Private Tags Security & Risk Analysis

wordpress.org/plugins/private-tags

Hide posts with certain tags/categories from the public and other authors

10 active installs v0.1 PHP + WP 2.6+ Updated Apr 11, 2009
categoriesprivatetags
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Safety Verdict

Is Private Tags Safe to Use in 2026?

Generally Safe

Score 85/100

Private Tags has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 17yr ago
Risk Assessment

The 'private-tags' plugin version 0.1 presents a mixed security picture. On the positive side, the plugin has no reported vulnerabilities historically and the static analysis shows no dangerous functions, file operations, or external HTTP requests. The single SQL query detected is correctly using prepared statements. However, a significant concern arises from the complete lack of output escaping. This means any dynamic data displayed by the plugin could be vulnerable to cross-site scripting (XSS) attacks if not properly sanitized before rendering.

Furthermore, the analysis indicates zero capability checks and zero nonce checks. While the attack surface of AJAX handlers, REST API routes, shortcodes, and cron events is reported as zero, this could be a snapshot of the plugin's current state. If the plugin were to introduce any user-facing functionality in the future, the absence of these fundamental security checks would immediately create significant vulnerabilities, especially for AJAX endpoints where authentication and authorization are crucial.

The plugin's vulnerability history of zero CVEs is reassuring, suggesting either a well-written plugin or a lack of prior scrutiny. However, the current code analysis reveals a critical weakness in output handling. The zero taint flows are positive, but the lack of output escaping is a glaring issue that needs immediate attention. While the plugin currently appears to have a small attack surface, the lack of built-in security best practices for output rendering leaves it susceptible to injection attacks.

Key Concerns

  • Output escaping is not implemented
  • No capability checks implemented
  • No nonce checks implemented
Vulnerabilities
None known

Private Tags Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Private Tags Release Timeline

v0.1Current
Code Analysis
Analyzed Apr 16, 2026

Private Tags Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
1 prepared
Unescaped Output
4
0 escaped
Nonce Checks
0
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0

SQL Query Safety

100% prepared1 total queries

Output Escaping

0% escaped4 total outputs
Attack Surface

Private Tags Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 6
filterposts_whereprivate-tags.php:251
filterposts_joinprivate-tags.php:252
filterposts_distinctprivate-tags.php:253
filterget_termsprivate-tags.php:254
actionadmin_menuprivate-tags.php:256
actionadmin_print_scriptsprivate-tags.php:257
Maintenance & Trust

Private Tags Maintenance & Trust

Maintenance Signals

WordPress version tested2.7.1
Last updatedApr 11, 2009
PHP min version
Downloads3K

Community Trust

Rating0/100
Number of ratings0
Active installs10
Developer Profile

Private Tags Developer Profile

michaeltyson

4 plugins · 170 total installs

84
trust score
Avg Security Score
85/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Private Tags

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

HTML / DOM Fingerprints

Data Attributes
private_tags_modeprivate_tagspublic_tagspt_exclusivept_inclusive
JS Globals
jQuery
FAQ

Frequently Asked Questions about Private Tags