Premium Posts Security & Risk Analysis

wordpress.org/plugins/premium-posts

Mark posts as "Premium" and display a custom message or ad code.

10 active installs v2.3 PHP + WP 3.1+ Updated May 30, 2013
markpostpostspremiumtag
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Safety Verdict

Is Premium Posts Safe to Use in 2026?

Generally Safe

Score 85/100

Premium Posts has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 13yr ago
Risk Assessment

The 'premium-posts' plugin v2.3 exhibits a generally positive security posture based on the static analysis and vulnerability history provided. The plugin has a very small attack surface, with no discovered AJAX handlers, REST API routes, shortcodes, or cron events, indicating a minimal footprint for potential attackers. Furthermore, the code analysis shows no dangerous functions, no file operations, and no external HTTP requests, which are all good security indicators. The use of prepared statements for SQL queries is also a significant strength.

However, there are notable areas of concern. The most significant is the complete lack of output escaping on the single output found in the code. This represents a clear risk of cross-site scripting (XSS) vulnerabilities, where malicious code could be injected and executed in users' browsers. Additionally, the absence of nonce checks and capability checks, especially given the lack of explicit authentication checks on any potential entry points (even though the attack surface is zero), suggests a potential weakness if any new entry points were introduced or if current ones are overlooked. The vulnerability history also shows no recorded CVEs, which is positive, but the lack of any historical data makes it difficult to assess long-term security trends.

In conclusion, while the plugin's limited attack surface and secure SQL practices are commendable, the unescaped output is a critical oversight that needs immediate attention. The lack of comprehensive security checks like nonces and capability checks, while not immediately exploitable due to the zero attack surface, points to a need for more robust security implementation in the code. The overall risk is moderate, primarily due to the XSS vulnerability.

Key Concerns

  • Unescaped output found
  • No nonce checks
  • No capability checks
Vulnerabilities
None known

Premium Posts Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Premium Posts Release Timeline

No version history available.
Code Analysis
Analyzed Mar 17, 2026

Premium Posts Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
1
0 escaped
Nonce Checks
0
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

0% escaped1 total outputs
Attack Surface

Premium Posts Attack Surface

Entry Points0
Unprotected0
Maintenance & Trust

Premium Posts Maintenance & Trust

Maintenance Signals

WordPress version tested3.5.2
Last updatedMay 30, 2013
PHP min version
Downloads2K

Community Trust

Rating100/100
Number of ratings1
Active installs10
Developer Profile

Premium Posts Developer Profile

Shaun Scovil

4 plugins · 130 total installs

84
trust score
Avg Security Score
85/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Premium Posts

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/premium-posts/premium-posts.php

HTML / DOM Fingerprints

Shortcode Output
premium_posts()
FAQ

Frequently Asked Questions about Premium Posts