
Hinagata Speech Balloon Security & Risk Analysis
wordpress.org/plugins/hinagata-speech-balloon
Adds a highly customizable "Speech Balloon" block to the WordPress editor. Allows creating presets with avatars and inserting them as blocks.
Is Hinagata Speech Balloon Safe to Use in 2026?
Generally Safe
Score 100/100
Hinagata Speech Balloon has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.
The hinagata-speech-balloon plugin version 1.2.4 presents a significant security risk due to its large, unprotected attack surface, specifically its REST API routes. All five identified REST API routes lack permission callbacks, meaning any unauthenticated user can potentially interact with them. While the plugin demonstrates good practices in its handling of SQL queries (all prepared statements) and output escaping (all properly escaped), this is overshadowed by the lack of authorization checks on its primary entry points.
The static analysis reveals no dangerous functions, file operations, or external HTTP requests, which are positive indicators. The absence of taint analysis findings is also encouraging, suggesting no obvious instances of unsanitized data processing. The vulnerability history is clean, with zero recorded CVEs. However, this clean history, combined with the current lack of authentication on REST API endpoints, could be interpreted as a potential blind spot rather than a guarantee of inherent security. The plugin needs to implement robust authorization checks on its REST API endpoints to mitigate the risk of unauthorized access and manipulation.
Key Concerns
- REST API routes without permission callbacks
- No nonce checks on entry points
- One capability check, but not enforced on all entry points
Hinagata Speech Balloon Security Vulnerabilities
Hinagata Speech Balloon Code Analysis
SQL Query Safety
Output Escaping
Hinagata Speech Balloon Attack Surface
REST API Routes: 5
WordPress Hooks: 7
Hinagata Speech Balloon Maintenance & Trust
Maintenance Signals
Community Trust
Hinagata Speech Balloon Alternatives
User Profile Picture
metronet-profile-picture
Set a custom profile image (avatar) for a user using the standard WordPress media upload tool.
Author Avatars List/Block
author-avatars
Display lists of user avatars using widgets or shortcodes. With Gutenberg support.
AI + Block Editor
ai-plus-block-editor
Add AI Capabilities to the Block Editor. Generate Captions/Headlines, Summaries, Slugs, SEO Keywords using our amazing plugin.
WP-Speech-Balloon
wp-speech-balloon
A plugin that makes it easy to use speech-balloon conversations in WordPress posts. Speech-balloon conversations work on AMP pages the same way as on regular pages. This is a plugin that makes it easy to use balloon conversation with WordPress.
Redirect Gravatar requests
redirect-gravatar-requests
All requests to load an avatar from gravatar.com are redirected to a local image, preventing Gravatar from potentially gathering data about your site …
Hinagata Speech Balloon Developer Profile
2 plugins · 30 total installs
How We Detect Hinagata Speech Balloon
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
- /wp-content/plugins/hinagata-speech-balloon/build/admin.js
- /wp-content/plugins/hinagata-speech-balloon/build/style-block.css
- hinagata-speech-balloon/build/admin.asset.php
- hinagata-speech-balloon/build/admin.js
- hinagata-speech-balloon/build/style-block.css
HTML / DOM Fingerprints
- hinagata-sb-admin-app
- data-block="hinagata/speech-balloon"
- window.hinagataSpeechBalloonAdmin
- /wp-json/hinagata-sb/v1/presets
- /wp-json/hinagata-sb/v1/settings
- /wp-json/hinagata-sb/v1/usage