jQuery Hover Footnotes Security & Risk Analysis

wordpress.org/plugins/jquery-hover-footnotes

JQuery Hover Footnotes lets you add footnotes with qualifiers of you're choosing, then dynamically displays them on hover-over.

100 active installs v1.4 PHP + WP 2.8+ Updated Feb 23, 2011
footnoteshoverjquerypopup
41
D · High Risk
CVEs total2
Unpatched2
Last CVEJun 8, 2026
Safety Verdict

Is jQuery Hover Footnotes Safe to Use in 2026?

High Risk

Score 41/100

jQuery Hover Footnotes carries significant security risk with 2 known CVEs, 2 still unpatched. Consider switching to a maintained alternative.

2 known CVEs 2 unpatched Last CVE: Jun 8, 2026Updated 15yr ago
Risk Assessment

The "jquery-hover-footnotes" v1.4 plugin exhibits a mixed security posture. On the positive side, the static analysis reveals no direct attack surface in terms of AJAX handlers, REST API routes, shortcodes, or cron events that are exposed without authentication or permission checks. Furthermore, all SQL queries are properly prepared, and there are no observed file operations or external HTTP requests, which are common vectors for vulnerabilities. The plugin also has no recorded vulnerability history (CVEs), suggesting a history of relatively secure development or minimal public scrutiny.

However, significant concerns arise from the code analysis regarding output escaping. 100% of the identified output points are not properly escaped. This presents a substantial risk of Cross-Site Scripting (XSS) vulnerabilities, as malicious scripts could be injected into content displayed by the plugin. While the taint analysis did not reveal critical or high severity issues, the presence of unsanitized paths in the taint flows, albeit without immediate exploitable consequences in this snapshot, coupled with the complete lack of output escaping, indicates a potential for developing exploitable conditions if user-supplied data is not handled with extreme care. The absence of nonce and capability checks, while not directly exploitable due to the lack of exposed entry points, points to a lack of robust security implementation practices.

In conclusion, while the plugin is strong in preventing direct entry point attacks and has a clean vulnerability history, the severe lack of output escaping is a critical weakness that exposes users to XSS attacks. The taint analysis also hints at potential underlying issues with data handling. This plugin requires immediate attention to address the output escaping vulnerabilities to mitigate the significant XSS risk.

Key Concerns

  • All output points are not properly escaped
  • Taint flows with unsanitized paths present
  • No nonce checks implemented
  • No capability checks implemented
Vulnerabilities
2 published

jQuery Hover Footnotes Security Vulnerabilities

CVEs by Year

2 CVEs in 2026 · unpatched
2026
Patched Has unpatched

Severity Breakdown

Medium
2

2 total CVEs

CVE-2026-10553medium · 4.3Cross-Site Request Forgery (CSRF)

jQuery Hover Footnotes <= 1.4 - Cross-Site Request Forgery to Plugin Settings Update

Jun 8, 2026Unpatched
CVE-2026-10738medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

jQuery Hover Footnotes <= 1.4 - Authenticated (Author+) Stored Cross-Site Scripting via Footnote Qualifier ('{{...}}' Syntax)

Jun 8, 2026Unpatched
Version History

jQuery Hover Footnotes Release Timeline

Code Analysis
Analyzed Mar 16, 2026

jQuery Hover Footnotes Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
4
0 escaped
Nonce Checks
0
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

0% escaped4 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

2 flows2 with unsanitized paths
jqFootnotes_options_subpanel (jqFootnotes.php:55)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

jQuery Hover Footnotes Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 2
filterthe_contentjqFootnotes.php:264
actionadmin_menujqFootnotes.php:270
Maintenance & Trust

jQuery Hover Footnotes Maintenance & Trust

Maintenance Signals

WordPress version tested3.0.5
Last updatedFeb 23, 2011
PHP min version
Downloads9K

Community Trust

Rating86/100
Number of ratings4
Active installs100
Developer Profile

jQuery Hover Footnotes Developer Profile

Lance

1 plugin · 100 total installs

53
trust score
Avg Security Score
41/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect jQuery Hover Footnotes

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/jquery-hover-footnotes/jqfoot.css/wp-content/plugins/jquery-hover-footnotes/jqfoot.js
Script Paths
/wp-content/plugins/jquery-hover-footnotes/jqfoot.js
Version Parameters
jquery-hover-footnotes/jqfoot.css?ver=jquery-hover-footnotes/jqfoot.js?ver=

HTML / DOM Fingerprints

CSS Classes
jqFootnote
Data Attributes
data-jqFootnote-content
JS Globals
jqFootnote
FAQ

Frequently Asked Questions about jQuery Hover Footnotes