Does Plugin Notes Plus have any unpatched vulnerabilities?

No. All known vulnerabilities in Plugin Notes Plus have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Plugin Notes Plus compatible with WordPress 6.7.5?

According to WordPress.org data, Plugin Notes Plus 1.2.10 has been tested up to WordPress 6.7.5. Check the plugin's changelog for the latest compatibility information.

Is Plugin Notes Plus compatible with PHP 5.6+?

Plugin Notes Plus requires PHP 5.6 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Plugin Notes Plus updated?

Plugin Notes Plus was last updated on Mar 20, 2025. Frequent updates are generally a positive security signal.

What is Plugin Notes Plus's security score?

Plugin Notes Plus has a WP-Safety security score of 91/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Plugin Notes Plus Security & Risk Analysis

wordpress.org/plugins/plugin-notes-plus

Adds a column to the Plugins page where you can add, edit, or delete notes about a plugin.

9K active installs v1.2.10 PHP 5.6+ WP 6.2+ Updated Mar 20, 2025

memoplugin-notesplugins

A · Safe

CVEs total2

Unpatched0

Last CVEAug 16, 2024

Plugin page Download

Safety Verdict

Is Plugin Notes Plus Safe to Use in 2026?

Generally Safe

Score 91/100

Plugin Notes Plus has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEsLast CVE: Aug 16, 2024Updated 1yr ago

Risk Assessment

The plugin "plugin-notes-plus" v1.2.10 exhibits a mixed security posture. While it demonstrates good practices in handling SQL queries with prepared statements and has a high percentage of properly escaped output, significant concerns arise from its attack surface and taint analysis.

The static analysis reveals two AJAX handlers, both lacking authentication checks. This presents a direct entry point for unauthenticated attackers to potentially interact with plugin functionalities. The taint analysis further exacerbates this concern, identifying two flows with unsanitized paths that are classified as high severity. This indicates that user-supplied input in these flows is not being adequately validated or sanitized before being used, potentially leading to vulnerabilities like Cross-Site Scripting or other injection attacks.

The vulnerability history shows a pattern of past medium-severity vulnerabilities, including Missing Authorization and Cross-site Scripting. While there are currently no unpatched CVEs, the recurrence of these vulnerability types suggests a potential ongoing weakness in input validation and authorization mechanisms. The plugin's strengths lie in its robust SQL handling and output escaping, but the unprotected AJAX endpoints and high-severity taint flows represent immediate and critical risks that need to be addressed.

Key Concerns

Unprotected AJAX handlers
High severity taint flows with unsanitized paths
History of Missing Authorization vulnerabilities
History of Cross-Site Scripting vulnerabilities

Vulnerabilities

Plugin Notes Plus Security Vulnerabilities

CVEs by Year

2 CVEs in 2024

2024

Patched Has unpatched

Severity Breakdown

Medium

2 total CVEs

CVE-2024-43326medium · 4.3Missing Authorization

Plugin Notes Plus <= 1.2.7 - Authenticated (Subscriber+) Arbitrary Note Deletion

Aug 16, 2024 Patched in 1.2.8 (4d)

CVE-2024-37561medium · 4.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Plugin Notes Plus <= 1.2.6 - Authenticated (Administrator+) Stored Cross-Site Scripting

Jul 9, 2024 Patched in 1.2.7 (11d)

Code Analysis

Analyzed Mar 16, 2026

Plugin Notes Plus Code Analysis

Dangerous Functions

Raw SQL Queries

4 prepared

Unescaped Output

29 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

100% prepared4 total queries

Output Escaping

97% escaped30 total outputs

Data Flows

2 unsanitized

Data Flow Analysis

2 flows2 with unsanitized paths

pnp_add_response (admin\class-plugin-notes-plus-admin.php:248)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

2 unprotected

Plugin Notes Plus Attack Surface

Entry Points2

Unprotected2

AJAX Handlers 2

authwp_ajax_pnp_add_responseincludes\class-plugin-notes-plus.php:167

authwp_ajax_pnp_delete_responseincludes\class-plugin-notes-plus.php:168

WordPress Hooks 9

actioninitincludes\class-plugin-notes-plus.php:131

actionadmin_enqueue_scriptsincludes\class-plugin-notes-plus.php:146

actionadmin_enqueue_scriptsincludes\class-plugin-notes-plus.php:147

actionafter_setup_themeincludes\class-plugin-notes-plus.php:150

filterplugin_row_metaincludes\class-plugin-notes-plus.php:156

filtermanage_plugins_columnsincludes\class-plugin-notes-plus.php:159

actionmanage_plugins_custom_columnincludes\class-plugin-notes-plus.php:160

filtermanage_plugins-network_columnsincludes\class-plugin-notes-plus.php:163

actionplugins_loadedplugin-notes-plus.php:62

Maintenance & Trust

Plugin Notes Plus Maintenance & Trust

Maintenance Signals

WordPress version tested6.7.5

Last updatedMar 20, 2025

PHP min version5.6

Downloads75K

Community Trust

Rating100/100

Number of ratings61

Active installs9K

Alternatives

Plugin Notes Plus Alternatives

Plugin Notes

plugin-notes

Allows you to add notes to plugins.

500 No CVEs

Plugin Notes Label

plugin-notes-label

100

Add your Notes to each plugin.

50 No CVEs

WP Rollback – Rollback Plugins and Themes

wp-rollback

Rollback (or forward) any WordPress.org plugin, theme, or block like a boss.

300K 2 CVEs

Download Plugin

download-plugin

Download any plugin from your WordPress admin panel's Plugins page by just one click! Now, download themes, users, blog posts, pages, custom post …

50K 5 CVEs

Advanced Automatic Updates

automatic-updater

Adds extra options to WordPress' built-in Automatic Updates feature.

30K No CVEs

Developer Profile

Plugin Notes Plus Developer Profile

jamiebergen

1 plugin · 9K total installs

trust score

Avg Security Score

91/100

Avg Patch Time

8 days

View full developer profile

Detection Fingerprints

How We Detect Plugin Notes Plus

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/plugin-notes-plus/admin/css/plugin-notes-plus-admin.css/wp-content/plugins/plugin-notes-plus/admin/js/plugin-notes-plus-admin.js/wp-content/plugins/plugin-notes-plus/admin/js/plugin-notes-plus-updates.js

Script Paths

/wp-content/plugins/plugin-notes-plus/admin/js/plugin-notes-plus-admin.js/wp-content/plugins/plugin-notes-plus/admin/js/plugin-notes-plus-updates.js

Version Parameters

plugin-notes-plus/admin/css/plugin-notes-plus-admin.css?ver=plugin-notes-plus/admin/js/plugin-notes-plus-admin.js?ver=plugin-notes-plus/admin/js/plugin-notes-plus-updates.js?ver=

HTML / DOM Fingerprints

HTML Comments

Data Attributes

data-plugin-notes-plus

JS Globals

pnp_paramsupdateslabels

FAQ