
Feedback Extended Security & Risk Analysis
wordpress.org/plugins/feedback-extended
This plugin requires Jetpack 1.3 or later with the Contact Form module active. It lets users reply to feedback submissions from the admin panel.
Is Feedback Extended Safe to Use in 2026?
Generally Safe (score 85/100)
Feedback Extended has no known CVEs and is actively maintained, which is what this verdict rests on. Weigh it against the code-level findings below before installing: a clean vulnerability history says nothing about an endpoint that has never been audited.
The feedback-extended v1.0.0 plugin registers a single AJAX handler, and static analysis found it protected by neither a nonce check nor a capability check. In WordPress that matters in two ways: an action hooked on wp_ajax_nopriv_{action} is reachable by any unauthenticated visitor through admin-ajax.php, and even a handler hooked only on wp_ajax_{action} fires for every logged-in account, subscriber included, unless the handler itself calls current_user_can(). Without a nonce, a logged-in administrator can also be made to trigger it from a third-party page (CSRF). The analysis does not establish what the handler does with its input, so the impact is unconfirmed; the missing checks are the finding.
The plugin does some things right: all SQL goes through prepared statements, and it performs no file operations and no outbound HTTP requests. Those strengths do not offset the unguarded AJAX entry point. The use of create_function is a further red flag: it compiles a string into executable code at runtime (effectively eval), was deprecated in PHP 7.2 and removed in PHP 8.0, so any code path that reaches it fails with a fatal error on current PHP; the taint analysis found no critical or high-severity flow into it, so the concern here is maintenance and attack surface rather than a confirmed injection. The absence of recorded vulnerabilities is positive, but with 310 installs it may simply mean nobody has looked, and it should not breed complacency given the code-level findings.
In conclusion, the unprotected AJAX endpoint dominates the security picture of "feedback-extended". Secure SQL practices and the absence of risky file and network operations help, but a handler that anyone can call without a nonce or capability check makes the plugin high risk until that entry point is fixed. The lack of historical vulnerabilities is a minor positive that does not mitigate the risk identified in the code.
Key Concerns
- Unprotected AJAX handler
- Dangerous function used: create_function
- Low percentage of properly escaped output
- Missing nonce check on AJAX handler
- Missing capability check on AJAX handler
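The pattern behind the concerns above, shown as an added example rather than code from the Feedback Extended plugin (the report does not reproduce the plugin's source). The action name fe_reply, the post-meta key fe_reply and the nonce action name are assumptions for illustration; the script handle and the feFeedbackReply object name are taken from the detection fingerprints on this page but what the real plugin does with them is not known. The first handler is the unguarded shape the analysis describes; the second adds the nonce check, the capability check, input sanitization and output escaping, and the tail shows the one-line replacement for create_function.

```php
<?php
// Added example: vulnerable AJAX handler beside a hardened one.
// Hook/action/meta names are assumptions, not the plugin's own identifiers.

// --- Vulnerable pattern: no nonce, no capability check, unescaped output ---
// wp_ajax_nopriv_ registers the handler for unauthenticated visitors as well.
add_action( 'wp_ajax_nopriv_fe_reply', 'fe_reply_unprotected' );
add_action( 'wp_ajax_fe_reply',        'fe_reply_unprotected' );

function fe_reply_unprotected() {
    global $wpdb;
    $post_id = (int) $_POST['post_id'];
    $reply   = $_POST['reply']; // raw request input
    // Prepared statement (no SQLi), but any visitor may overwrite any post's reply.
    $wpdb->query( $wpdb->prepare(
        "UPDATE {$wpdb->postmeta} SET meta_value = %s WHERE post_id = %d AND meta_key = 'fe_reply'",
        $reply,
        $post_id
    ) );
    echo $reply; // reflected without escaping
    wp_die();
}

// --- Hardened pattern: authenticated hook only, nonce + capability + sanitize + escape ---
add_action( 'wp_ajax_fe_reply', 'fe_reply_protected' );

function fe_reply_protected() {
    // 1. CSRF: dies with HTTP 403 unless the 'nonce' field is valid for this action.
    check_ajax_referer( 'fe_reply_nonce', 'nonce' );

    // 2. Authorization: feedback entries are posts, so require edit rights on that post.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed' ), 403 );
    }

    // 3. Input sanitization: strip slashes WordPress added, then normalize the text.
    $reply = isset( $_POST['reply'] ) ? sanitize_textarea_field( wp_unslash( $_POST['reply'] ) ) : '';
    if ( '' === $reply ) {
        wp_send_json_error( array( 'message' => 'Empty reply' ), 400 );
    }

    update_post_meta( $post_id, 'fe_reply', $reply );

    // 4. Output escaping at the point the value becomes HTML.
    wp_send_json_success( array( 'html' => esc_html( $reply ) ) );
}

// Issue the nonce to the admin script so the hardened handler can verify it.
add_action( 'admin_enqueue_scripts', function ( $hook ) {
    wp_enqueue_script( 'fe-admin', plugins_url( 'feedback-extended.js', __FILE__ ), array( 'jquery' ), '1.0.0', true );
    wp_localize_script( 'fe-admin', 'feFeedbackReply', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'fe_reply_nonce' ),
    ) );
} );

// --- create_function replacement ---
// create_function( '$m', 'return esc_html( $m[1] );' ) builds code from a string
// (eval in disguise) and no longer exists on PHP 8.0+. A closure does the same job:
$fe_escape_match = function ( $m ) {
    return esc_html( $m[1] );
};
```

The nonce alone is not an authorization check: check_ajax_referer() only proves the request originated from a page that was handed the nonce, so the current_user_can() test is still required, and the capability should be the meta capability for the specific object (edit_post with the post ID) rather than a blanket manage_options.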
Feedback Extended Attack Surface
- AJAX handlers: 1
- WordPress hooks: 2
Feedback Extended Alternatives
- Contact Form & SMTP Plugin for WordPress by PirateForms (pirate-forms): A simple and effective WordPress contact form & SMTP plugin. Compatible with best themes out there, is both a secure and responsive contact form p …
- Contact Form Clean and Simple (clean-and-simple-contact-form-by-meg-nicholas): A clean and simple contact form with flexible CSS framework support.
- More Mails for CF7 (more-mails-for-cf7): Extends the ubiquitous Contact Form 7 plugin to allow three or more messages.
- Contact Form 7 Countries (cf7-countries): Country drop-down menu for Contact Form 7.
- Contact Form X (contact-form-x): Displays a user-friendly contact form that your visitors will love. Lightweight, fast, secure, and accessible (ADA/WCAG compliant).
Feedback Extended Developer Profile
2 plugins · 310 total installs
How We Detect Feedback Extended
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
- /wp-content/plugins/feedback-extended/feedback-extended.css
- /wp-content/plugins/feedback-extended/feedback-extended.js
- feedback-extended/feedback-extended.css?ver=
- feedback-extended/feedback-extended.js?ver=
HTML / DOM Fingerprints
- reply
- submit
- delete
- <!-- more -->
- id="fe_reply_area_
- id="com-reply
- id="replyrow
- id="com-reply-
- id="replyhead
- id="edithead
- feFeedbackReply
- window.feFeedbackReply
- (12 more not shown)
Only the asset paths, id="fe_reply_area_ and the feFeedbackReply object are specific to this plugin. The words reply, submit and delete, the <!-- more --> tag, and the com-reply, replyrow, replyhead and edithead ids all occur in WordPress core markup (the inline comment-reply form in wp-admin) and in many themes, so on their own they identify WordPress rather than Feedback Extended and will produce false positives unless combined with the plugin-specific patterns.