Does Post Head Includes have any unpatched vulnerabilities?

No. All known vulnerabilities in Post Head Includes have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Post Head Includes compatible with WordPress 3.5.2?

According to WordPress.org data, Post Head Includes 0.2.1 has been tested up to WordPress 3.5.2. Check the plugin's changelog for the latest compatibility information.

How often is Post Head Includes updated?

Post Head Includes was last updated on Unknown. Frequent updates are generally a positive security signal.

What is Post Head Includes's security score?

Post Head Includes has a WP-Safety security score of 100/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Post Head Includes Security & Risk Analysis

wordpress.org/plugins/post-head-includes

Easily add scripts and stylesheets to the HEAD of your posts, keeping your HTML cleaner without inline scripts or styles.

10 active installs v0.2.1 PHP + WP + Updated Unknown

cssjavascriptpost-head-includeswp_enqueue_scriptwp_enqueue_style

A · Safe

CVEs total0

Unpatched0

Last CVENever

Download

Safety Verdict

Is Post Head Includes Safe to Use in 2026?

Generally Safe

Score 100/100

Post Head Includes has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs

Risk Assessment

The 'post-head-includes' plugin version 0.2.1 exhibits a generally positive security posture, with no known vulnerabilities or critical code signals detected during static and taint analysis. The absence of any reported CVEs, coupled with the consistent use of prepared statements for SQL queries, indicates a strong adherence to secure coding practices in these areas. Furthermore, the presence of nonce and capability checks suggests an awareness of common WordPress security measures.

However, a significant concern arises from the output escaping. With only 25% of outputs properly escaped, there is a notable risk of Cross-Site Scripting (XSS) vulnerabilities. This means that user-supplied or dynamic data, if not handled carefully, could be injected into the page, potentially leading to malicious code execution in the user's browser. While the attack surface appears minimal with no exposed AJAX handlers, REST API routes, shortcodes, or cron events, the unescaped output presents a direct and tangible risk.

In conclusion, the plugin demonstrates good practices in areas like SQL handling and authentication checks, and its lack of historical vulnerabilities is a positive sign. Nevertheless, the poor output escaping is a critical weakness that requires immediate attention to mitigate the risk of XSS attacks. Addressing this single point of failure would significantly improve the plugin's overall security.

Key Concerns

Poor output escaping (25% properly escaped)

Vulnerabilities

None known

Post Head Includes Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 16, 2026

Post Head Includes Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

1 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

25% escaped4 total outputs

Attack Surface

Post Head Includes Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 5

actionwp_headplugin.php:26

actionwp_enqueue_scriptsplugin.php:27

actionwp_footerplugin.php:28

actionadd_meta_boxespost-meta.php:18

actionsave_postpost-meta.php:19

Maintenance & Trust

Post Head Includes Maintenance & Trust

Maintenance Signals

WordPress version tested3.5.2

Last updatedUnknown

PHP min version

Downloads2K

Community Trust

Rating0/100

Number of ratings0

Active installs10

Alternatives

Post Head Includes Alternatives

Asset CleanUp: Page Speed Booster

wp-asset-clean-up

Make your website load FASTER by stopping specific styles (.CSS) & scripts (.JS) from loading. It works best with a page caching plugin / service.

100K 6 CVEs

Scripts n Styles

scripts-n-styles

This plugin allows Admin users to individually add HTML, custom CSS, Classes and JavaScript directly to Post, Pages or any other custom post types.

30K 1 CVE

Custom CSS and JavaScript

custom-css-and-javascript

Easily add custom CSS and JavaScript code to your WordPress site, with draft previewing, revisions, and minification!

10K No CVEs

Raw HTML

raw-html

Lets you use raw HTML or any other code in your posts. You can also disable smart quotes and other automatic formatting on a per-post basis.

10K No CVEs

Code Embed

simple-embed-code

Code Embed provides a very easy and efficient way to embed code (JavaScript, CSS and HTML) in your posts and pages.

10K 4 CVEs

Developer Profile

Post Head Includes Developer Profile

Rick Buczynski

1 plugin · 10 total installs

trust score

Avg Security Score

100/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect Post Head Includes

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/post-head-includes/item.php

Version Parameters

post-head-includes/style.css?ver=post-head-includes/script.js?ver=

HTML / DOM Fingerprints

HTML Comments

<!--[if IE]>
	<script type="text/javascript" src="http://html5shim.googlecode.com/svn/trunk/html5.js"></script>
<![endif]-->

JS Globals

window.WP_Plugins_Postheadincludesvar $_postheadincludes

FAQ