WP-Safety

LuckyWP Glossary Security & Risk Analysis

wordpress.org/plugins/luckywp-glossary

The plugin implements the glossary/dictionary functionality with support of synonyms.

200 active installs v1.0.9 PHP 5.6.20+ WP 4.7+ Updated Jul 1, 2020
dictionaryglossarysynonymstermswiki
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is LuckyWP Glossary Safe to Use in 2026?

Generally Safe

Score 85/100

LuckyWP Glossary has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 5yr ago
Risk Assessment

The "luckywp-glossary" plugin v1.0.9 exhibits a generally positive security posture in several key areas, indicating good development practices. The absence of any known CVEs and a clean vulnerability history are significant strengths, suggesting a stable and well-maintained codebase. Furthermore, the code utilizes prepared statements for all SQL queries, and the presence of nonce and capability checks demonstrates an awareness of common WordPress security mechanisms.

However, a critical concern arises from the static analysis revealing that 100% of output is not properly escaped. This is a significant weakness, as unescaped output can lead to Cross-Site Scripting (XSS) vulnerabilities if user-supplied data is rendered directly in the browser. While the taint analysis shows no critical or high severity flows, the presence of two flows with unsanitized paths, combined with the universal lack of output escaping, presents a potential vector for XSS. The limited attack surface (one shortcode) is a mitigating factor, but the vulnerability potential from unescaped output remains.

In conclusion, while the plugin benefits from a clean vulnerability history and secure database query practices, the pervasive lack of output escaping represents a notable security risk that needs immediate attention. The absence of critical taint flows is reassuring but doesn't negate the inherent danger of unescaped output, especially considering the identified unsanitized paths.

Key Concerns

  • 100% of output is not properly escaped
  • 2 flows with unsanitized paths
Vulnerabilities
None known

LuckyWP Glossary Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

LuckyWP Glossary Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
47
0 escaped
Nonce Checks
1
Capability Checks
4
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

0% escaped47 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

2 flows2 with unsanitized paths
showTabs (core\wp\Settings.php:400)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

LuckyWP Glossary Attack Surface

Entry Points1
Unprotected0

Shortcodes 1

[lwpglsTermsArchive] plugin\shortcodes\termsArchive\TermsArchiveShortcode.php:15
WordPress Hooks 28
actionadmin_menuadmin\Admin.php:28
actionadd_meta_boxesadmin\Admin.php:29
actionadmin_noticesadmin\Admin.php:30
actionadmin_enqueue_scriptsadmin\Admin.php:31
filterdisplay_post_statesadmin\Admin.php:40
actionadmin_noticesadmin\Admin.php:56
actionsave_postadmin\controllers\MbTermSynonymsController.php:16
actionwp_loadedcore\admin\AdminController.php:20
actionplugins_loadedcore\base\BasePlugin.php:61
actionwp_loadedcore\wp\RewriteRules.php:14
actionadmin_initcore\wp\Settings.php:98
actionwp_enqueue_scriptsfront\Front.php:24
filterwp_list_pagesfront\Front.php:27
filternav_menu_css_classfront\Front.php:44
actioninitfront\Route.php:28
filterrewrite_rules_arrayfront\Route.php:31
actionpre_get_postsfront\Route.php:34
actionwpfront\Route.php:54
filtersave_postfront\Route.php:62
filterpost_type_archive_linkfront\Route.php:72
filterpost_type_linkfront\Route.php:77
actiontemplate_redirectfront\Route.php:108
filterthe_contentfront\template_hooks.php:6
actioninitplugin\Plugin.php:44
actionadmin_initplugin\shortcodes\termsArchive\TermsArchiveShortcode.php:16
actionprint_media_templatesplugin\shortcodes\termsArchive\TermsArchiveShortcode.php:19
filtermce_external_pluginsplugin\shortcodes\termsArchive\TermsArchiveShortcode.php:28
filtermce_buttonsplugin\shortcodes\termsArchive\TermsArchiveShortcode.php:32
Maintenance & Trust

LuckyWP Glossary Maintenance & Trust

Maintenance Signals

WordPress version tested5.4.19
Last updatedJul 1, 2020
PHP min version5.6.20
Downloads8K

Community Trust

Rating94/100
Number of ratings6
Active installs200
Alternatives

LuckyWP Glossary Alternatives

Heroic Glossary – Block for building Glossaries, Dictionaries and more

Heroic Glossary – Block for building Glossaries, Dictionaries and more

heroic-glossary

A
100

The best WordPress glossary builder plugin to create and manage your own glossary of terms.

4K No CVEs
Encyclopedia / Glossary / Wiki

Encyclopedia / Glossary / Wiki

encyclopedia-lexicon-glossary-wiki-dictionary

A
91

Supercharged tool to build your own awesome Encyclopedia / Lexicon / Glossary / Wiki / Dictionary / Knowledge base / Directory / Vocabulary in no time

1K 1 CVE
iThoughts Tooltip Glossary

iThoughts Tooltip Glossary

ithoughts-tooltip-glossary

A
85

Create beautiful tooltips for descriptions or glossary terms, easily

20 No CVEs
mowsterGlossary

mowsterGlossary

mowster-glossary

A
85

Allows to manage and display a glossary in WordPress.

10 No CVEs
3task Glossary – Dictionary, Wiki & Knowledge Base

3task Glossary – Dictionary, Wiki & Knowledge Base

3task-glossary

A
100

Create glossaries, dictionaries & knowledge bases using WordPress pages. A-Z navigation, auto-linking, dark mode. No database, just pages.

0 No CVEs
Developer Profile

LuckyWP Glossary Developer Profile

LuckyWP

5 plugins · 119K total installs

76
trust score
Avg Security Score
95/100
Avg Patch Time
174 days
View full developer profile
Detection Fingerprints

How We Detect LuckyWP Glossary

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/luckywp-glossary/assets/css/admin.css/wp-content/plugins/luckywp-glossary/assets/js/admin.js/wp-content/plugins/luckywp-glossary/assets/css/term-synonyms-metabox.css/wp-content/plugins/luckywp-glossary/assets/js/term-synonyms-metabox.js/wp-content/plugins/luckywp-glossary/assets/css/settings.css/wp-content/plugins/luckywp-glossary/assets/js/settings.js/wp-content/plugins/luckywp-glossary/assets/css/glossary.css/wp-content/plugins/luckywp-glossary/assets/js/glossary.js
Script Paths
/wp-content/plugins/luckywp-glossary/assets/js/admin.js/wp-content/plugins/luckywp-glossary/assets/js/term-synonyms-metabox.js/wp-content/plugins/luckywp-glossary/assets/js/settings.js/wp-content/plugins/luckywp-glossary/assets/js/glossary.js
Version Parameters
luckywp-glossary/assets/css/admin.css?ver=luckywp-glossary/assets/js/admin.js?ver=luckywp-glossary/assets/css/term-synonyms-metabox.css?ver=luckywp-glossary/assets/js/term-synonyms-metabox.js?ver=luckywp-glossary/assets/css/settings.css?ver=luckywp-glossary/assets/js/settings.js?ver=luckywp-glossary/assets/css/glossary.css?ver=luckywp-glossary/assets/js/glossary.js?ver=

HTML / DOM Fingerprints

CSS Classes
lwpgls-synonyms-metaboxlwpgls-settings-pagelwpgls-glossary-termslwpgls-term-synonyms
HTML Comments
<!-- LuckyWP Glossary -->
Data Attributes
data-lwpgls-term-iddata-lwpgls-synonym-id
JS Globals
luckywp_glossary_admin_paramsluckywp_glossary_metabox_paramsluckywp_glossary_settings_paramsluckywp_glossary_params
Shortcode Output
[lwpglsTermsArchive]
FAQ

Frequently Asked Questions about LuckyWP Glossary