Headless Security & Risk Analysis

wordpress.org/plugins/headless

Adds features to use WordPress as headless CMS

20 active installs · v2.3.1 · PHP 8.0+ · WP 5.0+ · Updated Mar 12, 2025
Tags: block, developer, gutenberg, utils

Security score: 92 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Headless Safe to Use in 2026?

Generally Safe

Score 92/100

Headless has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 1yr ago
Risk Assessment

The "headless" v2.3.1 plugin exhibits a generally good security posture, with a small attack surface and a healthy proportion of SQL queries using prepared statements. The absence of known vulnerabilities in its history is a positive indicator. However, there are significant areas of concern that warrant attention. Specifically, the presence of an unprotected AJAX handler creates a direct entry point that could be exploited without proper authentication. Furthermore, a notable portion of output is not properly escaped, which could lead to cross-site scripting (XSS) vulnerabilities if user-supplied data reaches these outputs.

The lack of nonce checks on the identified AJAX handler is a critical oversight, as it removes a standard WordPress security mechanism designed to prevent Cross-Site Request Forgery (CSRF) attacks. While taint analysis shows no critical or high severity unsanitized paths, the combination of an unprotected AJAX endpoint and unescaped output presents a tangible risk. The plugin's strengths lie in its limited attack surface and lack of historical vulnerabilities, but the immediate risks from the unprotected AJAX handler and potential XSS are substantial enough to necessitate careful review and remediation.

Key Concerns

  • AJAX handler without authentication
  • Outputs not properly escaped
  • No nonce checks on AJAX
Vulnerabilities
None known

Headless Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Headless Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (7 prepared)
Unescaped Output: 9 (18 escaped)
Nonce Checks: 0
Capability Checks: 5
File Operations: 0
External Requests: 1
Bundled Libraries: 0

SQL Query Safety

88% prepared (8 total queries)

Output Escaping

67% escaped (27 total outputs)
Data Flows
All sanitized

Data Flow Analysis

2 flows
admin_preview (classes\Preview.php:62)
Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface
1 unprotected

Headless Attack Surface

Entry Points: 2
Unprotected: 1

AJAX Handlers (2)

Type · Hook · Location
  • auth · wp_ajax_headless_preview · classes\Preview.php:16
  • nopriv · wp_ajax_headless_preview · classes\Preview.php:17

WordPress Hooks (18)

Type · Hook · Location
  • action · init · classes\Components\Plugin.php:74
  • action · wp_dashboard_setup · classes\Dashboard.php:8
  • action · rest_api_init · classes\Extensions.php:58
  • filter · rest_prepare_revision · classes\Extensions.php:108
  • filter · rest_prepare_comment · classes\Extensions.php:111
  • filter · rest_prepare_user · classes\Extensions.php:114
  • filter · rest_post_dispatch · classes\Headers.php:8
  • action · cron_logger_init · classes\Log.php:13
  • action · admin_init · classes\PluginAssets.php:21
  • action · enqueue_block_editor_assets · classes\PluginAssets.php:22
  • filter · preview_post_link · classes\Preview.php:15
  • action · plugins_loaded · classes\Preview.php:18
  • action · save_post · classes\Revalidate.php:12
  • action · edit_comment · classes\Revalidate.php:13
  • action · wp_insert_comment · classes\Revalidate.php:14
  • action · rest_api_init · classes\Routes.php:16
  • action · admin_init · classes\Schedule.php:12
  • filter · wp_is_application_passwords_available · classes\Security.php:11
Maintenance & Trust

Headless Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Mar 12, 2025
PHP min version: 8.0
Downloads: 2K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 20
Developer Profile

Headless Developer Profile

EdwardBock

22 plugins · 2K total installs

Trust score: 72
Avg Security Score: 90/100
Avg Patch Time: 107 days
Detection Fingerprints

How We Detect Headless

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/headless/dist/gutenberg.js
  • /wp-content/plugins/headless/dist/gutenberg.css
  • /wp-content/plugins/headless/dist/admin.js
Script Paths
  • /wp-content/plugins/headless/dist/gutenberg.js
  • /wp-content/plugins/headless/dist/admin.js

HTML / DOM Fingerprints

JS Globals
  • window.Headless
  • window.HeadlessAdmin
REST Endpoints
  • /wp-json/headless/v1/menus
  • /wp-json/headless/v1/menus/(?P<menu>[\S]+)
FAQ

Frequently Asked Questions about Headless