Schema Scalpel Security & Risk Analysis

wordpress.org/plugins/schema-scalpel

Add custom JSON-LD schema markup per post or page with a powerful new editor metabox – precise, fast, and SEO-boosting.

90 active installs · v2.0 · PHP 7.4+ · WP 5.0+ · Updated Jan 23, 2026

Tags: json-ld, markup, schema, seo, structured-data

Security score: 99 (A · Safe)
CVEs total: 1
Unpatched: 0
Last CVE: Oct 31, 2025
Safety Verdict

Is Schema Scalpel Safe to Use in 2026?

Generally Safe

Score 99/100

Schema Scalpel has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Oct 31, 2025 · Updated 2mo ago
Risk Assessment

The "schema-scalpel" v2.0 plugin demonstrates a generally good security posture with several positive indicators. Its attack surface is small, and all identified entry points (AJAX handlers) are gated by authentication checks. Nearly all SQL queries use prepared statements, and most output is properly escaped, which reduces the risk of common web vulnerabilities.

However, the five calls to the dangerous `unserialize()` function are a notable concern. Although the taint analysis did not reveal any critical or high-severity unsanitized flows, the potential for deserialization vulnerabilities when attacker-influenced data reaches `unserialize()` cannot be ignored. The one medium-severity Cross-Site Scripting (XSS) vulnerability in the plugin's history, now patched, shows that input sanitization and output escaping require continuous vigilance.

In conclusion, "schema-scalpel" v2.0 has made good progress in securing its codebase, particularly in its handling of database queries and output. The primary area for improvement is the `unserialize()` usage: any data passed to it should come only from trusted sources or be thoroughly validated before deserialization. The past XSS vulnerability should serve as a reminder to maintain rigorous security testing.

Key Concerns

  • Use of the dangerous unserialize() function
  • Vulnerability history: one medium-severity XSS

Schema Scalpel Security Vulnerabilities

CVEs by Year

2025: 1 CVE (patched)

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2025-12118 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Schema Scalpel <= 1.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title in JSON-LD Schema

Oct 31, 2025 · Patched in 1.6.2 (1 day)

Schema Scalpel Code Analysis (analyzed Mar 16, 2026)

Dangerous Functions: 5
Raw SQL Queries: 1 (130 prepared)
Unescaped Output: 44 (136 escaped)
Nonce Checks: 6
Capability Checks: 5
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

unserialize (admin\partials\scsc-global-tab.php:47): $wet_cereal = unserialize( $results[ $key ]['custom_schema'] );
unserialize (admin\partials\scsc-pages-tab.php:107): $no_cereal = unserialize( $schema_results_pages[ $key ]['custom_schema'] );
unserialize (admin\partials\scsc-posts-tab.php:105): $no_cereal = unserialize( $schema_results_posts[ $key ]['custom_schema'] );
unserialize (admin\partials\scsc-user-export.php:81): $unserialized = unserialize( $row['custom_schema'] );
unserialize (admin\partials\scsc-user-export.php:206): $unserialized = unserialize( $raw_schema );

SQL Query Safety

99% prepared (131 total queries)

Output Escaping

76% escaped (180 total outputs)

Data Flow Analysis

2 flows, 2 with unsanitized paths

handle_requests (admin\partials\scsc-admin-main.php:74)
[flow diagram not reproduced; legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized]
Schema Scalpel Attack Surface

Entry Points: 3
Unprotected: 0

AJAX Handlers (3)

wp_ajax_scsc_save_metabox_schema (auth) admin\class-scsc-admin.php:58
wp_ajax_scsc_create_metabox_schema (auth) admin\class-scsc-admin.php:59
wp_ajax_scsc_delete_metabox_schema (auth) admin\class-scsc-admin.php:60
WordPress Hooks (23)

action: add_meta_boxes (admin\class-scsc-admin.php:63)
action: admin_footer (admin\partials\scsc-admin-main.php:2020)
action: admin_footer (admin\partials\scsc-examples-tab.php:180)
action: admin_footer (admin\partials\scsc-posts-tab.php:138)
action: admin_footer (admin\partials\scsc-user-export.php:279)
action: admin_footer (admin\partials\scsc-user-settings.php:1449)
action: admin_enqueue_scripts (includes\class-schema-scalpel.php:92)
action: admin_enqueue_scripts (includes\class-schema-scalpel.php:93)
action: wp_enqueue_scripts (includes\class-schema-scalpel.php:106)
action: admin_menu (includes\class-schema-scalpel.php:155)
action: admin_head (includes\class-schema-scalpel.php:156)
action: admin_head (includes\class-schema-scalpel.php:200)
action: admin_notices (includes\class-scsc-upgrade.php:157)
action: admin_notices (includes\class-scsc-upgrade.php:168)
action: upgrader_process_complete (schema-scalpel.php:65)
action: plugins_loaded (schema-scalpel.php:98)
filter: wpseo_schema_graph (schema-scalpel.php:131)
filter: wpseo_json_ld_output (schema-scalpel.php:134)
filter: aioseo_schema_output (schema-scalpel.php:139)
filter: aioseo_disable_schema (schema-scalpel.php:140)
filter: rank_math/json_ld (schema-scalpel.php:145)
filter: rank_math/frontend/disable_schema (schema-scalpel.php:146)
action: wp (schema-scalpel.php:149)
Schema Scalpel Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 23, 2026
PHP min version: 7.4
Downloads: 9K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 90
Schema Scalpel Developer Profile

Kevin Gillispie

1 plugin · 90 total installs

Trust score: 99
Avg Security Score: 99/100
Avg Patch Time: 1 day
How We Detect Schema Scalpel

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/schema-scalpel/admin/css/bootstrap.min.css
/wp-content/plugins/schema-scalpel/admin/css/prism.css
/wp-content/plugins/schema-scalpel/admin/css/scsc-admin.css

Version Parameters
schema-scalpel/admin/css/bootstrap.min.css?ver=
schema-scalpel/admin/css/prism.css?ver=
schema-scalpel/admin/css/scsc-admin.css?ver=

HTML / DOM Fingerprints

CSS Classes
scsc-schema-editor, scsc-editor-toolbar, scsc-editor-field, scsc-editor-actions, scsc-field-label, scsc-field-input, scsc-schema-type-selector, scsc-schema-field-wrapper (+4 more)

HTML Comments
<!-- Schema Scalpel Metabox Start -->
<!-- Schema Scalpel Metabox End -->
<!-- Schema Editor Toolbar -->
<!-- Schema Editor Fields -->
(+5 more)

Data Attributes
data-scsc-schema-id, data-scsc-schema-type, data-scsc-field-name, data-scsc-field-path

JS Globals
SchemaScalpelAdmin

REST Endpoints
/wp-json/schema-scalpel/v1/schemas
/wp-json/schema-scalpel/v1/schema

Frequently Asked Questions about Schema Scalpel