Post Connector Security & Risk Analysis

wordpress.org/plugins/post-connector

A WordPress plugin that allows you to easily create related posts that don't lag your server!

90 active installs · v1.0.11 · PHP + WP 5.0+ · Updated Sep 21, 2023
Tags: connection, post-connection, post-connector, related, related-posts
Score: 59 · C · Use Caution
CVEs total: 4
Unpatched: 1
Last CVE: Aug 6, 2025
Safety Verdict

Is Post Connector Safe to Use in 2026?

Use With Caution

Score 59/100

Post Connector has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

4 known CVEs · 1 unpatched · Last CVE: Aug 6, 2025 · Updated 2yr ago
Risk Assessment

The 'post-connector' plugin v1.0.11 exhibits a mixed security posture. While it demonstrates good practices in SQL query handling, nonce checks, and capability checks, indicating some awareness of security principles, several areas raise concerns. The static analysis reveals a significant portion of output is not properly escaped (39% escaped), which, when combined with taint analysis showing unsanitized paths, presents a clear risk of Cross-Site Scripting (XSS) vulnerabilities. Although no critical or high-severity taint flows were found, the presence of unsanitized paths is a red flag. The vulnerability history is particularly worrying, with four known CVEs, one of which remains unpatched, and all historically being of medium severity and related to XSS. This pattern suggests a recurring weakness in input sanitization and output escaping, despite some efforts in the current version. The plugin's strengths lie in its controlled attack surface and secure database interactions, but the ongoing XSS issues and unpatched vulnerability significantly detract from its overall security. A more robust approach to output sanitization and prompt patching of known vulnerabilities are essential for improving its security.

Key Concerns

  • Output escaping is insufficient (39% escaped)
  • Taint analysis shows unsanitized paths
  • 1 unpatched CVE (medium severity)
  • Bundled library (TinyMCE) potential risk
Vulnerabilities (4)

Post Connector Security Vulnerabilities

CVEs by Year

  • 2015: 2 CVEs
  • 2023: 1 CVE
  • 2025: 1 CVE (unpatched)

Severity Breakdown

Medium: 4

4 total CVEs

CVE-2025-52741 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Post Connector <= 1.0.11 - Reflected Cross-Site Scripting

Aug 6, 2025 · Unpatched

CVE-2023-28931 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Post Connector <= 1.0.9 - Authenticated (Administrator+) Stored Cross-Site Scripting

Jul 20, 2023 · Patched in 1.0.10 (187d)

CVE-2015-9362 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Post Connector < 1.0.4 - Reflected Cross-Site Scripting

Apr 20, 2015 · Patched in 1.0.4 (3200d)

WF-c3d7728f-7c25-4505-8db3-b67a5c17a439-post-connector · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Post Connector <= 1.0.3 and Post Connector Premium <= 1.6.3 - Reflected Cross-Site Scripting

Apr 20, 2015 · Patched in 1.0.4 (3200d)
Code Analysis
Analyzed Mar 16, 2026

Post Connector Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (1 prepared)
  • Unescaped Output: 41 (26 escaped)
  • Nonce Checks: 6
  • Capability Checks: 11
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 1

Bundled Libraries

TinyMCE

SQL Query Safety

100% prepared (1 total query)

Output Escaping

39% escaped (67 total outputs)
Data Flows (4 unsanitized)

Data Flow Analysis

9 flows · 4 with unsanitized paths
link_post_screen_content (core\classes\hooks\class-hook-link-post-screen.php:163)
Attack Surface

Post Connector Attack Surface

Entry Points: 2
Unprotected: 0

AJAX Handlers: 1

  • auth · wp_ajax_sp_delete_pt_link · core\classes\class-admin-menu.php:14

Shortcodes: 1

  • [subposts_show_childs] · core\classes\class-manager-shortcode.php:18

WordPress Hooks: 10

  • action · admin_init · core\classes\class-admin-menu.php:11
  • filter · posts_where · core\classes\class-create-link-list-table.php:97
  • action · widgets_init · core\classes\class-post-connector-core.php:52
  • action · add_meta_boxes · core\classes\meta-boxes\class-meta-box-manage.php:21
  • filter · wp_insert_post_data · core\classes\meta-boxes\class-meta-box-meta.php:30
  • action · save_post · core\classes\meta-boxes\class-meta-box-meta.php:31
  • action · add_meta_boxes · core\classes\meta-boxes\class-meta-box-meta.php:32
  • action · admin_head · core\classes\meta-boxes\class-meta-box-meta.php:33
  • action · save_post · core\classes\meta-boxes\class-meta-box-meta.php:257
  • action · plugins_loaded · post-connector.php:49
Maintenance & Trust

Post Connector Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.3.8
Last updated: Sep 21, 2023
PHP min version
Downloads: 11K

Community Trust

Rating: 100/100
Number of ratings: 5
Active installs: 90
Developer Profile

Post Connector Developer Profile

Barry Kooij

8 plugins · 62K total installs

Trust score: 70
Avg Security Score: 87/100
Avg Patch Time: 1432 days
Detection Fingerprints

How We Detect Post Connector

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/post-connector/core/assets/js/post-connector-ptl.min.js
  • /wp-content/plugins/post-connector/core/assets/js/post-connector-ptl.js
  • /wp-content/plugins/post-connector/core/assets/js/post-connector-connection-edit.min.js
  • /wp-content/plugins/post-connector/core/assets/js/post-connector-connection-edit.js
  • /wp-content/plugins/post-connector/core/assets/js/post-connector-pl.min.js
  • /wp-content/plugins/post-connector/core/assets/js/post-connector-pl.js
  • /wp-content/plugins/post-connector/core/assets/js/post-connector-widget-shortcode.min.js
  • /wp-content/plugins/post-connector/core/assets/js/post-connector-widget-shortcode.js
  • +2 more

Script Paths

  • core/assets/js/post-connector-ptl
  • core/assets/js/post-connector-connection-edit
  • core/assets/js/post-connector-pl
  • core/assets/js/post-connector-widget-shortcode

Version Parameters

  • post-connector/core/assets/js/post-connector-ptl.min.js?ver=
  • post-connector/core/assets/js/post-connector-ptl.js?ver=
  • post-connector/core/assets/js/post-connector-connection-edit.min.js?ver=
  • post-connector/core/assets/js/post-connector-connection-edit.js?ver=
  • post-connector/core/assets/js/post-connector-pl.min.js?ver=
  • post-connector/core/assets/js/post-connector-pl.js?ver=
  • post-connector/core/assets/js/post-connector-widget-shortcode.min.js?ver=
  • post-connector/core/assets/js/post-connector-widget-shortcode.js?ver=
  • post-connector/core/assets/css/post-connector.min.css?ver=
  • post-connector/core/assets/css/post-connector.css?ver=

HTML / DOM Fingerprints

JS Globals
sp_js
Shortcode Output

  • [post_connector_
  • [subposts_show_childs]
FAQ

Frequently Asked Questions about Post Connector