Remoji – Post/Comment Reaction and Enhancement Security & Risk Analysis

wordpress.org/plugins/remoji

Reactive emoji. Allow visitors to add emoji reactions to your posts and comments. Disable comments for pages and posts.

400 active installs · v2.2 · PHP + WP 4.0+ · Updated Oct 15, 2025
Tags: comment, counter, emoji, postviews, views
Score: 75 · B · Generally Safe
CVEs total: 1
Unpatched: 1
Last CVE: Mar 17, 2026
Safety Verdict

Is Remoji – Post/Comment Reaction and Enhancement Safe to Use in 2026?

Mostly Safe

Score 75/100

Remoji – Post/Comment Reaction and Enhancement is generally safe to use. 1 past CVE was resolved. Keep it updated.

1 known CVE · 1 unpatched · Last CVE: Mar 17, 2026 · Updated 5mo ago
Risk Assessment

The remoji plugin v2.2 exhibits a mixed security posture. While it boasts no known vulnerabilities in its history and makes good use of prepared statements for SQL queries, significant concerns arise from its attack surface and code signals. The presence of three unprotected REST API routes presents a considerable risk, as these can be accessed by unauthenticated users, potentially leading to unauthorized actions or data exposure. Furthermore, the taint analysis reveals two high-severity flows with unsanitized paths, indicating potential for code injection or other malicious operations if these paths are triggered with user-controlled input. The low percentage of properly escaped output (33%) is another red flag, suggesting a higher likelihood of cross-site scripting (XSS) vulnerabilities.

The lack of historical vulnerabilities is a positive sign, suggesting that the developers may be attentive to security. However, the static analysis findings, particularly the unprotected REST API endpoints and high-severity taint flows, cannot be ignored. The plugin demonstrates a weakness in input validation and access control for its REST API, which, combined with insufficient output escaping, creates a notable risk profile despite the absence of past CVEs. Vigilance is recommended, and immediate attention should be paid to securing the identified REST API routes and addressing the identified taint flows.

Key Concerns

  • Unprotected REST API routes
  • High severity taint flows
  • Low percentage of properly escaped output
  • Unprotected entry points (REST API)
Vulnerabilities: 1

Remoji – Post/Comment Reaction and Enhancement Security Vulnerabilities

CVEs by Year

1 CVE in 2026 · unpatched

Severity Breakdown

High: 1

1 total CVE

CVE-2026-25452 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Remoji – Post/Comment Reaction and Enhancement <= 2.2 - Unauthenticated Stored Cross-Site Scripting

Mar 17, 2026 · Unpatched
Code Analysis
Analyzed Mar 16, 2026

Remoji – Post/Comment Reaction and Enhancement Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (15 prepared)
Unescaped Output: 108 (53 escaped)
Nonce Checks: 2
Capability Checks: 1
File Operations: 6
External Requests: 2
Bundled Libraries: 0

SQL Query Safety

94% prepared · 16 total queries

Output Escaping

33% escaped · 161 total outputs
Data Flows: 4 unsanitized

Data Flow Analysis

5 flows · 4 with unsanitized paths
redirect (src\router.cls.php:57)
Attack Surface: 3 unprotected

Remoji – Post/Comment Reaction and Enhancement Attack Surface

Entry Points: 4
Unprotected: 3

REST API Routes: 3

GET /wp-json/remoji/v1/show_reaction_panel · src\rest.cls.php:30
POST /wp-json/remoji/v1/add · src\rest.cls.php:36
POST /wp-json/remoji/v1/postview · src\rest.cls.php:42

Shortcodes: 1

[views] · src\postview.cls.php:23

WordPress Hooks: 23

action · admin_menu · src\admin.cls.php:20
filter · plugin_action_links_remoji/remoji.php · src\admin.cls.php:21
action · admin_init · src\admin.cls.php:22
action · admin_enqueue_scripts · src\admin.cls.php:24
action · admin_notices · src\admin.cls.php:52
filter · manage_edit-post_columns · src\admin.cls.php:54
action · manage_posts_custom_column · src\admin.cls.php:55
filter · manage_edit-post_sortable_columns · src\admin.cls.php:56
filter · comments_array · src\comment.cls.php:26
filter · comments_open · src\comment.cls.php:27
action · template_redirect · src\comment.cls.php:28
filter · comments_template · src\comment.cls.php:67
action · wp_enqueue_scripts · src\gui.cls.php:44
filter · comment_text · src\gui.cls.php:47
filter · the_content · src\gui.cls.php:51
action · plugins_loaded · src\lang.cls.php:18
action · remoji_postview · src\postview.cls.php:21
action · twentytwenty_end_of_post_meta_list · src\postview.cls.php:27
filter · the_content · src\postview.cls.php:32
action · rest_api_init · src\rest.cls.php:20
action · init · src\router.cls.php:26
filter · auto_update_plugin · src\util.cls.php:21
action · widgets_init · src\widget.cls.php:15
Maintenance & Trust

Remoji – Post/Comment Reaction and Enhancement Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Oct 15, 2025
PHP min version
Downloads: 12K

Community Trust

Rating: 100/100
Number of ratings: 5
Active installs: 400
Developer Profile

Remoji – Post/Comment Reaction and Enhancement Developer Profile

WPDO

6 plugins · 8K total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 146 days
Detection Fingerprints

How We Detect Remoji – Post/Comment Reaction and Enhancement

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/remoji/assets/css/remoji.css
  • /wp-content/plugins/remoji/assets/remoji.js
  • /wp-content/plugins/remoji/assets/remoji_admin.js
Script Paths
  • /wp-content/plugins/remoji/assets/remoji.js
  • /wp-content/plugins/remoji/assets/remoji_admin.js
Version Parameters
  • remoji/assets/css/remoji.css?ver=
  • remoji/assets/remoji.js?ver=
  • remoji/assets/remoji_admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • remoji-switch
Data Attributes
  • name="_settings-enroll[]"
  • name="comment_emoji"
  • name="post_emoji"
  • name="postview"
  • name="postview_delay"
JS Globals
  • window.remoji
  • var localized_settings
REST Endpoints
  • /wp-json/remoji/v1/show_reaction_panel
  • /wp-json/remoji/v1/add
  • /wp-json/remoji/v1/postview
FAQ

Frequently Asked Questions about Remoji – Post/Comment Reaction and Enhancement