excerpt · direct-edit.php:279
  • filter the_excerpt · direct-edit.php:280

Scheduled Events (1)

  • de_cron

Maintenance & Trust

DirectEdit Maintenance & Trust

Maintenance Signals

WordPress version tested: 3.9.40
Last updated: Aug 12, 2014
PHP min version:
Downloads: 5K

Community Trust

Rating: 80/100
Number of ratings: 7
Active installs: 10

Developer Profile

DirectEdit Developer Profile

Carlo Roosen

5 plugins · 140 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days

Detection Fingerprints

How We Detect DirectEdit

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
