Does Schema Scalpel have any unpatched vulnerabilities?

No published vulnerabilities and no findings under coordinated disclosure as of the latest data update. Always keep the plugin updated to the latest version.

Is Schema Scalpel compatible with WordPress 6.9.4?

According to WordPress.org data, Schema Scalpel 2.0.3 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

Is Schema Scalpel compatible with PHP 7.4+?

Schema Scalpel requires PHP 7.4 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Schema Scalpel updated?

Schema Scalpel was last updated on Mar 26, 2026. Frequent updates are generally a positive security signal.

What is Schema Scalpel's security score?

Schema Scalpel has a WP-Safety security score of 99/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Schema Scalpel Security & Risk Analysis

wordpress.org/plugins/schema-scalpel

Add custom JSON-LD schema markup per post or page with a powerful new editor metabox – precise, fast, and SEO-boosting.

90 active installs v2.0.3 PHP 7.4+ WP 5.0+ Updated Mar 26, 2026

json-ldrich-snippetsschemaseostructured-data

A · Safe

CVEs total1

Unpatched0

Last CVEOct 31, 2025

Plugin page Download

Safety Verdict

Is Schema Scalpel Safe to Use in 2026?

Generally Safe

Score 99/100

Schema Scalpel has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

1 known CVELast CVE: Oct 31, 2025Updated 1mo ago

Risk Assessment

The "schema-scalpel" v2.0 plugin demonstrates a generally good security posture with several positive indicators. Its attack surface is small, with all identified entry points (AJAX handlers) secured by authentication checks. The vast majority of SQL queries utilize prepared statements, and a significant percentage of output is properly escaped, reducing the risk of common web vulnerabilities.

However, the presence of five dangerous `unserialize` functions is a notable concern. While the taint analysis did not reveal any critical or high-severity unsanitized flows, the potential for deserialization vulnerabilities, especially when user-controlled input is involved, cannot be ignored. The history of one medium-severity Cross-Site Scripting (XSS) vulnerability, although now patched, suggests that input sanitization and output escaping require continuous vigilance.

In conclusion, "schema-scalpel" v2.0 has made good progress in securing its codebase, particularly in its handling of database queries and output. The primary area for improvement lies in addressing the `unserialize` function usage, ensuring that any data being unserialized is from trusted sources or is thoroughly validated to prevent potential attacks. The past XSS vulnerability should serve as a reminder to maintain rigorous security testing.

Key Concerns

Presence of dangerous unserialize function
Vulnerability history with medium XSS

Vulnerabilities

1 published

Schema Scalpel Security Vulnerabilities

CVEs by Year

1 CVE in 2025

2025

Patched Has unpatched

Severity Breakdown

Medium

1 total CVE

CVE-2025-12118medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Schema Scalpel <= 1.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title in JSON-LD Schema

Oct 31, 2025 Patched in 1.6.2 (1d)

Version History

Schema Scalpel Release Timeline

v2.0.3Current

v2.0.2

v2.0.1

v2.0

v1.6.4

v1.6.3

v1.6.2

v1.6.11 CVE

v1.61 CVE

v1.51 CVE

v1.4.71 CVE

v1.4.61 CVE

v1.4.51 CVE

v1.4.41 CVE

v1.4.31 CVE

v1.4.21 CVE

v1.4.11 CVE

v1.41 CVE

v1.3.21 CVE

v1.3.11 CVE

Code Analysis

Analyzed Mar 16, 2026

Schema Scalpel Code Analysis

Dangerous Functions

Raw SQL Queries

130 prepared

Unescaped Output

136 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Dangerous Functions Found

unserialize$wet_cereal = unserialize( $results[ $key ]['custom_schema'] );admin\partials\scsc-global-tab.php:47

unserialize$no_cereal = unserialize( $schema_results_pages[ $key ]['custom_schema'] );admin\partials\scsc-pages-tab.php:107

unserialize$no_cereal = unserialize( $schema_results_posts[ $key ]['custom_schema'] );admin\partials\scsc-posts-tab.php:105

unserialize$unserialized = unserialize( $row['custom_schema'] );admin\partials\scsc-user-export.php:81

unserialize$unserialized = unserialize( $raw_schema );admin\partials\scsc-user-export.php:206

SQL Query Safety

99% prepared131 total queries

Output Escaping

76% escaped180 total outputs

Data Flows · Security

2 unsanitized

Data Flow Analysis

2 flows2 with unsanitized paths

handle_requests (admin\partials\scsc-admin-main.php:74)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

Schema Scalpel Attack Surface

Entry Points3

Unprotected0

AJAX Handlers 3

authwp_ajax_scsc_save_metabox_schemaadmin\class-scsc-admin.php:58

authwp_ajax_scsc_create_metabox_schemaadmin\class-scsc-admin.php:59

authwp_ajax_scsc_delete_metabox_schemaadmin\class-scsc-admin.php:60

WordPress Hooks 23

actionadd_meta_boxesadmin\class-scsc-admin.php:63

actionadmin_footeradmin\partials\scsc-admin-main.php:2020

actionadmin_footeradmin\partials\scsc-examples-tab.php:180

actionadmin_footeradmin\partials\scsc-posts-tab.php:138

actionadmin_footeradmin\partials\scsc-user-export.php:279

actionadmin_footeradmin\partials\scsc-user-settings.php:1449

actionadmin_enqueue_scriptsincludes\class-schema-scalpel.php:92

actionadmin_enqueue_scriptsincludes\class-schema-scalpel.php:93

actionwp_enqueue_scriptsincludes\class-schema-scalpel.php:106

actionadmin_menuincludes\class-schema-scalpel.php:155

actionadmin_headincludes\class-schema-scalpel.php:156

actionadmin_headincludes\class-schema-scalpel.php:200

actionadmin_noticesincludes\class-scsc-upgrade.php:157

actionadmin_noticesincludes\class-scsc-upgrade.php:168

actionupgrader_process_completeschema-scalpel.php:65

actionplugins_loadedschema-scalpel.php:98

filterwpseo_schema_graphschema-scalpel.php:131

filterwpseo_json_ld_outputschema-scalpel.php:134

filteraioseo_schema_outputschema-scalpel.php:139

filteraioseo_disable_schemaschema-scalpel.php:140

filterrank_math/json_ldschema-scalpel.php:145

filterrank_math/frontend/disable_schemaschema-scalpel.php:146

actionwpschema-scalpel.php:149

Maintenance & Trust

Schema Scalpel Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedMar 26, 2026

PHP min version7.4

Downloads9K

Community Trust

Rating100/100

Number of ratings1

Active installs90

Alternatives

Schema Scalpel Alternatives

Cirv Box

cirv-box

100

Automatically generate Schema.org structured data for better Google rankings. Article, Product, Organization, and FAQ schemas included FREE!

10 No CVEs

Smart Schema Automation

pichautari-schema-automation

100

Automated Schema.org structured data generator for LocalBusiness, FAQ, Product, Service, Article, Video, Job Posting, and Breadcrumb schemas.

10 No CVEs

Frank Schema Markup Generator

frank-schema-markup-generator

100

Generate JSON-LD schema with 100+ types. Centralized management, view/copy features, and 50+ ready-made templates.

0 No CVEs

Sekhlo Schema Code

sekhlo-schema-code

100

Advanced Schema Markup Manager with Entity Builder, Local Business schema, site-wide identity injection, Headers & Footers, and AI Search optimiza …

0 No CVEs

Structured Data for Schema.org

structured-data-for-schema-org

100

Generate Schema.org structured data via shortcode. Supports HowTo, FAQPage, ItemList, CreativeWork.

0 No CVEs

Developer Profile

Schema Scalpel Developer Profile

Kevin Gillispie

1 plugin · 90 total installs

trust score

Avg Security Score

99/100

Avg Patch Time

1 days

View full developer profile

Detection Fingerprints

How We Detect Schema Scalpel

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/schema-scalpel/admin/css/bootstrap.min.css/wp-content/plugins/schema-scalpel/admin/css/prism.css/wp-content/plugins/schema-scalpel/admin/css/scsc-admin.css

Version Parameters

schema-scalpel/admin/css/bootstrap.min.css?ver=schema-scalpel/admin/css/prism.css?ver=schema-scalpel/admin/css/scsc-admin.css?ver=

HTML / DOM Fingerprints

CSS Classes

scsc-schema-editorscsc-editor-toolbarscsc-editor-fieldscsc-editor-actionsscsc-field-labelscsc-field-inputscsc-schema-type-selectorscsc-schema-field-wrapper+4 more

HTML Comments

+5 more

Data Attributes

data-scsc-schema-iddata-scsc-schema-typedata-scsc-field-namedata-scsc-field-path

JS Globals

SchemaScalpelAdmin

REST Endpoints

/wp-json/schema-scalpel/v1/schemas/wp-json/schema-scalpel/v1/schema

FAQ

Schema Scalpel Security & Risk Analysis

Is Schema Scalpel Safe to Use in 2026?

Generally Safe

Key Concerns

Schema Scalpel Security Vulnerabilities

CVEs by Year

Severity Breakdown

Schema Scalpel Release Timeline

Schema Scalpel Code Analysis

Dangerous Functions Found

SQL Query Safety

Output Escaping

Data Flow Analysis

Schema Scalpel Attack Surface

AJAX Handlers 3

Schema Scalpel Maintenance & Trust

Maintenance Signals

Community Trust

Schema Scalpel Alternatives

Cirv Box

Smart Schema Automation

Frank Schema Markup Generator

Sekhlo Schema Code

Structured Data for Schema.org

Schema Scalpel Developer Profile

How We Detect Schema Scalpel

Asset Fingerprints

HTML / DOM Fingerprints

Frequently Asked Questions about Schema Scalpel