Post Kinds Security & Risk Analysis

wordpress.org/plugins/indieweb-post-kinds

Ever want to reply to someone else's post with a post on your own site? Or to "like" someone else's post, but with your own site?

100 active installs v3.7.3 PHP 7.0+ WP 4.9.9+ Updated Apr 9, 2024
Tags: indieweb, interaction, posts, share, webmention

Score: 92 · A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: May 13, 2015

Safety Verdict

Is Post Kinds Safe to Use in 2026?

Generally Safe

Score 92/100

Post Kinds has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: May 13, 2015 · Updated 1yr ago

Risk Assessment

The "indieweb-post-kinds" plugin v3.7.3 presents a mixed security posture. While it demonstrates good practices in several areas, such as using prepared statements for all SQL queries and having no known critical or high-severity vulnerabilities in its history, there are significant concerns arising from the static analysis.

The plugin exposes one REST API route that lacks permission callbacks, creating an unprotected entry point into the application. This is a critical flaw as it means any unauthenticated user could potentially interact with this endpoint. Although the static analysis did not reveal any dangerous functions, unescaped output, or unsanitized taint flows, the presence of an unprotected API route is a substantial risk that could be exploited for various malicious purposes, depending on the functionality of that route.

The vulnerability history, while dated, shows a past medium-severity Cross-Site Scripting (XSS) vulnerability. The lack of recent vulnerabilities and the existence of only one medium-severity one from 2015 could indicate improved development practices over time or simply a lack of recent, impactful discoveries. However, the current static analysis findings, particularly the unprotected REST API route, overshadow the historical record. The plugin's overall security is moderately compromised by this single, significant exposure.

Key Concerns

  • Unprotected REST API route
  • Low output escaping rate (42%)
  • Dated vulnerability history (2015)

Vulnerabilities: 1

Post Kinds Security Vulnerabilities

CVEs by Year

1 CVE in 2015

Severity Breakdown

Medium: 1

1 total CVE

CVE-2015-9494 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Post Kinds < 1.3.1.1 - Cross-Site Scripting

May 13, 2015 · Patched in 1.3.1.1 (3177d)

Code Analysis
Analyzed Mar 16, 2026

Post Kinds Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 190 (137 escaped)
Nonce Checks: 1
Capability Checks: 3
File Operations: 1
External Requests: 0
Bundled Libraries: 0

Output Escaping

42% escaped · 327 total outputs

Attack Surface: 1 unprotected

Post Kinds Attack Surface

Entry Points: 1
Unprotected: 1

REST API Routes: 1

GET /wp-json/post-kinds/1.0/fields includes\class-kind-taxonomy.php:96

WordPress Hooks: 72

action admin_init includes\class-kind-config.php:22
action admin_menu includes\class-kind-config.php:23
action load-post.php includes\class-kind-config.php:25
action admin_bar_menu includes\class-kind-config.php:92
action admin_bar_menu includes\class-kind-config.php:93
filter query_vars includes\class-kind-config.php:192
filter wp_generate_attachment_metadata includes\class-kind-media-metadata.php:15
filter wp_update_attachment_metadata includes\class-kind-media-metadata.php:17
action wp_enqueue_scripts includes\class-kind-media-metadata.php:19
action save_post includes\class-kind-media-metadata.php:21
filter attachment_fields_to_edit includes\class-kind-media-metadata.php:23
filter attachment_fields_to_save includes\class-kind-media-metadata.php:24
action edit_form_after_title includes\class-kind-metabox.php:22
action load-post.php includes\class-kind-metabox.php:24
action load-post-new.php includes\class-kind-metabox.php:25
action save_post includes\class-kind-metabox.php:26
action transition_post_status includes\class-kind-metabox.php:27
filter wp_insert_post_empty_content includes\class-kind-metabox.php:28
action change_kind includes\class-kind-metabox.php:29
action add_meta_boxes includes\class-kind-metabox.php:125
action admin_enqueue_scripts includes\class-kind-metabox.php:126
action after_micropub includes\class-kind-plugins.php:19
action after_micropub includes\class-kind-plugins.php:20
filter before_micropub includes\class-kind-plugins.php:21
filter tempus_widget_post_title includes\class-kind-plugins.php:22
filter semantic_linkbacks_post_type includes\class-kind-plugins.php:24
action hum_local_types includes\class-kind-plugins.php:38
action hum_type_prefix includes\class-kind-plugins.php:39
filter activitypub_post includes\class-kind-plugins.php:42
filter get_the_archive_title includes\class-kind-taxonomy.php:19
filter get_the_archive_title includes\class-kind-taxonomy.php:21
filter get_the_archive_title_prefix includes\class-kind-taxonomy.php:24
filter get_the_archive_description includes\class-kind-taxonomy.php:25
filter document_title_parts includes\class-kind-taxonomy.php:26
filter post_link includes\class-kind-taxonomy.php:29
filter post_type_link includes\class-kind-taxonomy.php:30
filter query_vars includes\class-kind-taxonomy.php:33
action pre_get_posts includes\class-kind-taxonomy.php:34
action pre_get_posts includes\class-kind-taxonomy.php:35
action pre_get_posts includes\class-kind-taxonomy.php:36
action pre_get_posts includes\class-kind-taxonomy.php:37
action restrict_manage_posts includes\class-kind-taxonomy.php:40
filter webmention_links includes\class-kind-taxonomy.php:43
filter enclosure_links includes\class-kind-taxonomy.php:46
filter post_class includes\class-kind-taxonomy.php:49
filter transition_post_status includes\class-kind-taxonomy.php:52
action save_post includes\class-kind-taxonomy.php:54
action set_object_terms includes\class-kind-taxonomy.php:57
filter single_post_title includes\class-kind-taxonomy.php:59
filter the_title includes\class-kind-taxonomy.php:60
filter get_sample_permalink includes\class-kind-taxonomy.php:61
action rest_api_init includes\class-kind-taxonomy.php:63
filter embed_template_hierarchy includes\class-kind-taxonomy.php:65
filter template_include includes\class-kind-taxonomy.php:66
action rest_api_init includes\class-kind-taxonomy.php:68
filter the_content includes\class-kind-view.php:13
filter the_content_feed includes\class-kind-view.php:14
filter the_excerpt includes\class-kind-view.php:15
filter json_feed_item includes\class-kind-view.php:18
filter wp_get_attachment_image_attributes includes\class-kind-view.php:19
action upgrader_process_complete indieweb-post-kinds.php:40
action admin_notices indieweb-post-kinds.php:43
action admin_notices indieweb-post-kinds.php:47
action plugins_loaded indieweb-post-kinds.php:50
action init indieweb-post-kinds.php:51
action init indieweb-post-kinds.php:153
action wp_enqueue_scripts indieweb-post-kinds.php:161
action admin_enqueue_scripts indieweb-post-kinds.php:162
action admin_init indieweb-post-kinds.php:165
action do_feed_rss2 indieweb-post-kinds.php:168
action do_feed_atom indieweb-post-kinds.php:169
action widgets_init indieweb-post-kinds.php:172

Maintenance & Trust

Post Kinds Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.5.8
Last updated: Apr 9, 2024
PHP min version: 7.0
Downloads: 32K

Community Trust

Rating: 86/100
Number of ratings: 6
Active installs: 100

Developer Profile

Post Kinds Developer Profile

David Shanske

5 plugins · 720 total installs

Trust score: 77
Avg Security Score: 97/100
Avg Patch Time: 3177 days

Detection Fingerprints

How We Detect Post Kinds

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/indieweb-post-kinds/css/kind.min.css
/wp-content/plugins/indieweb-post-kinds/css/kind.admin.min.css
Version Parameters
indieweb-post-kinds/css/kind.min.css?ver=
indieweb-post-kinds/css/kind.admin.min.css?ver=

HTML / DOM Fingerprints

CSS Classes
kind-menu-widget
kind-post-widget
Data Attributes
data-kind
REST Endpoints
/wp-json/parse-this/