IndieWeb Security & Risk Analysis

wordpress.org/plugins/indieweb

IndieWeb for WordPress!

600 active installs · v5.0.0 · PHP 7.4+ · WP 4.7+ · Updated Dec 19, 2025
Tags: indieauth, indieweb, posse, webmention
Score 99 · A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Jan 8, 2026
Safety Verdict

Is IndieWeb Safe to Use in 2026?

Generally Safe

Score 99/100

IndieWeb has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Jan 8, 2026 · Updated 3mo ago
Risk Assessment

The "indieweb" plugin version 5.0.0 exhibits a generally good security posture based on the static analysis provided. It demonstrates strong adherence to best practices such as using prepared statements for all SQL queries and a high percentage of properly escaped output. Furthermore, it incorporates nonce and capability checks on its entry points, limiting the attack surface that could be exploited without proper authorization. The absence of any critical or high-severity taint flows suggests that user-supplied data is being handled with care.

Despite these strengths, there are minor areas for improvement. The presence of a past medium-severity Cross-Site Scripting (XSS) vulnerability, even though currently patched, warrants continued vigilance. While the static analysis shows no immediate exploitable XSS, the history suggests a potential area where developer attention might be needed in future audits. The fact that the last vulnerability was recorded in 2026 indicates that the plugin might not be actively maintained or that there's a lag in vulnerability reporting, which could be a concern for long-term security.

In conclusion, "indieweb" v5.0.0 appears to be a relatively secure plugin, with robust handling of database queries and output. The primary concern stems from its historical vulnerability to XSS, highlighting the need for ongoing security scrutiny. The plugin's low number of entry points and their proper authentication are positive indicators. However, the dated vulnerability history might suggest a need for more frequent updates or a review of its maintenance cycle to ensure continued security.

Key Concerns

  • Past medium CVE (XSS)
  • Bundled library (Lodash)
Vulnerabilities: 1

IndieWeb Security Vulnerabilities

CVEs by Year

2026: 1 CVE

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-14893 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

IndieWeb <= 4.0.5 - Authenticated (Author+) Stored Cross-Site Scripting via 'Telephone' Parameter

Jan 8, 2026 Patched in 5.0.0 (1d)
Code Analysis
Analyzed Mar 16, 2026

IndieWeb Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (1 prepared)
  • Unescaped Output: 13 (171 escaped)
  • Nonce Checks: 2
  • Capability Checks: 4
  • File Operations: 1
  • External Requests: 0
  • Bundled Libraries: 1

Bundled Libraries

Lodash

SQL Query Safety

100% prepared · 1 total queries

Output Escaping

93% escaped · 184 total outputs
Attack Surface

IndieWeb Attack Surface

Entry Points: 2
Unprotected: 0

AJAX Handlers 2

auth    wp_ajax_cnkt_plugin_installer     includes\class-plugin-installer.php:32
auth    wp_ajax_cnkt_plugin_activation    includes\class-plugin-installer.php:33

WordPress Hooks 23

action  admin_menu               includes\class-general-settings.php:8
action  init                     includes\class-general-settings.php:9
action  admin_menu               includes\class-general-settings.php:10
action  widgets_init             includes\class-hcard-author-widget.php:10
action  init                     includes\class-hcard-user.php:8
action  widgets_init             includes\class-hcard-user.php:9
filter  author_link              includes\class-hcard-user.php:22
filter  user_contactmethods      includes\class-hcard-user.php:24
action  show_user_profile        includes\class-hcard-user.php:26
action  edit_user_profile        includes\class-hcard-user.php:27
action  personal_options_update  includes\class-hcard-user.php:29
action  edit_user_profile_update includes\class-hcard-user.php:30
filter  wp_head                  includes\class-hcard-user.php:31
action  rest_api_init            includes\class-hcard-user.php:32
action  init                     includes\class-integrations.php:8
filter  pubsubhubbub_feed_urls   includes\class-integrations.php:19
action  admin_enqueue_scripts    includes\class-plugin-installer.php:31
action  wp_head                  includes\class-relme-widget.php:26
action  plugins_loaded           indieweb.php:18
action  wp_enqueue_scripts       indieweb.php:61
action  admin_enqueue_scripts    indieweb.php:63
action  admin_menu               indieweb.php:72
action  admin_init               indieweb.php:75

Maintenance & Trust

IndieWeb Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 19, 2025
PHP min version: 7.4
Downloads: 31K

Community Trust

Rating: 100/100
Number of ratings: 6
Active installs: 600
Developer Profile

IndieWeb Developer Profile

IndieWeb

5 plugins · 1K total installs

Trust score: 94
Avg Security Score: 92/100
Avg Patch Time: 4 days
Detection Fingerprints

How We Detect IndieWeb

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/indieweb/static/css/indieweb-bw.css
  • /wp-content/plugins/indieweb/static/css/indieweb.css
  • /wp-content/plugins/indieweb/static/css/indieweb-admin.css
Version Parameters
  • indieweb-bw.css?ver=
  • indieweb.css?ver=
  • indieweb-admin.css?ver=

HTML / DOM Fingerprints

CSS Classes
  • cnkt-plugin-installer
Data Attributes
  • data-slug="webmention"
  • data-slug="micropub"
  • data-slug="indieweb-post-kinds"
  • data-slug="syndication-links"
  • data-slug="indieauth"
  • data-slug="simple-location"
  • +2 more