DX Unanswered Comments Security & Risk Analysis

wordpress.org/plugins/dx-unanswered-comments

Filter your admin comments that have not received a reply by internal user yet.

20 active installs · v1.7 · PHP + · WP 3.2+ · Updated Jul 26, 2022
Tags: admin, comments, replies, unanswered
Score: 63 · C · Use Caution
CVEs total: 1
Unpatched: 1
Last CVE: Apr 21, 2026
Safety Verdict

Is DX Unanswered Comments Safe to Use in 2026?

Use With Caution

Score 63/100

DX Unanswered Comments has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE · 1 unpatched · Last CVE: Apr 21, 2026 · Updated 3yr ago
Risk Assessment

The 'dx-unanswered-comments' plugin version 1.7 presents a significant security risk, primarily because of its unprotected AJAX handlers. The plugin has no known historical vulnerabilities and avoids dangerous functions, file operations, and external HTTP requests, but the complete absence of authentication and capability checks on all four identified AJAX entry points creates a wide attack surface. Any unauthenticated user could potentially trigger these functions, leading to unintended actions or information disclosure if the handlers are not inherently benign. The taint analysis found one flow with unsanitized paths; it was not classified as critical or high severity, but it still warrants attention. The lack of proper output escaping on a portion of outputs also adds to the risk of cross-site scripting (XSS) vulnerabilities. Overall, while the plugin demonstrates good practices in some areas, such as SQL query preparation, the lack of fundamental security checks on its AJAX endpoints is a major concern.

Key Concerns

  • Unprotected AJAX handlers
  • Flows with unsanitized paths (taint analysis)
  • Unescaped output
  • Missing nonce checks on AJAX
  • Missing capability checks on AJAX
Vulnerabilities
1 published

DX Unanswered Comments Security Vulnerabilities

CVEs by Year

1 CVE in 2026 · unpatched

Severity Breakdown

Medium: 1

1 total CVE

CVE-2026-4138 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

DX Unanswered Comments <= 1.7 - Cross-Site Request Forgery via Settings Update

Apr 21, 2026 · Unpatched
Version History

DX Unanswered Comments Release Timeline

  • v1.7 · Current · 1 CVE
  • v1.6 · 1 CVE
  • v1.5 · 1 CVE
Code Analysis
Analyzed Mar 16, 2026

DX Unanswered Comments Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 1 (3 prepared)
  • Unescaped Output: 2 (5 escaped)
  • Nonce Checks: 0
  • Capability Checks: 0
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 0

SQL Query Safety

75% prepared · 4 total queries

Output Escaping

71% escaped · 7 total outputs
Data Flows · Security
1 unsanitized

Data Flow Analysis

1 flow · 1 with unsanitized paths
<dxuc-unanswered-comments-admin-page> (dxuc-unanswered-comments-admin-page.php:0)
Attack Surface
4 unprotected

DX Unanswered Comments Attack Surface

Entry Points: 4
Unprotected: 4

AJAX Handlers: 4

  • auth · wp_ajax_mark_comment_as_replied · dxuc-unanswered-comments.php:35
  • nopriv · wp_ajax_mark_comment_as_replied · dxuc-unanswered-comments.php:36
  • auth · wp_ajax_mark_comment_as_non_replied · dxuc-unanswered-comments.php:37
  • nopriv · wp_ajax_mark_comment_as_non_replied · dxuc-unanswered-comments.php:38

WordPress Hooks: 11

  • action · admin_enqueue_scripts · dxuc-unanswered-comments.php:28
  • action · admin_menu · dxuc-unanswered-comments.php:29
  • filter · views_edit-comments · dxuc-unanswered-comments.php:30
  • filter · comments_clauses · dxuc-unanswered-comments.php:31
  • filter · init · dxuc-unanswered-comments.php:32
  • filter · manage_edit-comments_columns · dxuc-unanswered-comments.php:33
  • filter · manage_comments_custom_column · dxuc-unanswered-comments.php:34
  • filter · bulk_actions-edit-comments · dxuc-unanswered-comments.php:39
  • filter · handle_bulk_actions-edit-comments · dxuc-unanswered-comments.php:40
  • filter · dxuc_non_replied_text · inc\dxuc-add-comment-count-top.php:9
  • filter · dxuc_non_replied_top_level · inc\dxuc-add-comment-count-top.php:10
Maintenance & Trust

DX Unanswered Comments Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.0.11
Last updated: Jul 26, 2022
PHP min version
Downloads: 4K

Community Trust

Rating: 68/100
Number of ratings: 5
Active installs: 20
Developer Profile

DX Unanswered Comments Developer Profile

Mario Peshev

13 plugins · 5K total installs

Trust score: 67
Avg Security Score: 83/100
Avg Patch Time: 164 days
Detection Fingerprints

How We Detect DX Unanswered Comments

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/dx-unanswered-comments/js/dxuc-script.js
  • /wp-content/plugins/dx-unanswered-comments/js/dxuc-comments.js
  • /wp-content/plugins/dx-unanswered-comments/css/dxuc-style.css
Script Paths
  • /wp-content/plugins/dx-unanswered-comments/js/dxuc-script.js
  • /wp-content/plugins/dx-unanswered-comments/js/dxuc-comments.js
Version Parameters
  • dxuc-script.js?ver=
  • dxuc-comments.js?ver=
  • dxuc-style.css?ver=

HTML / DOM Fingerprints

CSS Classes
  • mark_as_non_replied
  • mark_as_replied
Data Attributes
data-value