Most Commented Widget Security & Risk Analysis

wordpress.org/plugins/most-commented

Add a widget to display a list of the posts/pages with the most comments.

300 active installs v3.0 PHP + WP 2.8+ Updated Dec 8, 2015
commentspopularrankwidget
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Safety Verdict

Is Most Commented Widget Safe to Use in 2026?

Generally Safe

Score 85/100

Most Commented Widget has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 10yr ago
Risk Assessment

The "most-commented" v3.0 plugin exhibits a mixed security posture. On one hand, the absence of known CVEs and a clean taint analysis report are positive indicators. The plugin also demonstrates good practice by utilizing prepared statements for all its SQL queries. However, significant concerns arise from the static analysis. The presence of the `create_function` dangerous function is a notable risk, as it can lead to code injection vulnerabilities if used with untrusted input. Furthermore, a very low percentage of properly escaped output (29%) suggests a high probability of cross-site scripting (XSS) vulnerabilities, which is a critical security weakness. The lack of any nonce checks or capability checks on its entry points, though the entry point count is currently zero, indicates a potential for future vulnerabilities if new features are added without proper security considerations.

While the vulnerability history is currently clean, this can be misleading. The static analysis findings, particularly the `create_function` usage and the extremely poor output escaping, present substantial immediate risks. The plugin's strengths lie in its SQL handling and lack of external requests, but these are overshadowed by the significant potential for XSS and code injection. A cautious approach is warranted, prioritizing the remediation of the identified code quality issues before relying on the absence of past vulnerabilities.

Key Concerns

  • Dangerous function create_function found
  • Low percentage of properly escaped output
  • No nonce checks on entry points
  • No capability checks on entry points
Vulnerabilities
None known

Most Commented Widget Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Most Commented Widget Release Timeline

v3.0Current
v2.2
v1.6
v1.4
v1.02
Code Analysis
Analyzed Mar 16, 2026

Most Commented Widget Code Analysis

Dangerous Functions
1
Raw SQL Queries
0
3 prepared
Unescaped Output
20
8 escaped
Nonce Checks
0
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0

Dangerous Functions Found

create_functionadd_action( 'widgets_init', create_function( '', 'return register_widget( "Most_Commented_Widget" );most-commented.php:173

SQL Query Safety

100% prepared3 total queries

Output Escaping

29% escaped28 total outputs
Attack Surface

Most Commented Widget Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 1
actionwidgets_initmost-commented.php:173
Maintenance & Trust

Most Commented Widget Maintenance & Trust

Maintenance Signals

WordPress version tested4.4.34
Last updatedDec 8, 2015
PHP min version
Downloads117K

Community Trust

Rating0/100
Number of ratings0
Active installs300
Developer Profile

Most Commented Widget Developer Profile

Nick Momrik

12 plugins · 3K total installs

84
trust score
Avg Security Score
85/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Most Commented Widget

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

HTML / DOM Fingerprints

Data Attributes
id="most_commented_widget_"name="most_commented_widget_"for="most_commented_widget_"
Shortcode Output
<a href=" title=""></a>
FAQ

Frequently Asked Questions about Most Commented Widget