kk blog card Security & Risk Analysis

wordpress.org/plugins/kk-blog-card

ショートコードを利用してブログカードを表示するプラグイン

30 active installs v1.3 PHP + WP 4.9.4+ Updated Mar 5, 2018
blogcardlinkcard
63
C · Use Caution
CVEs total1
Unpatched1
Last CVEJun 8, 2026
Safety Verdict

Is kk blog card Safe to Use in 2026?

Use With Caution

Score 63/100

kk blog card has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE 1 unpatched Last CVE: Jun 8, 2026Updated 8yr ago
Risk Assessment

The kk-blog-card plugin v1.3 exhibits a mixed security posture. On the positive side, it demonstrates good practices in areas such as using prepared statements for all SQL queries and ensuring all output is properly escaped. There are no known CVEs associated with this plugin, suggesting a generally stable history. However, the static analysis reveals significant concerns, particularly regarding its attack surface. The presence of an unprotected REST API route is a notable weakness, as it represents a direct entry point that could be exploited without proper authorization checks. The absence of nonce checks on its AJAX handlers, although there are none, is also a potential area for future vulnerabilities if AJAX functionality is added without adequate security. The plugin also performs file operations and makes external HTTP requests, which, while not inherently insecure, can become vectors for attack if not handled with extreme care and proper validation.

Key Concerns

  • Unprotected REST API route
  • Zero nonce checks on AJAX handlers
  • File operations without clear context
  • External HTTP requests without clear context
Vulnerabilities
1 published

kk blog card Security Vulnerabilities

CVEs by Year

1 CVE in 2026 · unpatched
2026
Patched Has unpatched

Severity Breakdown

Medium
1

1 total CVE

CVE-2026-8895medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

kk blog card <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

Jun 8, 2026Unpatched
Version History

kk blog card Release Timeline

v1.3Current1 CVE
v1.21 CVE
v1.11 CVE
v1.01 CVE
Code Analysis
Analyzed Mar 16, 2026

kk blog card Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
2 prepared
Unescaped Output
0
0 escaped
Nonce Checks
0
Capability Checks
0
File Operations
3
External Requests
1
Bundled Libraries
0

SQL Query Safety

100% prepared2 total queries
Attack Surface
1 unprotected

kk blog card Attack Surface

Entry Points2
Unprotected1

REST API Routes 1

GET/wp-json/v1/kkblogcardkk-blog-card-api.php:7

Shortcodes 1

[blog-card] kk-blog-card-shortcode.php:3
WordPress Hooks 5
actionrest_api_initkk-blog-card-api.php:6
actionwp_enqueue_scriptskk-blog-card-register.php:13
actionadmin_print_footer_scriptskk-blog-card-shortcode.php:11
filtermce_buttonskk-blog-card-shortcode.php:21
filtermce_external_pluginskk-blog-card-shortcode.php:28
Maintenance & Trust

kk blog card Maintenance & Trust

Maintenance Signals

WordPress version tested4.9.29
Last updatedMar 5, 2018
PHP min version
Downloads2K

Community Trust

Rating0/100
Number of ratings0
Active installs30
Developer Profile

kk blog card Developer Profile

kubotak

1 plugin · 30 total installs

68
trust score
Avg Security Score
63/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect kk blog card

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/kk-blog-card/index.js
Version Parameters
kk-blog-card/index.js?ver=1.3

HTML / DOM Fingerprints

Data Attributes
data-type
REST Endpoints
/wp-json/v1/kkblogcard
Shortcode Output
<blog-card href=data-type=
FAQ

Frequently Asked Questions about kk blog card