Does InComment have any unpatched vulnerabilities?

No. All known vulnerabilities in InComment have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is InComment compatible with WordPress 3.0.5?

According to WordPress.org data, InComment 0.4 has been tested up to WordPress 3.0.5. Check the plugin's changelog for the latest compatibility information.

How often is InComment updated?

InComment was last updated on Jan 10, 2011. Frequent updates are generally a positive security signal.

What is InComment's security score?

InComment has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

InComment Security & Risk Analysis

wordpress.org/plugins/incomment-referrer

Adds an extra "referral" note to the bottom of comment forms, so you could see where people come from comment. Useful for finding resources …

10 active installs v0.4 PHP + WP 2.8+ Updated Jan 10, 2011

commentcookiedofollowreferralspam

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is InComment Safe to Use in 2026?

Generally Safe

Score 85/100

InComment has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 15yr ago

Risk Assessment

The "incomment-referrer" plugin version 0.4 presents a mixed security posture. On the positive side, it exhibits no known CVEs and has a minimal attack surface, with no reported AJAX handlers, REST API routes, shortcodes, or cron events. The plugin also avoids dangerous functions and external HTTP requests, and all SQL queries are prepared, which are strong security practices. However, there are significant concerns regarding output escaping and taint analysis. Notably, 100% of outputs are not properly escaped, posing a risk of Cross-Site Scripting (XSS) vulnerabilities. Furthermore, the taint analysis revealed two flows with unsanitized paths, indicating potential avenues for malicious data injection or manipulation, although these were not classified as critical or high severity. The lack of nonce and capability checks, while less critical in this instance due to the zero attack surface, highlights a broader pattern of insufficient input validation and authorization checks that could become problematic if the plugin's functionality were to expand.

Key Concerns

Unescaped output
Taint flows with unsanitized paths
Missing nonce checks
Missing capability checks

Vulnerabilities

None known

InComment Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 17, 2026

InComment Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

0 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

0% escaped1 total outputs

Data Flows

2 unsanitized

Data Flow Analysis

2 flows2 with unsanitized paths

incomment_add_referrers (incomment.php:33)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

InComment Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 4

actionsend_headersincomment.php:22

filtercomment_notification_textincomment.php:23

filtercomment_moderation_textincomment.php:24

actioncomment_formincomment.php:25

Maintenance & Trust

InComment Maintenance & Trust

Maintenance Signals

WordPress version tested3.0.5

Last updatedJan 10, 2011

PHP min version

Downloads2K

Community Trust

Rating0/100

Number of ratings0

Active installs10

Alternatives

InComment Alternatives

Cookies for Comments

cookies-for-comments

Sets a cookie on a random URL that is then checked when a comment is posted. If the cookie is missing the comment is marked as spam.

20K No CVEs

WP referrer spam blacklist (fight 2040+ Referrer Spammers in (Google/Matomo) Analytics)

wp-referrer-spam-blacklist

WordPress plugin to fight with 2040+ referrer spammers (like semalt, buttons-for-website and many more).

700 No CVEs

CommentRefs

comment-refs

Build bigger community and inspire more reading by reward the commentator a link to their recent post.

0 No CVEs

Akismet Anti-spam: Spam Protection

akismet

The best anti-spam protection to block spam comments and spam in a contact form. The most trusted antispam solution for WordPress and WooCommerce.

6.0M 2 CVEs

Disable Comments – Remove Comments & Stop Spam [Multi-Site Support]

disable-comments

Allows administrators to globally disable comments on their site. Comments can be disabled according to post type. Multisite friendly.

1.0M 1 CVE

Developer Profile

InComment Developer Profile

Rhys Wynne

13 plugins · 7K total installs

trust score

Avg Security Score

93/100

Avg Patch Time

476 days

View full developer profile

Detection Fingerprints

How We Detect InComment

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/incomment-referrer/style.css/wp-content/plugins/incomment-referrer/script.js

Script Paths

/wp-content/plugins/incomment-referrer/script.js

Version Parameters

incomment-referrer/style.css?ver=incomment-referrer/script.js?ver=

HTML / DOM Fingerprints

Data Attributes

name='incomment_ref'

Shortcode Output

<input type='hidden' name='incomment_ref' value='

FAQ