Does Include Me have any unpatched vulnerabilities?

No. All known vulnerabilities in Include Me have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Include Me compatible with WordPress 6.9.4?

According to WordPress.org data, Include Me 1.3.7 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

Is Include Me compatible with PHP 7.0+?

Include Me requires PHP 7.0 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Include Me updated?

Include Me was last updated on Feb 5, 2026. Frequent updates are generally a positive security signal.

What is Include Me's security score?

Include Me has a WP-Safety security score of 97/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Include Me Security & Risk Analysis

wordpress.org/plugins/include-me

Include Me helps to include any external file (textual, HTML or PHP) in posts or pages.

4K active installs v1.3.7 PHP 7.0+ WP 6.1+ Updated Feb 5, 2026

external-pageiframeincludephpphp-execute

A · Safe

CVEs total2

Unpatched0

Last CVESep 9, 2025

Plugin page Download

Safety Verdict

Is Include Me Safe to Use in 2026?

Generally Safe

Score 97/100

Include Me has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEsLast CVE: Sep 9, 2025Updated 1mo ago

Risk Assessment

The 'include-me' plugin v1.3.7 exhibits a mixed security posture. While the static analysis reveals good practices such as 100% output escaping and the presence of nonce and capability checks, the lack of prepared statements for its single SQL query is a significant concern, especially given its vulnerability history. The total absence of unprotected entry points (AJAX, REST API) is a strong positive sign, indicating that immediate public-facing code execution is well-protected. However, the plugin's past vulnerabilities, including Cross-site Scripting and PHP Remote File Inclusion, are critical red flags. The presence of these severe vulnerability types in its history, despite no currently unpatched CVEs, suggests a recurring pattern of insecure coding practices that may not be fully addressed by the current version. While the static analysis does not reveal active critical or high severity taint flows, the historical data strongly indicates a latent risk that users should be aware of. Therefore, users should proceed with caution and ensure diligent updating practices.

Key Concerns

SQL queries not using prepared statements
Total known CVEs (2) in history
High severity historical CVE (1)
Medium severity historical CVE (1)

Vulnerabilities

Include Me Security Vulnerabilities

CVEs by Year

1 CVE in 2022

2022

1 CVE in 2025

2025

Patched Has unpatched

Severity Breakdown

High

Medium

2 total CVEs

CVE-2025-58983medium · 4.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Include Me <= 1.3.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Sep 9, 2025 Patched in 1.3.3 (7d)

CVE-2021-24453high · 8.8Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Include Me <= 1.2.1 - Local File Inclusion leading to Authenticated Remote Code Execution

Jan 2, 2022 Patched in 1.2.2 (751d)

Code Analysis

Analyzed Mar 16, 2026

Include Me Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

11 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

0% prepared1 total queries

Output Escaping

100% escaped11 total outputs

Data Flows

All sanitized

Data Flow Analysis

1 flows

<options> (admin\options.php:0)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

Include Me Attack Surface

Entry Points1

Unprotected0

Shortcodes 1

[includeme] plugin.php:141

WordPress Hooks 1

actionadmin_menuplugin.php:22

Maintenance & Trust

Include Me Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedFeb 5, 2026

PHP min version7.0

Downloads91K

Community Trust

Rating96/100

Number of ratings21

Active installs4K

Alternatives

Include Me Alternatives

HG3-Include

hg3-include

Plugin to include any code (html, php, javascript,...) directly into the WordPress editor.

10 No CVEs

WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager

insert-headers-and-footers

Easily add code snippets in WordPress. Insert header & footer scripts, add PHP code snippets with conditional logic, insert ads pixel code, and more.

3.0M 3 CVEs

WPS Hide Login

wps-hide-login

Change wp-login.php to anything you want.

2.0M 10 CVEs

Code Snippets

code-snippets

An easy, clean and simple way to enhance your site with code snippets.

1.0M 7 CVEs

Header Footer Code Manager

header-footer-code-manager

Easily add tracking code snippets, conversion pixels, or other scripts required by third party services for analytics, marketing, or chat features.

600K 4 CVEs

Developer Profile

Include Me Developer Profile

Stefano Lissa

14 plugins · 515K total installs

trust score

Avg Security Score

94/100

Avg Patch Time

650 days

View full developer profile

Detection Fingerprints

How We Detect Include Me

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

HTML / DOM Fingerprints

Shortcode Output

Include me shortcode: the file attribute is emptyThe provided file (<code></code>) does not exist. This message is shown only to administrators.The provided file (<code>

FAQ