Post Word Count Security & Risk Analysis

wordpress.org/plugins/post-word-count

Counts the total number of words in all posts or the number of words in a single post.

10 active installs v1.2 PHP + WP + Updated Dec 8, 2015
countpostswords
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Safety Verdict

Is Post Word Count Safe to Use in 2026?

Generally Safe

Score 85/100

Post Word Count has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 10yr ago
Risk Assessment

The "post-word-count" plugin v1.2 exhibits a generally positive security posture based on the static analysis provided. The absence of any AJAX handlers, REST API routes, shortcodes, or cron events with or without authentication significantly limits the attack surface. Furthermore, the plugin does not utilize dangerous functions, perform file operations, or make external HTTP requests, which are common vectors for exploits. The use of prepared statements for all SQL queries is a strong indication of secure database interaction practices.

However, a significant concern arises from the "Output escaping" signal, which shows that 100% of the total outputs are not properly escaped. This presents a substantial risk of Cross-Site Scripting (XSS) vulnerabilities, where malicious code could be injected into the WordPress site and executed by users. While the taint analysis shows no identified flows with unsanitized paths, this is likely due to the lack of any analyzed flows to begin with, rather than a proven absence of such issues. The plugin also has no recorded vulnerability history, which is a positive indicator, but does not negate the risk posed by the unescaped output.

In conclusion, the plugin demonstrates good practices in terms of limiting its attack surface and handling database queries securely. The complete lack of identified vulnerabilities in its history is also reassuring. Nevertheless, the critical issue of unescaped output must be addressed as it represents a direct and exploitable security risk. Addressing this single vulnerability would significantly improve the plugin's overall security.

Key Concerns

  • Unescaped output detected
Vulnerabilities
None known

Post Word Count Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Post Word Count Release Timeline

v1.02
v1.2Current
v1.1
Code Analysis
Analyzed Mar 16, 2026

Post Word Count Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
3 prepared
Unescaped Output
1
0 escaped
Nonce Checks
0
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0

SQL Query Safety

100% prepared3 total queries

Output Escaping

0% escaped1 total outputs
Attack Surface

Post Word Count Attack Surface

Entry Points0
Unprotected0
Maintenance & Trust

Post Word Count Maintenance & Trust

Maintenance Signals

WordPress version tested4.4.34
Last updatedDec 8, 2015
PHP min version
Downloads6K

Community Trust

Rating0/100
Number of ratings0
Active installs10
Developer Profile

Post Word Count Developer Profile

Nick Momrik

12 plugins · 3K total installs

84
trust score
Avg Security Score
85/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Post Word Count

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

HTML / DOM Fingerprints

Shortcode Output
[post_word_count][post_word_count single=true]
FAQ

Frequently Asked Questions about Post Word Count