No unsafe-inline Security & Risk Analysis

wordpress.org/plugins/no-unsafe-inline

No unsafe-inline helps you build a Content Security Policy that avoids 'unsafe-inline' and 'unsafe-hashes'.

200 active installs · v1.3.0 · PHP 7.4+ · WP 5.9+ · Updated Dec 4, 2025
Tags: content-security-policy, csp, multisite, security, unsafe-inline
100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is No unsafe-inline Safe to Use in 2026?

Generally Safe

Score 100/100

No unsafe-inline has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 4mo ago
Risk Assessment

The "no-unsafe-inline" v1.3.0 plugin exhibits a concerning security posture due to a significant number of unprotected entry points. With 7 unprotected AJAX handlers and 1 unprotected REST API route, the plugin exposes a substantial attack surface that could be exploited by unauthenticated users. While the majority of SQL queries use prepared statements and a good percentage of outputs are properly escaped, these strengths are overshadowed by the lack of basic authorization checks on critical entry points. The taint analysis, while not revealing critical or high severity issues, did identify flows with unsanitized paths, which in conjunction with the unprotected entry points, warrants careful consideration.

The plugin's history of zero known vulnerabilities is a positive indicator, suggesting the developers may be diligent or that the plugin hasn't been a significant target. However, this lack of history doesn't negate the risks presented by the current code's structural weaknesses. The primary concern is the ease with which an attacker could interact with these unprotected endpoints.

To improve its security, the plugin must implement proper authentication and capability checks on all AJAX handlers and REST API routes. The presence of unsanitized paths also requires a thorough review and sanitization to prevent potential injection vulnerabilities.

Key Concerns

  • Unprotected AJAX handlers
  • Unprotected REST API routes
  • Flows with unsanitized paths
Vulnerabilities
None known

No unsafe-inline Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

No unsafe-inline Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 12 (104 prepared)
  • Unescaped Output: 68 (204 escaped)
  • Nonce Checks: 22
  • Capability Checks: 4
  • File Operations: 3
  • External Requests: 2
  • Bundled Libraries: 0

SQL Query Safety

90% prepared · 116 total queries

Output Escaping

75% escaped · 272 total outputs
Data Flows
4 unsanitized

Data Flow Analysis

10 flows · 4 with unsanitized paths

update_summary_tables (admin\class-no-unsafe-inline-admin.php:2635)
[Data flow diagram; legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized]
Attack Surface
8 unprotected

No unsafe-inline Attack Surface

Entry Points: 8
Unprotected: 8

AJAX Handlers 7

auth  wp_ajax_nunil_update_summary_tables  includes\class-no-unsafe-inline.php:227
auth  wp_ajax_nunil_trigger_clustering  includes\class-no-unsafe-inline.php:229
auth  wp_ajax_nunil_clean_database  includes\class-no-unsafe-inline.php:230
auth  wp_ajax_nunil_prune_database  includes\class-no-unsafe-inline.php:231
auth  wp_ajax_nunil_test_classifier  includes\class-no-unsafe-inline.php:232
auth  wp_ajax_nunil_fetch_logs  includes\class-no-unsafe-inline.php:234
auth  wp_ajax_nunil_display_logs  includes\class-no-unsafe-inline.php:235

REST API Routes 1

GET  /wp-json/no-unsafe-inline/v1/capture-by-violation  public\class-no-unsafe-inline-public.php:536

WordPress Hooks 29

action  init  includes\class-no-unsafe-inline.php:194
action  admin_enqueue_scripts  includes\class-no-unsafe-inline.php:208
action  admin_enqueue_scripts  includes\class-no-unsafe-inline.php:209
action  admin_init  includes\class-no-unsafe-inline.php:211
action  nunil_upgrade  includes\class-no-unsafe-inline.php:213
action  nunil_upgrade  includes\class-no-unsafe-inline.php:214
action  nunil_upgrade  includes\class-no-unsafe-inline.php:215
action  nunil_upgrade  includes\class-no-unsafe-inline.php:216
action  nunil_upgrade  includes\class-no-unsafe-inline.php:217
action  admin_menu  includes\class-no-unsafe-inline.php:219
action  admin_notices  includes\class-no-unsafe-inline.php:221
action  admin_init  includes\class-no-unsafe-inline.php:223
action  admin_init  includes\class-no-unsafe-inline.php:224
action  admin_init  includes\class-no-unsafe-inline.php:225
filter  plugin_row_meta  includes\class-no-unsafe-inline.php:238
filter  set-screen-option  includes\class-no-unsafe-inline.php:240
action  wp_enqueue_scripts  includes\class-no-unsafe-inline.php:254
action  nunil_output_csp_headers  includes\class-no-unsafe-inline.php:257
filter  no_unsafe_inline_final_output  includes\class-no-unsafe-inline.php:260
filter  no_unsafe_inline_meta_injector  includes\class-no-unsafe-inline.php:263
action  rest_api_init  includes\class-no-unsafe-inline.php:266
action  upgrader_process_complete  includes\class-no-unsafe-inline.php:269
filter  upgrader_pre_install  includes\class-no-unsafe-inline.php:270
filter  update_feedback  includes\class-no-unsafe-inline.php:272
action  plugins_loaded  mu-plugin\no-unsafe-inline-output-buffering.php:19
action  shutdown  mu-plugin\no-unsafe-inline-output-buffering.php:33
action  init  no-unsafe-inline.php:114
action  wp_initialize_site  no-unsafe-inline.php:122
action  wp_uninitialize_site  no-unsafe-inline.php:125

Maintenance & Trust

No unsafe-inline Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 4, 2025
PHP min version: 7.4
Downloads: 11K

Community Trust

Rating: 100/100
Number of ratings: 5
Active installs: 200
Developer Profile

No unsafe-inline Developer Profile

Giuseppe

2 plugins · 700 total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect No unsafe-inline

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/no-unsafe-inline/css/no-unsafe-inline-admin.css
/wp-content/plugins/no-unsafe-inline/js/no-unsafe-inline-admin.js
Script Paths
/wp-content/plugins/no-unsafe-inline/js/no-unsafe-inline-admin.js
Version Parameters
no-unsafe-inline/css/no-unsafe-inline-admin.css?ver=
no-unsafe-inline/js/no-unsafe-inline-admin.js?ver=
no-unsafe-inline/css/jqueryui/
no-unsafe-inline/css/jqueryui/css/smoothness/jquery-ui.css?ver=
