Does Echo Sign have any unpatched vulnerabilities?

No published vulnerabilities and no findings under coordinated disclosure as of the latest data update. Always keep the plugin updated to the latest version.

Is Echo Sign compatible with WordPress 4.6.30?

According to WordPress.org data, Echo Sign 1.4.1 has been tested up to WordPress 4.6.30. Check the plugin's changelog for the latest compatibility information.

How often is Echo Sign updated?

Echo Sign was last updated on Apr 2, 2020. Frequent updates are generally a positive security signal.

What is Echo Sign's security score?

Echo Sign has a WP-Safety security score of 84/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Echo Sign Security & Risk Analysis

wordpress.org/plugins/echosign

License: GPLv2 or later Echo Sign plugin is discontinued and no longer supported

10 active installs v1.4.1 PHP + WP + Updated Apr 2, 2020

digitallysignpdfecho-signelectronicsignaturespdfhowtoelectronicallysignhowtosignelectronically

B · Generally Safe

CVEs total2

Unpatched0

Last CVEApr 21, 2016

Plugin page Download

Safety Verdict

Is Echo Sign Safe to Use in 2026?

Mostly Safe

Score 84/100

Echo Sign is generally safe to use though it hasn't been updated recently. 2 past CVEs were resolved.

2 known CVEsLast CVE: Apr 21, 2016Updated 6yr ago

Risk Assessment

The echosign plugin version 1.4.1 presents a moderate security risk due to a combination of static analysis findings and its vulnerability history. While the plugin demonstrates good practices in its SQL query handling, ensuring all queries use prepared statements, a significant concern lies in its attack surface. Three out of four identified entry points, specifically AJAX handlers, lack proper authentication checks. This opens the door for unauthorized actions if these handlers can be triggered by unauthenticated users. Furthermore, the taint analysis reveals a high number of flows with unsanitized paths, indicating potential risks of data manipulation or injection, although no critical or high severity issues were flagged in this analysis.

The plugin's vulnerability history, with two past medium-severity Cross-Site Scripting (XSS) vulnerabilities, though none are currently unpatched, suggests a recurring pattern of input sanitization weaknesses. The fact that the last vulnerability was in 2016 might imply the codebase hasn't been actively maintained or scrutinized for newer threats. The limited output escaping (63% properly escaped) further exacerbates the risk of XSS, especially when combined with unsanitized input paths. While the absence of dangerous functions and external HTTP requests are positive, the unsecured AJAX endpoints and the history of XSS vulnerabilities are significant weaknesses that require attention for robust security.

Key Concerns

Unprotected AJAX handlers
High number of unsanitized paths in taint flows
Low output escaping percentage
Past medium severity XSS vulnerabilities

Vulnerabilities

2 published

Echo Sign Security Vulnerabilities

CVEs by Year

2 CVEs in 2016

2016

Patched Has unpatched

Severity Breakdown

Medium

2 total CVEs

CVE-2016-10985medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Echo Sign < 1.2 - Reflected Cross-Site Scripting

Apr 21, 2016 Patched in 1.2 (2833d)

CVE-2016-10984medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Echo Sign < 1.2 - Reflected Cross-Site Scripting

Apr 21, 2016 Patched in 1.2 (2833d)

Version History

Echo Sign Release Timeline

v1.4.1Current

v1.4

v1.3

v1.2

v1.12 CVEs

CVE-2016-10985 CVE-2016-10984

v1.02 CVEs

CVE-2016-10985 CVE-2016-10984

Code Analysis

Analyzed Mar 17, 2026

Echo Sign Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

90 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

63% escaped143 total outputs

Data Flows · Security

9 unsanitized

Data Flow Analysis

10 flows9 with unsanitized paths

echosignaddNewRow (echosign.php:498)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

3 unprotected

Echo Sign Attack Surface

Entry Points4

Unprotected3

AJAX Handlers 3

authwp_ajax_echosign_return_scriptechosign.php:81

authwp_ajax_echosignaddNewRowechosign.php:524

authwp_ajax_echosignaddNewCustomRowechosign.php:546

Shortcodes 1

[echosign_template] echosign.php:494

WordPress Hooks 4

actionadmin_noticesechosign.php:65

actionadmin_menuechosign.php:76

actionadmin_initechosign.php:79

actionwp_enqueue_scriptsechosign.php:80

Maintenance & Trust

Echo Sign Maintenance & Trust

Maintenance Signals

WordPress version tested4.6.30

Last updatedApr 2, 2020

PHP min version

Downloads3K

Community Trust

Rating80/100

Number of ratings3

Active installs10

Alternatives

Echo Sign Alternatives

No alternatives data available yet.

Developer Profile

Echo Sign Developer Profile

Smackcoders Inc.,

23 plugins · 40K total installs

trust score

Avg Security Score

88/100

Avg Patch Time

946 days

View full developer profile

Detection Fingerprints

How We Detect Echo Sign

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/echosign/public/css/css/font-awesome.css/wp-content/plugins/echosign/public/css/echosign-frontend.css/wp-content/plugins/echosign/public/css/bootstrap.css/wp-content/plugins/echosign/public/css/echosign-adminend.css/wp-content/plugins/echosign/public/js/echosign.js/wp-content/plugins/echosign/public/js/validator.js

Script Paths

/wp-content/plugins/echosign/public/js/echosign.js/wp-content/plugins/echosign/public/js/validator.js

Version Parameters

echosign/style.css?ver=echosign/script.js?ver=

HTML / DOM Fingerprints

CSS Classes

alert-success

Data Attributes

data-adminurl

JS Globals

wp_echosign

FAQ