Does Private Comment have any unpatched vulnerabilities?

No. All known vulnerabilities in Private Comment have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Private Comment compatible with WordPress 6.9.4?

According to WordPress.org data, Private Comment 0.0.5 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

How often is Private Comment updated?

Private Comment was last updated on Feb 11, 2026. Frequent updates are generally a positive security signal.

What is Private Comment's security score?

Private Comment has a WP-Safety security score of 99/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Private Comment Security & Risk Analysis

wordpress.org/plugins/private-comment

Allow commenters to choose restrict their comments exhibition only to site owners

60 active installs v0.0.5 PHP + WP 5.0+ Updated Feb 11, 2026

commentsmessageprivate

A · Safe

CVEs total1

Unpatched0

Last CVEFeb 17, 2026

Plugin page Download

Safety Verdict

Is Private Comment Safe to Use in 2026?

Generally Safe

Score 99/100

Private Comment has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVELast CVE: Feb 17, 2026Updated 1mo ago

Risk Assessment

The private-comment plugin v0.0.5 exhibits a generally positive security posture based on the provided static analysis. The absence of any identified AJAX handlers, REST API routes, shortcodes, or cron events with unprotected entry points suggests a limited attack surface. The code also demonstrates good practices by exclusively using prepared statements for SQL queries and having a decent percentage of output correctly escaped. The lack of dangerous functions, file operations, and external HTTP requests further strengthens its security profile. However, the presence of one known, albeit patched, CVE related to Cross-site Scripting is a point of concern, indicating that past vulnerabilities have existed. While no critical taint flows were identified in the current analysis, the past XSS vulnerability highlights the potential for such issues if input handling is not meticulously maintained. Overall, the plugin appears to be developed with security in mind, but the historical vulnerability warrants continued vigilance.

Key Concerns

Known vulnerability history (1 CVE)
Output escaping is not 100% proper
No nonce checks found

Vulnerabilities

Private Comment Security Vulnerabilities

CVEs by Year

1 CVE in 2026

2026

Patched Has unpatched

Severity Breakdown

Medium

1 total CVE

CVE-2026-2281medium · 4.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Private Comment <= 0.0.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via Label Text Setting

Feb 17, 2026 Patched in 0.0.5 (1d)

Code Analysis

Analyzed Mar 16, 2026

Private Comment Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

5 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

71% escaped7 total outputs

Attack Surface

Private Comment Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 12

actionadmin_initprivate-comment.php:20

filtercomment_form_field_commentprivate-comment.php:22

actioncomment_postprivate-comment.php:23

filterwp_update_comment_dataprivate-comment.php:24

filterget_commentprivate-comment.php:25

filterget_comment_textprivate-comment.php:26

filterthe_commentsprivate-comment.php:27

actionwp_set_comment_statusprivate-comment.php:28

filtercomment_row_actionsprivate-comment.php:29

filteredit_comment_misc_actionsprivate-comment.php:30

filterplugin_action_linksprivate-comment.php:48

actioninitprivate-comment.php:260

Maintenance & Trust

Private Comment Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedFeb 11, 2026

PHP min version

Downloads2K

Community Trust

Rating0/100

Number of ratings0

Active installs60

Alternatives

Private Comment Alternatives

Better Messages – Live Chat, Chat Rooms, Real-Time Messaging & Private Messages

bp-better-messages

Real-time messaging and chat rooms for WordPress ecosystem: private conversations, public and private chat rooms, video & audio calls, and more.

10K 13 CVEs

Front End PM

front-end-pm

Front End PM is a Private Messaging system and a secure contact form to your WordPress site.This is full functioning messaging system from front end.

5K 1 CVE

bbPress Messages

bbp-messages

bbPress Messages - Simple yet powerful private messaging system tailored for bbPress.

100 No CVEs

Front End PM – Ultimate Member Integration

front-end-pm-ultimate-member-integration

Front End PM extension to integrate with Ultimate Member

100 No CVEs

BuddyPress Messaging Control

bp-messaging-control

This plugin is a Swiss Army Knife for messaging, It allows the site admin to place restrictions on public and private messages including general rules …

80 No CVEs

Developer Profile

Private Comment Developer Profile

Ederson Peka

6 plugins · 540 total installs

trust score

Avg Security Score

99/100

Avg Patch Time

742 days

View full developer profile

Detection Fingerprints

How We Detect Private Comment

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/private-comment/private-comment.php

HTML / DOM Fingerprints

CSS Classes

comment-form-privateprivate-comment-display-private

Data Attributes

id="wp-comment-private"

FAQ