Does Open Search have any unpatched vulnerabilities?

No. All known vulnerabilities in Open Search have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Open Search compatible with WordPress 6.9.4?

According to WordPress.org data, Open Search 4.1.3 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

How often is Open Search updated?

Open Search was last updated on Dec 7, 2025. Frequent updates are generally a positive security signal.

What is Open Search's security score?

Open Search has a WP-Safety security score of 100/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Open Search Security & Risk Analysis

wordpress.org/plugins/open-search-document

Create an OpenSearch Document for your blog.

200 active installs v4.1.3 PHP + WP 4.6+ Updated Dec 7, 2025

open-searchopen-search-documentopensearchosdsearch

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is Open Search Safe to Use in 2026?

Generally Safe

Score 100/100

Open Search has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 3mo ago

Risk Assessment

The 'open-search-document' plugin v4.1.3 presents a mixed security posture. While it demonstrates good practices by avoiding dangerous functions, raw SQL queries, file operations, and external HTTP requests, significant concerns arise from its unprotected entry points. The static analysis reveals two REST API routes that lack any permission callbacks, creating a direct attack surface for unauthenticated users. Furthermore, none of the output within the plugin is properly escaped, making it highly susceptible to Cross-Site Scripting (XSS) vulnerabilities. The absence of any recorded vulnerabilities in its history is a positive indicator, but it does not negate the immediate risks posed by the identified code weaknesses.

In conclusion, the plugin's lack of essential security checks on its entry points and its failure to escape output are critical flaws that expose users to significant risks, primarily XSS. The absence of vulnerability history is encouraging but should not lead to complacency, as the code analysis clearly indicates exploitable weaknesses. The overall security posture is compromised by these readily identifiable flaws, despite some positive coding practices.

Key Concerns

Unprotected REST API routes
Unescaped output
No capability checks

Vulnerabilities

None known

Open Search Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 17, 2026

Open Search Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

0 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

0% escaped8 total outputs

Attack Surface

2 unprotected

Open Search Attack Surface

Entry Points2

Unprotected2

REST API Routes 2

GET/wp-json/opensearch/1.1/documentincludes\class-wp-rest-controller.php:27

GET/wp-json/opensearch/1.1/suggestionsincludes\class-wp-rest-controller.php:39

WordPress Hooks 13

actionatom_nsincludes\class-discovery.php:17

filtersite_icon_image_sizesincludes\class-discovery.php:19

actionosd_xmlincludes\class-discovery.php:20

filterweb_app_manifestincludes\class-discovery.php:21

actionwp_headincludes\class-discovery.php:24

actionatom_headincludes\class-discovery.php:25

actionrss2_headincludes\class-discovery.php:26

filterxrds_simpleincludes\class-discovery.php:27

filterhost_metaincludes\class-discovery.php:28

filterwebfinger_user_dataincludes\class-discovery.php:29

actionrest_api_initincludes\class-wp-rest-controller.php:17

filterrest_pre_serve_requestincludes\class-wp-rest-controller.php:20

actioninitopen-search-document.php:27

Maintenance & Trust

Open Search Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedDec 7, 2025

PHP min version

Downloads11K

Community Trust

Rating100/100

Number of ratings4

Active installs200

Alternatives

Open Search Alternatives

OpenSearch

opensearch

Add OpenSearch discovery and querying to your WordPress site.

30 No CVEs

Add Browser Search

add-browser-search

Add Wordpress standard search address into the browser menu, follow OpenSearch.org standard.

10 No CVEs

OpenSearchServer Search

opensearchserver-search

The OpenSearchServer Search Plugin enables OpenSearchServer full-text search in WordPress-based websites.

10 No CVEs

WP Opensearch Advance

wp-opensearch-advance

Add Open Search to your website has never been so easy.

10 No CVEs

Site Kit by Google – Analytics, Search Console, AdSense, Speed

google-site-kit

100

Site Kit is a one-stop solution for WordPress users to use everything Google has to offer to make them successful on the web.

5.0M 1 CVE

Developer Profile

Open Search Developer Profile

Matthias Pfefferle

8 plugins · 3K total installs

trust score

Avg Security Score

98/100

Avg Patch Time

321 days

View full developer profile

Detection Fingerprints

How We Detect Open Search

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

HTML / DOM Fingerprints

REST Endpoints

/opensearch/1.1/document/opensearch/1.1/suggestions

FAQ

Open Search Security & Risk Analysis

Is Open Search Safe to Use in 2026?

Generally Safe

Key Concerns

Open Search Security Vulnerabilities

Open Search Code Analysis

Output Escaping

Open Search Attack Surface

REST API Routes 2

Open Search Maintenance & Trust

Maintenance Signals

Community Trust

Open Search Alternatives

OpenSearch

Add Browser Search

OpenSearchServer Search

WP Opensearch Advance

Site Kit by Google – Analytics, Search Console, AdSense, Speed

Open Search Developer Profile

How We Detect Open Search

Asset Fingerprints

HTML / DOM Fingerprints

Frequently Asked Questions about Open Search