PukiWiki for WordPress Security & Risk Analysis

wordpress.org/plugins/pukiwiki-for-wordpress

'PukiWiki for WordPress' converts PukiWiki text in an entry to HTML.

Active installs: 20
Version: v0.2.3
Requires: PHP + WP 2.8+
Updated: Unknown
Tag: japanesewiki

Security score: 100 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is PukiWiki for WordPress Safe to Use in 2026?

Generally Safe

Score 100/100

PukiWiki for WordPress has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs
Risk Assessment

Although no vulnerabilities have been publicly disclosed, the "pukiwiki-for-wordpress" plugin v0.2.3 exhibits a concerning security posture. Static analysis finds no direct entry points (no AJAX handlers, REST API routes, or shortcodes) and SQL queries are properly prepared, but several critical code signals raise significant red flags. The 12 uses of the dangerous `create_function` function are a major concern, since it compiles code from strings at runtime and can lead to code injection. Furthermore, 100% of the 106 output operations are not properly escaped, so any user-supplied data displayed on the frontend or backend could be vulnerable to cross-site scripting (XSS). The taint analysis also identified 3 flows with unsanitized paths, indicating potential path traversal, although these are not classified as critical or high severity in the provided data. The plugin's vulnerability history is empty, which could reflect good security practices or simply a lack of past discoveries. The identified code signals, particularly the unescaped output and the use of `create_function`, present substantial risks that outweigh the absence of CVEs; output escaping and secure coding practices need urgent attention.

Key Concerns

  • Unescaped output across all operations
  • Use of dangerous create_function
  • Unsanitized paths in taint analysis
  • No capability checks on entry points
  • No nonce checks on entry points

Vulnerabilities
None known

PukiWiki for WordPress Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis
Analyzed Mar 16, 2026

PukiWiki for WordPress Code Analysis

Dangerous Functions: 12
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 106 (0 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 64
External Requests: 1
Bundled Libraries: 0

Dangerous Functions Found

All 12 hits are calls to create_function (location, then the flagged code):

pukiwiki.php:45
    return preg_replace_callback('/\[pukiwiki\](.*?)\[\/pukiwiki\]/s',create_function('$matches',$replac
svc\pukiwiki\plugin\referer.inc.php:54
    usort($data, create_function('$a,$b', 'return $b[0] - $a[0];'));
svc\pukiwiki\plugin\referer.inc.php:60
    usort($data, create_function('$a,$b', 'return $a[0] - $b[0];'));
svc\pukiwiki\plugin\referer.inc.php:66
    usort($data, create_function('$a,$b', 'return $b[1] - $a[1];'));
svc\pukiwiki\plugin\referer.inc.php:72
    usort($data, create_function('$a,$b', 'return $a[1] - $b[1];'));
svc\pukiwiki\plugin\referer.inc.php:78
    usort($data, create_function('$a,$b', 'return $b[2] - $a[2];'));
svc\pukiwiki\plugin\referer.inc.php:84
    usort($data, create_function('$a,$b', 'return $a[2] - $b[2];'));
svc\pukiwiki\plugin\referer.inc.php:90
    usort($data, create_function('$a,$b',
svc\pukiwiki\plugin\tb.inc.php:143
    create_function('$a', 'return htmlspecialchars($a);'), $arr);
svc\pukiwiki\plugin\tb.inc.php:203
    usort($data, create_function('$a,$b', 'return $b[0] - $a[0];'));
svc\pukiwiki\plugin\tracker.inc.php:373
    list($key,$style,$format) = array_pad(array_map(create_function('$a','return trim($a);'),$option),3,
svc\pukiwiki\plugin\tracker.inc.php:465
    $options[$this->name] = array_flip(array_map(create_function('$arr','return $arr[0];'),$this->config

Output Escaping

0% escaped (106 total outputs)

Data Flows
3 unsanitized

Data Flow Analysis

3 flows, 3 with unsanitized paths

<dump.inc> (svc\pukiwiki\plugin\dump.inc.php:0)
Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized

Attack Surface

PukiWiki for WordPress Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 5

Type    Hook                  Location
action  wp_head               pukiwiki.php:31
action  the_content           pukiwiki.php:32
filter  edit_page_form        pukiwiki.php:33
filter  edit_form_advanced    pukiwiki.php:34
action  init                  pukiwiki.php:92

Maintenance & Trust

PukiWiki for WordPress Maintenance & Trust

Maintenance Signals

WordPress version tested: 3.5.2
Last updated: Unknown
PHP min version:
Downloads: 5K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 20

Developer Profile

PukiWiki for WordPress Developer Profile

makoto_kw

3 plugins · 40 total installs

Trust score: 87
Avg Security Score: 90/100
Avg Patch Time: 30 days

Detection Fingerprints

How We Detect PukiWiki for WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/pukiwiki-for-wordpress/pukiwiki.css
Script Paths
/wp-content/plugins/pukiwiki-for-wordpress/admin.js

HTML / DOM Fingerprints

CSS Classes
pukiwiki_content
Shortcode Output
<div id="pukiwiki_content" class="pukiwiki_content">

FAQ

Frequently Asked Questions about PukiWiki for WordPress