Pretty Url Security & Risk Analysis

wordpress.org/plugins/pretty-url

Description: Pretty URLs is a powerful WordPress plugin that lets you create clean, SEO-optimized custom URLs for any content type — including Posts, …

90 active installs · v1.5.5 · PHP + WP 3.4+ · Updated Jun 18, 2025
Tags: custom-category-url, custom-page-url, custom-post-type-pretty-url, custom-post-url, seo-friendly-url
77
B · Generally Safe
CVEs total: 3
Unpatched: 1
Last CVE: Jan 7, 2025
Safety Verdict

Is Pretty Url Safe to Use in 2026?

Mostly Safe

Score 77/100

Pretty Url is generally safe to use. 3 past CVEs were resolved. Keep it updated.

3 known CVEs · 1 unpatched · Last CVE: Jan 7, 2025 · Updated 9mo ago
Risk Assessment

The 'pretty-url' plugin exhibits a mixed security posture. While it has a commendable zero-attack surface for direct entry points like AJAX handlers and REST API routes, and a reasonable number of SQL queries utilize prepared statements, there are significant concerns. The taint analysis revealing two flows with unsanitized paths, classified as high severity, is a critical finding that indicates potential vulnerabilities in how user input is handled, which could lead to serious security issues if exploited.

The plugin's vulnerability history, with three known CVEs and two currently unpatched, is a major red flag. The fact that these past vulnerabilities include Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) suggests a recurring pattern of input validation and state management weaknesses. The most recent vulnerability being in 2025 further indicates that these issues may be persistent and not adequately addressed.

In conclusion, despite a strong showing in minimizing direct attack vectors and a good percentage of prepared SQL statements, the presence of high-severity unsanitized taint flows and a history of unpatched CSRF and XSS vulnerabilities present a substantial risk. Users should exercise extreme caution and prioritize patching any known vulnerabilities. The plugin has strengths in code hygiene for certain areas, but the identified taint flows and historical issues require immediate attention.

Key Concerns

  • Unpatched CVEs
  • High severity unsanitized taint flows
  • Medium severity unpatched CVEs
  • SQL queries not using prepared statements
  • Outputs not properly escaped
  • Missing nonce checks
  • Missing capability checks
Vulnerabilities
3

Pretty Url Security Vulnerabilities

CVEs by Year

  • 2023: 1 CVE
  • 2025: 2 CVEs · unpatched

Severity Breakdown

Medium: 3

3 total CVEs

CVE-2025-22564 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Pretty Url <= 1.5.4 - Reflected Cross-Site Scripting

Jan 7, 2025 · Patched in 1.5.5 (416d)

CVE-2025-22563 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Pretty Url <= 1.5.4 - Cross-Site Request Forgery

Jan 7, 2025 · Unpatched

CVE-2023-2009 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Pretty Url < 1.5.5 - Authenticated (Admin+) Stored Cross-Site Scripting

Apr 18, 2023 · Patched in 1.5.5 (1065d)

Code Analysis
Analyzed Mar 16, 2026

Pretty Url Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 10 (32 prepared)
  • Unescaped Output: 16 (31 escaped)
  • Nonce Checks: 2
  • Capability Checks: 3
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 0

SQL Query Safety

76% prepared · 42 total queries

Output Escaping

66% escaped · 47 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

2 flows · 2 with unsanitized paths
prettyurls_manage (wp-prettyyurls.php:262)
Attack Surface

Pretty Url Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 11
  • action admin_menu (wp-prettyyurls.php:28)
  • action add_meta_boxes (wp-prettyyurls.php:29)
  • action save_post (wp-prettyyurls.php:30)
  • filter term_link (wp-prettyyurls.php:33)
  • filter page_link (wp-prettyyurls.php:34)
  • filter post_link (wp-prettyyurls.php:35)
  • filter post_type_link (wp-prettyyurls.php:36)
  • filter redirect_canonical (wp-prettyyurls.php:37)
  • filter rewrite_rules_array (wp-prettyyurls.php:38)
  • filter wp_title (wp-prettyyurls.php:39)
  • action wp_head (wp-prettyyurls.php:40)
Maintenance & Trust

Pretty Url Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Jun 18, 2025
PHP min version
Downloads: 11K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 90
Developer Profile

Pretty Url Developer Profile

faaiq

6 plugins · 630 total installs

Trust score: 71
Avg Security Score: 89/100
Avg Patch Time: 498 days
Detection Fingerprints

How We Detect Pretty Url

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

HTML / DOM Fingerprints

FAQ

Frequently Asked Questions about Pretty Url