Does HTML to Post have any unpatched vulnerabilities?

No published vulnerabilities and no findings under coordinated disclosure as of the latest data update. Always keep the plugin updated to the latest version.

Is HTML to Post compatible with WordPress 3.5.2?

According to WordPress.org data, HTML to Post 1.0 has been tested up to WordPress 3.5.2. Check the plugin's changelog for the latest compatibility information.

How often is HTML to Post updated?

HTML to Post was last updated on Jan 24, 2013. Frequent updates are generally a positive security signal.

What is HTML to Post's security score?

HTML to Post has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

HTML to Post Security & Risk Analysis

wordpress.org/plugins/html-to-post

The HTML, CSS and JS file you choose will be inserted Your post or page.

10 active installs v1.0 PHP + WP 3.2+ Updated Jan 24, 2013

csshtmljavascriptjspost

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is HTML to Post Safe to Use in 2026?

Generally Safe

Score 85/100

HTML to Post has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 13yr ago

Risk Assessment

The "html-to-post" v1.0 plugin exhibits a mixed security posture. On the positive side, it demonstrates strong practices by exclusively using prepared statements for SQL queries and has no recorded vulnerability history, suggesting a development team that prioritizes security or a lack of prior high-impact issues. The absence of external HTTP requests and bundled libraries also reduces potential attack vectors. However, significant concerns arise from the code analysis. The fact that 0% of its 38 output operations are properly escaped is a critical flaw, leaving the plugin highly susceptible to Cross-Site Scripting (XSS) vulnerabilities. Furthermore, while the taint analysis shows no critical or high severity flows, the presence of 2 flows with unsanitized paths, even if low severity, warrants attention, especially in conjunction with the unescaped output.

Key Concerns

0% of output operations are properly escaped
2 taint flows with unsanitized paths
0 Nonce checks on entry points

Vulnerabilities

None known

HTML to Post Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Version History

HTML to Post Release Timeline

v1.0Current

Code Analysis

Analyzed Mar 16, 2026

HTML to Post Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

0 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

0% escaped38 total outputs

Data Flows · Security

2 unsanitized

Data Flow Analysis

2 flows2 with unsanitized paths

redirect (fw_sujin_puglin.php:15)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

HTML to Post Attack Surface

Entry Points1

Unprotected0

Shortcodes 1

[html2post] functions.php:37

WordPress Hooks 7

filterthe_contentfunctions.php:25

actionwp_enqueue_scriptsfunctions.php:29

actionadmin_enqueue_scriptsfunctions.php:32

actionadd_meta_boxesfunctions.php:34

actionsave_postfunctions.php:35

actionwp_footerfw_sujin_puglin.php:11

actionadmin_footerfw_sujin_puglin.php:12

Maintenance & Trust

HTML to Post Maintenance & Trust

Maintenance Signals

WordPress version tested3.5.2

Last updatedJan 24, 2013

PHP min version

Downloads3K

Community Trust

Rating0/100

Number of ratings0

Active installs10

Alternatives

HTML to Post Alternatives

Raw HTML

raw-html

Lets you use raw HTML or any other code in your posts. You can also disable smart quotes and other automatic formatting on a per-post basis.

10K No CVEs

WP Minify Fix

wp-minify-fix

[Fixed] This plugin uses the Minify engine to combine and compress JS and CSS files to improve page load time.

900 No CVEs

Insert Code by Angie Makes

wpc-insert-code

Easily insert HTML, Javascript, CSS, into the head and footer areas of your site.

900 No CVEs

Specific CSS/JS for Posts and Pages

specific-cssjs-for-posts-and-pages

With Specific CSS/JS for Posts and Pages you can add CSS or JavaScript files to a specific page or post.

400 No CVEs

Insert JS or CSS in post via Custom Field

insert-js-or-css-in-post-via-custom-field

This plugin will insert urls of JavaScript or CSS stylesheet files added into a particular posts or page via Custom Fields.

10 No CVEs

Developer Profile

HTML to Post Developer Profile

sujin2f

6 plugins · 130 total installs

trust score

Avg Security Score

85/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect HTML to Post

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/html-to-post/style.css

Version Parameters

html-to-post/style.css?ver=

HTML / DOM Fingerprints

CSS Classes

unset

Data Attributes

data-post_id

JS Globals

sjHtmlToPost

Shortcode Output

[html2post /]

FAQ