Does FastComments have any unpatched vulnerabilities?

No. All known vulnerabilities in FastComments have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is FastComments compatible with WordPress 6.9.4?

According to WordPress.org data, FastComments 3.18.0 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

Is FastComments compatible with PHP 5.2.5+?

FastComments requires PHP 5.2.5 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is FastComments updated?

FastComments was last updated on Feb 28, 2026. Frequent updates are generally a positive security signal.

What is FastComments's security score?

FastComments has a WP-Safety security score of 100/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

FastComments Security & Risk Analysis

wordpress.org/plugins/fastcomments

A live, fast, privacy-focused commenting system with advanced spam prevention capabilities. FastComments prioritizes speed and user experience above a …

40 active installs v3.18.0 PHP 5.2.5+ WP 4.6+ Updated Feb 28, 2026

commenting-systemcommentsdisquslive-commentinglive-comments

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is FastComments Safe to Use in 2026?

Generally Safe

Score 100/100

FastComments has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 1mo ago

Risk Assessment

The plugin "fastcomments" v3.18.0 exhibits a generally good security posture, with no known historical vulnerabilities and a strong emphasis on implementing capability checks. The static analysis reveals a controlled attack surface, with all identified entry points (REST API routes and cron events) having permission callbacks or checks. The absence of dangerous functions, file operations, and external HTTP requests further contributes to a positive security profile.

However, there are areas for improvement. A significant concern is the low percentage of SQL queries utilizing prepared statements (29%), suggesting a potential for SQL injection vulnerabilities if not handled meticulously elsewhere. Additionally, the low rate of proper output escaping (9%) is a considerable risk, as unescaped output can lead to cross-site scripting (XSS) vulnerabilities. The single taint flow with an unsanitized path, while not classified as critical or high, warrants investigation to ensure it does not pose a practical risk.

The complete lack of historical vulnerabilities is a positive indicator, suggesting a development team that prioritizes security or has been fortunate. However, this should not lead to complacency. The identified code-level weaknesses, particularly concerning SQL queries and output escaping, represent inherent risks that could be exploited in the absence of other mitigating factors or if the plugin's usage context exposes these weaknesses. Overall, the plugin is relatively secure due to its limited attack surface and capability checks, but the unescaped output and raw SQL queries are significant concerns that require attention.

Key Concerns

Low percentage of SQL queries using prepared statements
Low percentage of properly escaped output
Taint flow with unsanitized path
No nonce checks on entry points

Vulnerabilities

None known

FastComments Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 16, 2026

FastComments Code Analysis

Dangerous Functions

Raw SQL Queries

2 prepared

Unescaped Output

5 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

29% prepared7 total queries

Output Escaping

9% escaped57 total outputs

Data Flows

1 unsanitized

Data Flow Analysis

1 flows1 with unsanitized paths

<fastcomments-admin-advanced-settings-view> (admin\fastcomments-admin-advanced-settings-view.php:0)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

FastComments Attack Surface

Entry Points5

Unprotected0

REST API Routes 5

GET/wp-json/fastcomments/v1/api/get-config-statuspublic\fastcomments-public.php:7

GET/wp-json/fastcomments/v1/api/tickpublic\fastcomments-public.php:14

PUT/wp-json/fastcomments/v1/api/set-sso-enabledpublic\fastcomments-public.php:21

PUT/wp-json/fastcomments/v1/api/sync-to-wppublic\fastcomments-public.php:28

PUT/wp-json/fastcomments/v1/api/sync-to-fcpublic\fastcomments-public.php:35

WordPress Hooks 14

filterplugin_action_linksadmin\fastcomments-admin.php:207

actionadmin_menuadmin\fastcomments-admin.php:208

actionadmin_bar_menuadmin\fastcomments-admin.php:209

actionadmin_noticesadmin\fastcomments-admin.php:210

filtercomments_templatefastcomments-wordpress-plugin.php:78

filterpre_render_blockfastcomments-wordpress-plugin.php:90

filtercomments_numberfastcomments-wordpress-plugin.php:91

filterwp_enqueue_scriptsfastcomments-wordpress-plugin.php:92

filterwp_footerfastcomments-wordpress-plugin.php:93

actionpre_comment_on_postfastcomments-wordpress-plugin.php:96

filterrest_pre_insert_commentfastcomments-wordpress-plugin.php:97

actionfastcomments_cron_hookfastcomments-wordpress-plugin.php:134

actionplugins_loadedfastcomments-wordpress-plugin.php:159

actionrest_api_initpublic\fastcomments-public.php:6

Scheduled Events 1

fastcomments_cron_hook

Maintenance & Trust

FastComments Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedFeb 28, 2026

PHP min version5.2.5

Downloads6K

Community Trust

Rating100/100

Number of ratings5

Active installs40

Alternatives

FastComments Alternatives

Disqus Comment System

disqus-comment-system

Disqus is the web's most popular comment system. Use Disqus to increase engagement, retain readers, and grow your audience.

40K 5 CVEs

Disqus Conditional Load

disqus-conditional-load

100

Use Disqus comments with advanced features like lazy load, shortcode, widgets etc. Don't let Disqus to slow your site down.

3K 1 CVE

Social Comments by Heateor

heateor-social-comments

100

Integrate Facebook Comments, Vkontakte Comments and/or Disqus Comments along with default comment form at your website

800 1 CVE

pipDisqus – Lightweight Disqus Comments

pipdisqus

A lightweight solution for adding Disqus to your WordPress blog.

300 1 CVE

Disqus Latest Comments Addon

disqus-latest-comments

Display latest Disqus comments in a page, post or widget

100 No CVEs

Developer Profile

FastComments Developer Profile

winrid

1 plugin · 40 total installs

trust score

Avg Security Score

100/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect FastComments

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/fastcomments/js/embed-widget-comment-count-bulk.min.js

Script Paths

https://embed.fastcomments.com/js/embed-widget-comment-count-bulk.min.js

Version Parameters

fastcomments_widget_count

HTML / DOM Fingerprints

CSS Classes

fast-comments-countfc-cardfc-back

HTML Comments

Data Attributes

data-fast-comments-url-id

JS Globals

window.FastCommentsBulkCountConfig

Shortcode Output

<span class="fast-comments-count" data-fast-comments-url-id=

FAQ