WP-Safety

Last FM Security & Risk Analysis

wordpress.org/plugins/last-fm

Permits the display in your sidebar of your most recent listened to tracks

40 active installs v1.0.3 PHP + WP 4.3.1+ Updated Apr 27, 2019
fmlastmusicrecenttracks
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is Last FM Safe to Use in 2026?

Generally Safe

Score 85/100

Last FM has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 6yr ago
Risk Assessment

The 'last-fm' v1.0.3 plugin exhibits a mixed security posture. On the positive side, the absence of known vulnerabilities in its history and a lack of dangerous functions, SQL queries without prepared statements, and file operations are strong indicators of good development practices regarding common attack vectors. The presence of a nonce check and a single external HTTP request are also positive signs. However, a significant concern arises from the static analysis of output escaping, where 100% of outputs are not properly escaped. This is a critical flaw that can lead to Cross-Site Scripting (XSS) vulnerabilities, allowing attackers to inject malicious scripts into the website. The taint analysis, while not reporting critical or high severity flows, did reveal 4 flows with unsanitized paths, which, combined with the unescaped output, presents a tangible risk of XSS if these paths involve user-controllable data.

Key Concerns

  • 100% of outputs not properly escaped
  • Taint flows with unsanitized paths
Vulnerabilities
None known

Last FM Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Last FM Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
11
0 escaped
Nonce Checks
1
Capability Checks
0
File Operations
0
External Requests
1
Bundled Libraries
0

Output Escaping

0% escaped11 total outputs
Data Flows
4 unsanitized

Data Flow Analysis

4 flows4 with unsanitized paths
lastfm_admin (last-fm.php:153)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Last FM Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 3
actionadmin_menulast-fm.php:44
actionwidgets_initlast-fm.php:56
actionadmin_noticeslast-fm.php:140
Maintenance & Trust

Last FM Maintenance & Trust

Maintenance Signals

WordPress version tested5.2.24
Last updatedApr 27, 2019
PHP min version
Downloads3K

Community Trust

Rating92/100
Number of ratings5
Active installs40
Alternatives

Last FM Alternatives

Recent LastFm Tracks

Recent LastFm Tracks

recent-lastfm-tracks

A
85

This simple widget includes your LastFm recent tracks into the sidebar.

10 No CVEs
Last.FM Recent Tracks – WordPress Plugin

Last.FM Recent Tracks – WordPress Plugin

recent-tracks-lastfm

A
85

With this plugin you can add your recent scrobbled tracks on Last.FM to your site.

10 No CVEs
Last.fm for WordPress

Last.fm for WordPress

lastfm-for-wordpress

A
85

Last.fm for WordPress displays your recently listened tracks in your WordPress blog.

40 No CVEs
last.fm Live!

last.fm Live!

lastfm-live

A
85

Widget to display your recently played tracks from last.fm LIVE! shows any song you play(& scrobble) on your site in realtime.

10 No CVEs
Last.fm RPS

Last.fm RPS

lastfm-rps

A
85

Widget Plugin that lists your recently listened songs on your sidebar with album or artist images and text.

10 No CVEs
Developer Profile

Last FM Developer Profile

Kieran O'Shea

4 plugins · 4K total installs

72
trust score
Avg Security Score
90/100
Avg Patch Time
1609 days
View full developer profile
Detection Fingerprints

How We Detect Last FM

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

HTML / DOM Fingerprints

FAQ

Frequently Asked Questions about Last FM