Markup Markdown Security & Risk Analysis

wordpress.org/plugins/markup-markdown

Disable WordPress's native Gutenberg or TinyMCE editor in favor of a Markdown editor.

2K active installs v3.25.1 PHP 7.2.0+ WP 6.6+ Updated Nov 28, 2025
editor, markdown
97
A · Safe
CVEs total: 3
Unpatched: 0
Last CVE: Sep 1, 2025
Safety Verdict

Is Markup Markdown Safe to Use in 2026?

Generally Safe

Score 97/100

Markup Markdown has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

3 known CVEs · Last CVE: Sep 1, 2025 · Updated 5mo ago
Risk Assessment

The "markup-markdown" v3.25.1 plugin exhibits a generally good security posture based on static analysis, with a limited attack surface and no identified critical or high-severity taint flows. The plugin also demonstrates responsible coding practices by utilizing prepared statements for all SQL queries and incorporating nonce and capability checks for its AJAX handler. A high percentage of output escaping suggests a good effort to prevent cross-site scripting vulnerabilities.

However, the plugin's vulnerability history reveals a pattern of three past medium-severity Cross-Site Scripting (XSS) vulnerabilities. While there are no currently unpatched CVEs, the recurring nature of XSS issues, even if patched, indicates a persistent area of concern that warrants careful monitoring. The static analysis did not identify any critical security weaknesses, but the historical context suggests that further scrutiny of the output escaping logic and input validation, particularly concerning user-generated content that is rendered, could be beneficial. Overall, the plugin is reasonably secure, but the past XSS vulnerabilities necessitate a cautious approach.

Key Concerns

  • 3 medium severity XSS vulnerabilities in history
  • 84% of output properly escaped
Vulnerabilities
3 published

Markup Markdown Security Vulnerabilities

CVEs by Year

3 CVEs in 2025

Severity Breakdown

Medium: 3

3 total CVEs

CVE-2025-9540 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Markup Markdown <= 3.20.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

Sep 1, 2025 · Patched in 3.20.10 (25d)

CVE-2025-9541 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Markup Markdown <= 3.20.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

Sep 1, 2025 · Patched in 3.20.10 (25d)

CVE-2025-49420 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Markup Markdown <= 3.20.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

Aug 19, 2025 · Patched in 3.20.7 (7d)

Code Analysis
Analyzed Mar 16, 2026

Markup Markdown Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 18 (95 escaped)
Nonce Checks: 3
Capability Checks: 1
File Operations: 5
External Requests: 3
Bundled Libraries: 0

Output Escaping

84% escaped · 113 total outputs
Attack Surface

Markup Markdown Attack Surface

Entry Points: 1
Unprotected: 0

AJAX Handlers: 1

auth · wp_ajax_mmduser-editoptions · MarkupMarkdown\Addons\Released\EngineEasyMDE.php:54

WordPress Hooks: 158
filter · mmd_verified_config · MarkupMarkdown\Addons\Released\CodeHighlighter.php:36
filter · mmd_var2const · MarkupMarkdown\Addons\Released\CodeHighlighter.php:37
action · admin_enqueue_scripts · MarkupMarkdown\Addons\Released\CodeHighlighter.php:38
action · wp_head · MarkupMarkdown\Addons\Released\CodeHighlighter.php:46
action · wp_footer · MarkupMarkdown\Addons\Released\CodeHighlighter.php:47
action · mmd_tabmenu_options · MarkupMarkdown\Addons\Released\CodeHighlighter.php:100
action · mmd_tabcontent_options · MarkupMarkdown\Addons\Released\CodeHighlighter.php:101
filter · mmd_verified_config · MarkupMarkdown\Addons\Released\Comments.php:35
filter · mmd_var2const · MarkupMarkdown\Addons\Released\Comments.php:36
action · admin_enqueue_scripts · MarkupMarkdown\Addons\Released\Comments.php:37
filter · comment_text · MarkupMarkdown\Addons\Released\Comments.php:39
action · mmd_tabmenu_options · MarkupMarkdown\Addons\Released\Comments.php:78
action · mmd_tabcontent_options · MarkupMarkdown\Addons\Released\Comments.php:79
action · admin_enqueue_scripts · MarkupMarkdown\Addons\Released\Debug.php:24
action · mmd_tabmenu_options · MarkupMarkdown\Addons\Released\Debug.php:31
action · mmd_tabcontent_options · MarkupMarkdown\Addons\Released\Debug.php:32
filter · screen_settings · MarkupMarkdown\Addons\Released\EngineEasyMDE.php:57
action · init · MarkupMarkdown\Addons\Released\EngineEasyMDE.php:59
action · wp_head · MarkupMarkdown\Addons\Released\EngineEasyMDE.php:63
action · admin_enqueue_scripts · MarkupMarkdown\Addons\Released\EngineEasyMDE.php:145
filter · mmd_verified_config · MarkupMarkdown\Addons\Released\LaTeX.php:32
filter · mmd_var2const · MarkupMarkdown\Addons\Released\LaTeX.php:33
action · admin_enqueue_scripts · MarkupMarkdown\Addons\Released\LaTeX.php:34
action · mmd_load_engine_stylesheets · MarkupMarkdown\Addons\Released\LaTeX.php:41
action · mmd_load_engine_scripts · MarkupMarkdown\Addons\Released\LaTeX.php:42
action · wp_head · MarkupMarkdown\Addons\Released\LaTeX.php:44
action · wp_footer · MarkupMarkdown\Addons\Released\LaTeX.php:45
action · mmd_tabmenu_options · MarkupMarkdown\Addons\Released\LaTeX.php:98
action · mmd_tabcontent_options · MarkupMarkdown\Addons\Released\LaTeX.php:99
filter · mmd_verified_config · MarkupMarkdown\Addons\Released\Layout.php:55
filter · mmd_var2const · MarkupMarkdown\Addons\Released\Layout.php:56
action · admin_enqueue_scripts · MarkupMarkdown\Addons\Released\Layout.php:57
filter · addon_markdown2html · MarkupMarkdown\Addons\Released\Layout.php:59
filter · addon_markdown2html · MarkupMarkdown\Addons\Released\Layout.php:62
filter · gallery_style · MarkupMarkdown\Addons\Released\Layout.php:63
filter · wp_get_attachment_link_attributes · MarkupMarkdown\Addons\Released\Layout.php:64
filter · body_class · MarkupMarkdown\Addons\Released\Layout.php:65
action · wp_enqueue_scripts · MarkupMarkdown\Addons\Released\Layout.php:67
action · mmd_tabmenu_options · MarkupMarkdown\Addons\Released\Layout.php:145
action · mmd_tabcontent_options · MarkupMarkdown\Addons\Released\Layout.php:146
filter · gallery_style · MarkupMarkdown\Addons\Released\Layout.php:237
filter · wp_get_attachment_link_attributes · MarkupMarkdown\Addons\Released\Layout.php:238
filter · addon_markdown2html · MarkupMarkdown\Addons\Released\Media\Image.php:44
filter · the_content · MarkupMarkdown\Addons\Released\Media\Image.php:72
filter · addon_markdown2html · MarkupMarkdown\Addons\Released\Media\Vimeo.php:29
filter · addon_markdown2html · MarkupMarkdown\Addons\Released\Media\Youtube.php:29
filter · mmd_verified_config · MarkupMarkdown\Addons\Released\Mermaid.php:32
filter · mmd_var2const · MarkupMarkdown\Addons\Released\Mermaid.php:33
action · admin_enqueue_scripts · MarkupMarkdown\Addons\Released\Mermaid.php:34
action · mmd_load_engine_scripts · MarkupMarkdown\Addons\Released\Mermaid.php:41
action · wp_footer · MarkupMarkdown\Addons\Released\Mermaid.php:43
action · mmd_tabmenu_options · MarkupMarkdown\Addons\Released\Mermaid.php:94
action · mmd_tabcontent_options · MarkupMarkdown\Addons\Released\Mermaid.php:95
filter · acf/format_value/type=markupmarkdown · MarkupMarkdown\Addons\Unsupported\AdvancedCustomFields\mmd_acf_field_markdown.php:75
action · init · MarkupMarkdown\Addons\Unsupported\AdvancedCustomFields.php:30
action · wp · MarkupMarkdown\Addons\Unsupported\AdvancedCustomFields.php:32
filter · acf/post_type/available_supports · MarkupMarkdown\Addons\Unsupported\AdvancedCustomFields.php:55
action · acf/input/admin_head · MarkupMarkdown\Addons\Unsupported\AdvancedCustomFields.php:74
filter · mmd_frontend_enabled · MarkupMarkdown\Addons\Unsupported\AdvancedCustomFields.php:75
filter · acf/get_valid_field · MarkupMarkdown\Addons\Unsupported\AdvancedCustomFields.php:78
filter · mmd_verified_config · MarkupMarkdown\Addons\Unsupported\SpellChecker.php:116
filter · mmd_var2const · MarkupMarkdown\Addons\Unsupported\SpellChecker.php:117
action · admin_enqueue_scripts · MarkupMarkdown\Addons\Unsupported\SpellChecker.php:118
action · wp_footer · MarkupMarkdown\Addons\Unsupported\SpellChecker.php:120
action · admin_footer · MarkupMarkdown\Addons\Unsupported\SpellChecker.php:167
action · mmd_before_options · MarkupMarkdown\Addons\Unsupported\SpellChecker.php:169
action · mmd_tabmenu_options · MarkupMarkdown\Addons\Unsupported\SpellChecker.php:170
action · mmd_tabcontent_options · MarkupMarkdown\Addons\Unsupported\SpellChecker.php:171
action · bbp_enqueue_scripts · MarkupMarkdown\AutoPlugs\BBPress.php:33
filter · mmd_proxy_filters · MarkupMarkdown\AutoPlugs\BBPress.php:34
filter · mmd_frontend_enabled · MarkupMarkdown\AutoPlugs\BBPress.php:66
action · mmd_load_engine_stylesheets · MarkupMarkdown\AutoPlugs\BBPress.php:68
action · mmd_load_engine_scripts · MarkupMarkdown\AutoPlugs\BBPress.php:69
filter · mmd_proxy_filters · MarkupMarkdown\AutoPlugs\BuddyPress.php:45
action · admin_enqueue_scripts · MarkupMarkdown\AutoPlugs\BuddyPress.php:47
action · current_screen · MarkupMarkdown\AutoPlugs\BuddyPress.php:50
action · bp_enqueue_scripts · MarkupMarkdown\AutoPlugs\BuddyPress.php:53
filter · mmd_backend_enabled · MarkupMarkdown\AutoPlugs\BuddyPress.php:77
filter · mmd_frontend_enabled · MarkupMarkdown\AutoPlugs\BuddyPress.php:103
action · mmd_load_engine_stylesheets · MarkupMarkdown\AutoPlugs\BuddyPress.php:106
action · mmd_load_engine_scripts · MarkupMarkdown\AutoPlugs\BuddyPress.php:107
action · bp_enqueue_scripts · MarkupMarkdown\AutoPlugs\BuddyPressDocs.php:33
filter · mmd_frontend_enabled · MarkupMarkdown\AutoPlugs\BuddyPressDocs.php:58
action · mmd_load_engine_stylesheets · MarkupMarkdown\AutoPlugs\BuddyPressDocs.php:61
action · mmd_load_engine_scripts · MarkupMarkdown\AutoPlugs\BuddyPressDocs.php:62
filter · mmd_disable_gutenberg · MarkupMarkdown\AutoPlugs\CodeSnippets.php:22
action · admin_init · MarkupMarkdown\AutoPlugs\DisableEmojis.php:21
action · init · MarkupMarkdown\AutoPlugs\DisableEmojis.php:24
action · admin_init · MarkupMarkdown\AutoPlugs\DisableEmojis.php:25
filter · tiny_mce_plugins · MarkupMarkdown\AutoPlugs\DisableEmojis.php:44
filter · wp_resource_hints · MarkupMarkdown\AutoPlugs\DisableEmojis.php:45
action · wp_enqueue_scripts · MarkupMarkdown\AutoPlugs\FrontendAdmin.php:23
action · init · MarkupMarkdown\AutoPlugs\FrontendAdmin.php:25
filter · mmd_frontend_enabled · MarkupMarkdown\AutoPlugs\FrontendAdmin.php:38
filter · o2_post_fragment · MarkupMarkdown\AutoPlugs\O2.php:14
filter · the_content · MarkupMarkdown\AutoPlugs\O2.php:15
action · mmd_load_engine_scripts · MarkupMarkdown\AutoPlugs\QTranslateXT.php:33
action · after_setup_theme · MarkupMarkdown\AutoPlugs\Woocommerce.php:14
filter · woocommerce_taxonomy_archive_description_raw · MarkupMarkdown\AutoPlugs\Woocommerce.php:20
action · after_setup_theme · MarkupMarkdown\AutoPlugs\WPCodeBlocks.php:14
filter · addon_markdown2html · MarkupMarkdown\AutoPlugs\WPCodeBlocks.php:20
action · wp_enqueue_scripts · MarkupMarkdown\AutoPlugs\WPCodeBlocks.php:22
action · after_setup_theme · MarkupMarkdown\AutoPlugs\WPGeshi.php:16
filter · addon_markdown2html · MarkupMarkdown\AutoPlugs\WPGeshi.php:26
action · wp_footer · MarkupMarkdown\AutoPlugs\WPGeshi.php:30
action · upgrader_process_complete · MarkupMarkdown\Core\Activation.php:21
filter · load_textdomain_mofile · MarkupMarkdown\Core\Activation.php:23
filter · plugin_row_meta · MarkupMarkdown\Core\Activation.php:25
action · plugins_loaded · MarkupMarkdown\Core\Activation.php:48
filter · mmd_load_addon · MarkupMarkdown\Core\Addons.php:41
filter · mmd_autoplugs_enabled · MarkupMarkdown\Core\AutoPlugs.php:31
filter · mmd_verified_config · MarkupMarkdown\Core\AutoPlugs.php:33
filter · mmd_var2const · MarkupMarkdown\Core\AutoPlugs.php:34
action · admin_enqueue_scripts · MarkupMarkdown\Core\AutoPlugs.php:35
action · mmd_tabmenu_options · MarkupMarkdown\Core\AutoPlugs.php:186
action · mmd_tabcontent_options · MarkupMarkdown\Core\AutoPlugs.php:187
filter · post_markdown2html · MarkupMarkdown\Core\Parser.php:39
filter · field_markdown2html · MarkupMarkdown\Core\Parser.php:40
filter · post_markdown2html · MarkupMarkdown\Core\Parser.php:41
filter · field_markdown2html · MarkupMarkdown\Core\Parser.php:42
action · admin_menu · MarkupMarkdown\Core\Settings.php:34
action · load-settings_page_markup-markdown-admin · MarkupMarkdown\Core\Settings.php:39
action · admin_enqueue_scripts · MarkupMarkdown\Core\Settings.php:43
action · admin_notices · MarkupMarkdown\Core\Settings.php:92
action · admin_notices · MarkupMarkdown\Core\Settings.php:97
filter · screen_options_show_screen · MarkupMarkdown\Core\Settings.php:188
filter · screen_options_show_submit · MarkupMarkdown\Core\Settings.php:189
filter · screen_settings · MarkupMarkdown\Core\Settings.php:190
action · init · MarkupMarkdown\Core\Support.php:65
filter · mmd_backend_enabled · MarkupMarkdown\Core\Support.php:68
filter · mmd_proxy_filters · MarkupMarkdown\Core\Support.php:70
action · mmd_addons_loaded · MarkupMarkdown\Core\Support.php:71
action · init · MarkupMarkdown\Core\Support.php:73
action · wp_loaded · MarkupMarkdown\Core\Support.php:75
filter · mmd_frontend_enabled · MarkupMarkdown\Core\Support.php:78
action · rest_api_init · MarkupMarkdown\Core\Support.php:80
action · wp · MarkupMarkdown\Core\Support.php:85
action · mmd_addons_loaded · MarkupMarkdown\Core\Support.php:86
action · wp_head · MarkupMarkdown\Core\Support.php:90
action · wp_head · MarkupMarkdown\Core\Support.php:94
filter · kses_allowed_protocols · MarkupMarkdown\Core\Support.php:97
filter · rest_prepare_category · MarkupMarkdown\Core\Support.php:230
filter · rest_prepare_post_tag · MarkupMarkdown\Core\Support.php:231
action · save_post · MarkupMarkdown\Core\Support.php:297
filter · user_can_richedit · MarkupMarkdown\Core\Support.php:300
filter · wp_editor_settings · MarkupMarkdown\Core\Support.php:302
filter · use_block_editor_for_post_type · MarkupMarkdown\Core\Support.php:333
filter · gutenberg_can_edit_post_type · MarkupMarkdown\Core\Support.php:336
filter · the_content · MarkupMarkdown\Core\Support.php:533
filter · the_excerpt · MarkupMarkdown\Core\Support.php:534
filter · category_description · MarkupMarkdown\Core\Support.php:535
filter · term_description · MarkupMarkdown\Core\Support.php:536
filter · mmd_proxy_filters · MarkupMarkdown\Core\Support.php:537
filter · render_block · MarkupMarkdown\Core\Support.php:538
filter · the_content · MarkupMarkdown\Core\Support.php:555
filter · the_excerpt · MarkupMarkdown\Core\Support.php:556
filter · category_description · MarkupMarkdown\Core\Support.php:557
filter · term_description · MarkupMarkdown\Core\Support.php:558
Maintenance & Trust

Markup Markdown Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Nov 28, 2025
PHP min version: 7.2.0
Downloads: 49K

Community Trust

Rating: 100/100
Number of ratings: 11
Active installs: 2K
Developer Profile

Markup Markdown Developer Profile

Pierre-Henri Lavigne

1 plugin · 2K total installs

Trust score: 92
Avg Security Score: 97/100
Avg Patch Time: 19 days
Detection Fingerprints

How We Detect Markup Markdown

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/markup-markdown/MarkupMarkdown/View/Admin/css/markup-markdown.css
/wp-content/plugins/markup-markdown/MarkupMarkdown/View/Admin/js/markup-markdown.js
Script Paths
/wp-content/plugins/markup-markdown/MarkupMarkdown/View/Admin/js/markup-markdown.js
Version Parameters
markup-markdown/MarkupMarkdown/View/Admin/css/markup-markdown.css?ver=
markup-markdown/MarkupMarkdown/View/Admin/js/markup-markdown.js?ver=

HTML / DOM Fingerprints

CSS Classes
mmd-wrapper
HTML Comments
<!-- MARKUP-MARKDOWN BY PIERRE-HENRI LAVIGNE -->
Data Attributes
data-mmd-editor
JS Globals
window.MarkupMarkdown
Shortcode Output
[markup-markdown]