Posts By Tag Security & Risk Analysis

wordpress.org/plugins/posts-by-tag

Provide sidebar widget, shortcode and template functions that can be used to display posts from a set of tags using various options in the sidebar or …

1K active installs · v3.2.1 · PHP + · WP 4.0+ · Updated Oct 13, 2021
Tags: cache, posts, sidebar, tag, widget
Score: 63 (C · Use Caution)
CVEs total: 1
Unpatched: 1
Last CVE: Oct 22, 2025
Safety Verdict

Is Posts By Tag Safe to Use in 2026?

Use With Caution

Score 63/100

Posts By Tag has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE · 1 unpatched · Last CVE: Oct 22, 2025 · Updated 4yr ago
Risk Assessment

The "posts-by-tag" plugin version 3.2.1 exhibits a mixed security posture. On the positive side, it demonstrates good practices with 100% of SQL queries using prepared statements, no dangerous functions, no file operations, and no external HTTP requests. The presence of nonce and capability checks suggests an awareness of securing entry points. However, a significant concern arises from the low output escaping rate, with only 10% of outputs being properly escaped. This indicates a high risk of Cross-Site Scripting (XSS) vulnerabilities where user-supplied data could be rendered unsafely in the browser.

The vulnerability history reveals one known medium-severity CVE, identified as Cross-Site Scripting, which is currently unpatched. This is a critical indicator of an existing security flaw that could be exploited by attackers. While the static analysis did not explicitly flag unsanitized output that leads to XSS, the low escaping rate strongly suggests this is the likely cause of the known vulnerability and a continuing risk.

In conclusion, while the plugin has some strong security foundations, the unpatched XSS vulnerability and the low rate of output escaping represent significant weaknesses. The single unpatched CVE demands immediate attention, and the general lack of robust output escaping in the codebase presents a persistent threat that could lead to further exploitable vulnerabilities.

Key Concerns

  • Unpatched medium severity CVE
  • Low output escaping (90% unescaped)
Vulnerabilities
1

Posts By Tag Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-62983 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Posts By Tag <= 3.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Oct 22, 2025 · Unpatched
Code Analysis
Analyzed Mar 16, 2026

Posts By Tag Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 101 (11 escaped)
Nonce Checks: 1
Capability Checks: 2
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

10% escaped · 112 total outputs
Attack Surface

Posts By Tag Attack Surface

Entry Points: 1
Unprotected: 0

Shortcodes: 1

[posts-by-tag] · posts-by-tag.php:108

WordPress Hooks: 8

action · init · include\posts-by-tag-google-analytics.php:105
action · admin_print_scripts · posts-by-tag.php:95
action · admin_head · posts-by-tag.php:96
action · admin_menu · posts-by-tag.php:99
action · save_post · posts-by-tag.php:102
filter · plugin_row_meta · posts-by-tag.php:105
action · init · posts-by-tag.php:375
action · widgets_init · posts-by-tag.php:381
Maintenance & Trust

Posts By Tag Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.8.13
Last updated: Oct 13, 2021
PHP min version
Downloads: 80K

Community Trust

Rating: 76/100
Number of ratings: 15
Active installs: 1K
Developer Profile

Posts By Tag Developer Profile

Sudar Muthu

16 plugins · 21K total installs

Trust score: 84
Avg Security Score: 86/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Posts By Tag

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/posts-by-tag/include/posts-by-tag-google-analytics.php

HTML / DOM Fingerprints

JS Globals
Posts_By_Tag