Pz-LinkCard Security & Risk Analysis

wordpress.org/plugins/pz-linkcard

This plugin is intended to display a link in a blog card format. Say goodbye to the text-only link.

20K active installs · v2.5.8.1 · PHP 8.1.29+ · WP 6.0+ · Updated Mar 7, 2026
Tags: blogcard, external-link, internal-link, linkcard
Score 96 · A · Safe
CVEs total: 6
Unpatched: 0
Last CVE: Sep 23, 2025
Safety Verdict

Is Pz-LinkCard Safe to Use in 2026?

Generally Safe

Score 96/100

Pz-LinkCard has a strong security track record. Known vulnerabilities have been patched promptly.

6 known CVEs · Last CVE: Sep 23, 2025 · Updated 27d ago
Risk Assessment

The "pz-linkcard" plugin version 2.5.8.1 exhibits a mixed security posture. On the positive side, static analysis reveals a very small attack surface with no unprotected entry points, robust use of prepared statements for SQL queries, and excellent output escaping. Taint analysis also shows no critical or high severity issues related to unsanitized paths.

However, the plugin's vulnerability history is a significant concern. Six known medium-severity vulnerabilities, including historical instances of SSRF, CSRF, and XSS, indicate a recurring pattern of insecure coding practices that have led to exploitable flaws. The fact that the last vulnerability was only recently discovered (2025-09-23) suggests that while the known vulnerabilities may be currently patched, the underlying issues are still present in the codebase. The absence of capability checks on its entry points, despite having AJAX handlers, is also a potential area for further investigation and hardening.

In conclusion, while the current version of "pz-linkcard" appears to have addressed immediate critical threats and demonstrates good practices in SQL and output handling, its past vulnerability record necessitates caution. Users should be aware of the historical susceptibility of this plugin, and developers should prioritize a thorough review of the codebase to prevent recurrence of past vulnerability types. The lack of capability checks is a notable weakness.

Key Concerns

  • History of medium vulnerabilities (6 total)
  • No capability checks on entry points
  • Limited nonce checks (1)
Vulnerabilities
6

Pz-LinkCard Security Vulnerabilities

CVEs by Year

  • 2022: 1 CVE
  • 2023: 1 CVE
  • 2024: 3 CVEs
  • 2025: 1 CVE

Severity Breakdown

Medium: 6

6 total CVEs

CVE-2025-8594 · medium · 6.4 · Server-Side Request Forgery (SSRF)

Pz-LinkCard <= 2.5.6 - Authenticated (Contributor+) Server-Side Request Forgery

Sep 23, 2025 Patched in 2.5.7 (24d)
CVE-2024-0677 · medium · 5 · Server-Side Request Forgery (SSRF)

Pz-LinkCard <= 2.5.2 - Server-Side Request Forgery

Mar 7, 2024 Patched in 2.5.3 (22d)
CVE-2024-0672 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Pz-LinkCard <= 2.5.2 - Reflected Cross-Site Scripting

Mar 7, 2024 Patched in 2.5.3 (49d)
CVE-2024-0673 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Pz-LinkCard <= 2.5.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Mar 7, 2024 Patched in 2.5.3 (22d)
CVE-2023-47790 · medium · 5.4 · Cross-Site Request Forgery (CSRF)

Pz-LinkCard <= 2.5.2 - Cross-Site Request Forgery via page_cacheman

Nov 14, 2023 Patched in 2.5.3 (133d)
CVE-2021-25012 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Pz-LinkCard <= 2.4.5.1 - Reflected Cross-Site Scripting

Mar 1, 2022 Patched in 2.4.5.2 (693d)
Code Analysis
Analyzed Mar 16, 2026

Pz-LinkCard Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 1 (9 prepared)
  • Unescaped Output: 1 (59 escaped)
  • Nonce Checks: 1
  • Capability Checks: 0
  • File Operations: 4
  • External Requests: 6
  • Bundled Libraries: 0

SQL Query Safety

90% prepared · 10 total queries

Output Escaping

98% escaped · 60 total outputs

Data Flows: All sanitized

Data Flow Analysis

2 flows
action_ajax_lkc_click_count (pz-linkcard.php:2781)
Attack Surface

Pz-LinkCard Attack Surface

Entry Points: 2
Unprotected: 0

AJAX Handlers: 2

  • auth · wp_ajax_pz_lkc_click_count · pz-linkcard.php:454
  • nopriv · wp_ajax_pz_lkc_click_count · pz-linkcard.php:455

WordPress Hooks: 15

  • action · init · pz-linkcard.php:414
  • action · plugins_loaded · pz-linkcard.php:415
  • action · upgrader_process_complete · pz-linkcard.php:416
  • action · wp_enqueue_scripts · pz-linkcard.php:434
  • action · plugins_loaded · pz-linkcard.php:436
  • filter · the_content · pz-linkcard.php:438
  • action · admin_menu · pz-linkcard.php:2612
  • action · admin_enqueue_scripts · pz-linkcard.php:2613
  • action · admin_print_styles · pz-linkcard.php:2614
  • action · admin_print_scripts · pz-linkcard.php:2615
  • action · wp_before_admin_bar_render · pz-linkcard.php:2616
  • action · admin_notices · pz-linkcard.php:2617
  • action · admin_print_footer_scripts · pz-linkcard.php:2618
  • filter · mce_external_plugins · pz-linkcard.php:2620
  • filter · mce_buttons · pz-linkcard.php:2621
Maintenance & Trust

Pz-LinkCard Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Mar 7, 2026
  • PHP min version: 8.1.29
  • Downloads: 700K

Community Trust

  • Rating: 100/100
  • Number of ratings: 9
  • Active installs: 20K
Developer Profile

Pz-LinkCard Developer Profile

ぽぽろん@ぽぽづれ。

4 plugins · 20K total installs

  • Trust score: 73
  • Avg Security Score: 92/100
  • Avg Patch Time: 157 days
Detection Fingerprints

How We Detect Pz-LinkCard

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/pz-linkcard/assets/css/pz-linkcard.css
/wp-content/plugins/pz-linkcard/assets/js/pz-linkcard.js
Script Paths
/wp-content/plugins/pz-linkcard/assets/js/pz-linkcard.js
Version Parameters
pz-linkcard/assets/css/pz-linkcard.css?ver=
pz-linkcard/assets/js/pz-linkcard.js?ver=

HTML / DOM Fingerprints

CSS Classes
pz-linkcard
JS Globals
pz_linkcard_setting
Shortcode Output
[pz-linkcard
[/pz-linkcard]
FAQ

Frequently Asked Questions about Pz-LinkCard