Does HM Content TOC have any unpatched vulnerabilities?

No published vulnerabilities and no findings under coordinated disclosure as of the latest data update. Always keep the plugin updated to the latest version.

Is HM Content TOC compatible with WordPress 4.3.34?

According to WordPress.org data, HM Content TOC 1.0.1 has been tested up to WordPress 4.3.34. Check the plugin's changelog for the latest compatibility information.

How often is HM Content TOC updated?

HM Content TOC was last updated on Oct 7, 2015. Frequent updates are generally a positive security signal.

What is HM Content TOC's security score?

HM Content TOC has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

HM Content TOC Security & Risk Analysis

wordpress.org/plugins/hm-content-toc

Creates TOC (table of contents) for specified HTML elements from post/page content; to allow jumping to corresponding header by clicking a link in TOC

10 active installs v1.0.1 PHP + WP 4.2+ Updated Oct 7, 2015

content-tocpost-tocshortcodetoctoc-shortcode

A · Safe

CVEs total0

Unpatched0

Last CVENever

Download

Safety Verdict

Is HM Content TOC Safe to Use in 2026?

Generally Safe

Score 85/100

HM Content TOC has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 10yr ago

Risk Assessment

The "hm-content-toc" v1.0.1 plugin exhibits a strong security posture based on the provided static analysis. The absence of dangerous functions, the exclusive use of prepared statements for SQL queries, and the 100% proper output escaping are excellent indicators of secure coding practices. Furthermore, the lack of file operations and external HTTP requests minimizes potential attack vectors. The plugin's vulnerability history is also clean, with no recorded CVEs, which suggests a commitment to security or a lack of targeted exploitation. However, a key area of concern is the complete absence of nonce and capability checks. While the current attack surface is small and appears to have no unprotected entry points, this lack of checks is a significant weakness. Any future expansion of functionality or the introduction of new entry points could easily become vulnerable if these security measures are not implemented.

Key Concerns

Missing nonce checks
Missing capability checks

Vulnerabilities

None known

HM Content TOC Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Version History

HM Content TOC Release Timeline

v1.0.1Current

v1.0.0

Code Analysis

Analyzed Apr 16, 2026

HM Content TOC Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

29 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

100% escaped29 total outputs

Attack Surface

HM Content TOC Attack Surface

Entry Points1

Unprotected0

Shortcodes 1

[hm_content_toc] includes/class-content-toc.php:39

WordPress Hooks 6

actionplugins_loadedhm-content-toc.php:43

actionplugins_loadedhm-content-toc.php:46

actionadmin_menuincludes/admin/class-admin.php:51

actionadmin_initincludes/admin/class-admin.php:54

actioninitincludes/class-content-toc.php:43

filterthe_contentincludes/class-content-toc.php:144

Maintenance & Trust

HM Content TOC Maintenance & Trust

Maintenance Signals

WordPress version tested4.3.34

Last updatedOct 7, 2015

PHP min version

Downloads5K

Community Trust

Rating70/100

Number of ratings2

Active installs10

Alternatives

HM Content TOC Alternatives

f(x) TOC

fx-toc

Simple Table Of Contents Plugin. Just add [toc] shortcode in content to display.

300 1 unpatched

Shortcode Table of Contents

shortcode-toc

Display an automated table of contents via shortcode.

300 No CVEs

StockViz

stockviz

The Wordpress shortcode plugin allows you to pull in the latest stock price from within your post.

10 No CVEs

Adanos Market Sentiment Widgets

adanos-market-sentiment-widgets

100

Embed self-hosted stock sentiment widgets and shortcodes for WordPress, powered by Adanos.

0 No CVEs

Cryptocurrency Shortcodes

cryptocurrency-shortcodes

Retrieves information in realtime about cryptocurrencies through our API and display them using our shortcodes. The data retrieved are made available …

0 No CVEs

Developer Profile

HM Content TOC Developer Profile

dashaluna

1 plugin · 10 total installs

trust score

Avg Security Score

85/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect HM Content TOC

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/hm-content-toc/css/style.css/wp-content/plugins/hm-content-toc/js/script.js

Script Paths

/wp-content/plugins/hm-content-toc/js/script.js

Version Parameters

hm-content-toc/css/style.css?ver=hm-content-toc/js/script.js?ver=

HTML / DOM Fingerprints

CSS Classes

hm_content_toc_placeholderhm-content-toc-wrapperhm-content-toc-listhm-content-toc-itemhm-content-toc-titlehm-content-toc-anchor

Data Attributes

data-shortcode-ui-editor

Shortcode Output

<div class="hm_content_toc_placeholder" style="display:none"></div>

FAQ