Does Hype have any unpatched vulnerabilities?

Yes — Hype currently has 1 unpatched vulnerability. We recommend switching to an alternative or applying any available workarounds.

Is Hype compatible with WordPress 6.1.10?

According to WordPress.org data, Hype 1.0.5 has been tested up to WordPress 6.1.10. Check the plugin's changelog for the latest compatibility information.

Is Hype compatible with PHP 5.2.4+?

Hype requires PHP 5.2.4 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Hype updated?

Hype was last updated on Apr 5, 2023. Frequent updates are generally a positive security signal.

What is Hype's security score?

Hype has a WP-Safety security score of 63/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Hype Security & Risk Analysis

wordpress.org/plugins/pico

Intelligent popups and landing pages to fully manage email and phone number signups, newsletters, subscriptions, donations, and memberships.

30 active installs v1.0.5 PHP 5.2.4+ WP 3.7+ Updated Apr 5, 2023

membershipsstripesubscriptions

C · Use Caution

CVEs total1

Unpatched1

Last CVEDec 4, 2025

Plugin page Download

Safety Verdict

Is Hype Safe to Use in 2026?

Use With Caution

Score 63/100

Hype has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE 1 unpatched Last CVE: Dec 4, 2025Updated 2yr ago

Risk Assessment

The 'pico' v1.0.5 plugin exhibits a mixed security posture. On the positive side, the static analysis reveals a remarkably small attack surface with no identified AJAX handlers, REST API routes, shortcodes, or cron events exposed without authentication. This indicates a strong effort to limit potential entry points for attackers.

However, significant concerns arise from the code signals and vulnerability history. The relatively low percentage of properly escaped output (22%) suggests a risk of Cross-Site Scripting (XSS) vulnerabilities, as data displayed to users may not be adequately sanitized. The presence of external HTTP requests also warrants careful review to ensure these are not exploited for malicious purposes.

The most pressing concern is the single known unpatched CVE with a medium severity, dated December 4, 2025. The historical pattern of a "Missing Authorization" vulnerability and the current unpatched medium severity issue strongly suggest a recurring weakness in how the plugin handles user permissions. While the attack surface is small, a successfully exploited authorization flaw could still lead to unauthorized actions or data exposure. The plugin's strengths lie in its limited attack surface, but its weaknesses in output escaping and a history of authorization issues, compounded by an unpatched CVE, necessitate immediate attention.

Key Concerns

Unpatched medium severity CVE
Low percentage of properly escaped output
Low percentage of SQL prepared statements

Vulnerabilities

Hype Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched

2025

Patched Has unpatched

Severity Breakdown

Medium

1 total CVE

CVE-2025-49348medium · 5.3Missing Authorization

Hype <= 1.0.5 - Missing Authorization

Dec 4, 2025Unpatched

Code Analysis

Analyzed Mar 16, 2026

Hype Code Analysis

Dangerous Functions

Raw SQL Queries

2 prepared

Unescaped Output

4 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

33% prepared6 total queries

Output Escaping

22% escaped18 total outputs

Attack Surface

Hype Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 12

filterrest_pre_serve_requestincludes\class.api.php:16

actionrest_api_initincludes\class.api.php:137

actionadmin_print_scriptsincludes\class.menu.php:8

actionadmin_enqueue_scriptsincludes\class.menu.php:9

actionadmin_menuincludes\class.menu.php:10

actionwpincludes\class.widget.php:10

actionwp_footerincludes\class.widget.php:36

actionwp_enqueue_scriptsincludes\class.widget.php:37

filterthe_contentincludes\class.widget.php:41

actionwp_footerincludes\class.widget.php:44

actioninitpico.php:26

actioninitpico.php:30

Maintenance & Trust

Hype Maintenance & Trust

Maintenance Signals

WordPress version tested6.1.10

Last updatedApr 5, 2023

PHP min version5.2.4

Downloads6K

Community Trust

Rating100/100

Number of ratings4

Active installs30

Alternatives

Hype Alternatives

SureCart – Ecommerce Made Easy For Selling Physical Products, Digital Downloads, Subscriptions, Donations, & Payments

surecart

Make ecommerce easy with a simple to use, all-in-one platform, that anyone can set up in just a few minutes!

90K 2 CVEs

Memberful – Membership Plugin

memberful-wp

Sell memberships and restrict access to content with WordPress and Memberful.

1K 3 CVEs

Subscriptions & Memberships for PayPal

subscriptions-memberships-for-paypal

A simple and easy way to sell subscriptions and / or memberships with PayPal. No Coding Required. Official PayPal Partner.

1K 4 CVEs

Payment Page | Payment Form for Stripe

payment-page

Payment Page is an extremely easy way to accept online payments. Connect your payment gateway, choose a template, and you're ready to go!

200 1 CVE

Wallkit Subscriptions & Paywall Plugin for WordPress

wallkit

A Plug & Play paid-content system to manage subscribers, gather fees and drive additional content sales.

20 No CVEs

Developer Profile

Hype Developer Profile

Hype

1 plugin · 30 total installs

trust score

Avg Security Score

63/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect Hype

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/pico/includes/css/pico.css/wp-content/plugins/pico/includes/js/pico.js

Script Paths

/wp-content/plugins/pico/includes/js/pico.js

Version Parameters

/wp-content/plugins/pico/includes/css/pico.css?ver=/wp-content/plugins/pico/includes/js/pico.js?ver=

HTML / DOM Fingerprints

CSS Classes

error-messageerror-iconerror-text

Data Attributes

data-publisher-id

JS Globals

picoSettings

Shortcode Output

[pico_display_auth][pico_display_connected]

FAQ