Create Security & Risk Analysis

wordpress.org/plugins/mediavine-create

Complete tool for creating and publishing recipes and other schema types on your site.

6K active installs · v2.1.1 · PHP 7.4+ · WP 6.5+ · Updated Mar 5, 2026

Tags: how-to, nutrition, recipe, recipe-card, schema

Security score: 95 (A · Safe)
CVEs total: 4
Unpatched: 0
Last CVE: Aug 12, 2024

Safety Verdict

Is Create Safe to Use in 2026?

Generally Safe

Score 95/100

Create has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Aug 12, 2024 · Updated 29d ago

Risk Assessment

The mediavine-create plugin v2.1.1 exhibits a mixed security posture. On the positive side, the static analysis shows good practices in output escaping, with 100% of outputs being properly escaped. The majority of SQL queries (85%) also utilize prepared statements, mitigating common SQL injection risks. The plugin also correctly uses capability checks for some operations and doesn't appear to make external HTTP requests, reducing its attack surface in those areas. However, several concerning factors emerge, particularly from its vulnerability history. The plugin has a history of 4 known CVEs, including one critical vulnerability, indicating a pattern of past security weaknesses that require vigilance. The types of past vulnerabilities (Exposure of Sensitive Information, XSS, SQL Injection) are serious and suggest potential areas for future exploitation if not addressed proactively.

While the current static analysis reports zero unprotected entry points and no critical taint flows, the historical prevalence of critical vulnerabilities, especially SQL injection, warrants caution. The absence of nonce checks around the shortcodes and the presence of file operations, though not flagged as problematic in this analysis, could become vectors if combined with less secure coding practices or chained with other vulnerabilities. The plugin's reliance on bundled libraries such as TinyMCE and Guzzle is a further potential risk if those libraries are outdated or carry known vulnerabilities that are not reflected in the plugin's own CVE count. Overall, while the current code analysis suggests the codebase has improved, the plugin's history indicates a higher-than-desirable risk profile that calls for careful monitoring and prompt patching of any vulnerabilities discovered in the future.

Key Concerns

  • History of 1 critical CVE
  • History of 3 medium CVEs
  • Bundled library: TinyMCE
  • Bundled library: Guzzle
  • 0 nonce checks

Vulnerabilities (4)

Create Security Vulnerabilities

CVEs by Year

2024: 4 CVEs (all patched)

Severity Breakdown

Critical: 1
Medium: 3

4 total CVEs

CVE-2024-43264 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

Create by Mediavine <= 1.9.8 - Unauthenticated Sensitive Information Exposure

Aug 12, 2024 · Patched in 1.9.9 (26d)

CVE-2024-37495 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Create by Mediavine <= 1.9.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jul 4, 2024 · Patched in 1.9.8 (7d)

CVE-2024-5601 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Create by Mediavine <= 1.9.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Schema Meta Shortcode

Jun 26, 2024 · Patched in 1.9.8 (1d)

CVE-2024-1711 · critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Create by Mediavine <= 1.9.4 - Unauthenticated SQL Injection via 'id'

Mar 19, 2024 · Patched in 1.9.5 (7d)

Code Analysis
Analyzed Mar 16, 2026

Create Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 3 (17 prepared)
Unescaped Output: 0 (12 escaped)
Nonce Checks: 0
Capability Checks: 2
File Operations: 4
External Requests: 0
Bundled Libraries: 2

Bundled Libraries

TinyMCE, Guzzle

SQL Query Safety

85% prepared (17 of 20 total queries)

Output Escaping

100% escaped (12 of 12 total outputs)

Attack Surface

Create Attack Surface

Entry Points: 4
Unprotected: 0

Shortcodes (4)

[mv_img] class-plugin.php:373
[mvc_ad] class-plugin.php:374
[mv_schema_meta] class-plugin.php:375
[mv_index] class-plugin.php:378

WordPress Hooks (32)

filter tiny_mce_before_init admin\class-admin-init.php:331
action admin_init admin\class-admin-init.php:817
filter submenu_file admin\class-admin-init.php:818
action admin_head admin\class-admin-init.php:819
action admin_head admin\class-admin-init.php:820
action admin_footer admin\class-admin-init.php:821
action admin_enqueue_scripts admin\class-admin-init.php:822
action admin_menu admin\class-admin-init.php:823
action media_buttons admin\class-admin-init.php:824
action init admin\class-admin-init.php:826
action init admin\class-admin-init.php:827
action enqueue_block_editor_assets admin\class-admin-init.php:830
action after_setup_theme class-plugin.php:302
filter mv_publish_create_settings class-plugin.php:307
filter mv_create_is_pro class-plugin.php:327
filter mv_wp_router_config class-plugin.php:332
action init class-plugin.php:347
action init class-plugin.php:348
action init class-plugin.php:349
action mv_fix_video_description_queue_action class-plugin.php:370
filter rest_prepare_post class-plugin.php:380
filter mv_create_paapi_access_key_settings_value class-plugin.php:382
filter mv_create_paapi_secret_key_settings_value class-plugin.php:383
filter mv_create_paapi_tag_settings_value class-plugin.php:384
filter mv_create_localized_admin_settings class-plugin.php:385
filter mv_create_is_pro class-plugin.php:511
action admin_notices class-plugin.php:908
filter mv_create_fields class-plugin.php:1319
filter plugin_row_meta mediavine-create.php:40
action admin_notices mediavine-create.php:41
action admin_notices mediavine-create.php:42
action admin_head mediavine-create.php:43

Maintenance & Trust

Create Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 5, 2026
PHP min version: 7.4
Downloads: 269K

Community Trust

Rating: 82/100
Number of ratings: 18
Active installs: 6K

Developer Profile

Create Developer Profile

mischiefmarmot

1 plugin · 6K total installs

Trust score: 91
Avg Security Score: 95/100
Avg Patch Time: 10 days

Detection Fingerprints

How We Detect Create

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
