Does HTML Purified have any unpatched vulnerabilities?

No. All known vulnerabilities in HTML Purified have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is HTML Purified compatible with WordPress 3.3.2?

According to WordPress.org data, HTML Purified 0.7 has been tested up to WordPress 3.3.2. Check the plugin's changelog for the latest compatibility information.

How often is HTML Purified updated?

HTML Purified was last updated on May 5, 2012. Frequent updates are generally a positive security signal.

What is HTML Purified's security score?

HTML Purified has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

HTML Purified Security & Risk Analysis

wordpress.org/plugins/html-purified

HTML Purified replaces the default comments filters with the more secure HTML Purifier.

50 active installs v0.7 PHP + WP 2.9+ Updated May 5, 2012

commentssecurityspamxhtmlxss

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is HTML Purified Safe to Use in 2026?

Generally Safe

Score 85/100

HTML Purified has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 13yr ago

Risk Assessment

The 'html-purified' v0.7 plugin exhibits a generally strong security posture based on the provided static analysis. The absence of any attack surface points, such as AJAX handlers, REST API routes, shortcodes, or cron events, is a significant strength, indicating the plugin is not directly exposed to common web vulnerabilities. Furthermore, the complete reliance on prepared statements for all SQL queries and the lack of any recorded vulnerabilities or CVEs suggest a well-developed and secure codebase. This indicates diligent attention to secure coding practices in these critical areas.

However, the analysis does reveal some areas for improvement. The output escaping is only properly implemented for 50% of the identified outputs, which presents a potential risk of Cross-Site Scripting (XSS) vulnerabilities if untrusted data is displayed without adequate sanitization. While there are no reported vulnerabilities currently, this oversight in output handling warrants attention. The presence of file operations without further context is also a minor concern, as this could potentially be an attack vector if not handled securely, though the lack of taint flow analysis makes it impossible to confirm.

In conclusion, 'html-purified' v0.7 is commendably secure in its handling of direct web entry points and database interactions, and its history is clean. The primary area of concern is the inconsistent output escaping, which could lead to XSS vulnerabilities. Addressing this would further solidify its security.

Key Concerns

Output escaping only 50% properly

Vulnerabilities

None known

HTML Purified Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 16, 2026

HTML Purified Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

10 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

50% escaped20 total outputs

Attack Surface

HTML Purified Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 20

actionadmin_menuhtml-purified.php:33

actionbb_admin_menu_generatorhtml-purified.php:34

actionbb_admin_headhtml-purified.php:35

actionbb_inithtml-purified.php:51

actioninithtml-purified.php:53

actionset_current_userhtml-purified.php:54

actionwp_footerhtml-purified.php:57

actionbb_foothtml-purified.php:58

filterpre_posthtml-purified.php:467

filterpre_posthtml-purified.php:470

filterpre_posthtml-purified.php:477

filterbb_allowed_tagshtml-purified.php:481

filterpre_comment_contenthtml-purified.php:511

filterpre_comment_contenthtml-purified.php:514

filterpre_comment_contenthtml-purified.php:520

filtertitle_save_prehtml-purified.php:521

filtercontent_save_prehtml-purified.php:525

filterexcerpt_save_prehtml-purified.php:526

filtercontent_filtered_save_prehtml-purified.php:527

actioninitplugin.php:139

Maintenance & Trust

HTML Purified Maintenance & Trust

Maintenance Signals

WordPress version tested3.3.2

Last updatedMay 5, 2012

PHP min version

Downloads18K

Community Trust

Rating0/100

Number of ratings0

Active installs50

Alternatives

HTML Purified Alternatives

Comment Form CSRF Protection

comment-form-csrf-protection

Prevent Cross-Site Request Forgery attacks on your comments form.

500 No CVEs

Spam Comment Remover

spam-comment-remover

100

Automatically remove spam comments without Akismet. Universal spam detection that blocks junk, hidden links, fake names, gibberish, and automated subm …

70 No CVEs

GhostTrap

ghosttrap

100

Advanced 5-layer invisible spam protection for comments. No captcha, no user friction - professional spam blocking.

20 No CVEs

Back List

back-list

100

Adds Whitelist and Blacklist options for Trackbacks and Pingbacks

10 No CVEs

Identityplus

identity-plus

Identityplus is a novel security solution based on PKI (Public Key Infrastructure) called a network of trust. It features an all-in-one 2 (ocasionally …

10 No CVEs

Developer Profile

HTML Purified Developer Profile

John Godley

14 plugins · 2.1M total installs

trust score

Avg Security Score

87/100

Avg Patch Time

4069 days

View full developer profile

Detection Fingerprints

How We Detect HTML Purified

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/html-purified/css/admin.css/wp-content/plugins/html-purified/js/admin.js

HTML / DOM Fingerprints

CSS Classes

hp-admin-boxhp-admin-fieldhp-admin-field-label

HTML Comments

Data Attributes

data-fordata-inputdata-output

JS Globals

html_purified_options

FAQ