SCSS WP Editor Security & Risk Analysis

wordpress.org/plugins/scss-wp-editor

Easily Add, Compile and Optimize your SCSS to CSS within WordPress Admin.

1K active installs · v1.2.1 · PHP 7.4+ · WP 6.0+ · Updated Dec 22, 2025
Tags: css, css-editor, scss, scss-editor, scss-to-css
Score: 79 · B · Generally Safe
CVEs total: 1
Unpatched: 1
Last CVE: Apr 1, 2025
Safety Verdict

Is SCSS WP Editor Safe to Use in 2026?

Mostly Safe

Score 79/100

SCSS WP Editor is generally safe to use. 1 past CVE was resolved. Keep it updated.

1 known CVE · 1 unpatched · Last CVE: Apr 1, 2025 · Updated 3mo ago
Risk Assessment

The SCSS WP Editor plugin v1.2.1 exhibits a mixed security posture. On one hand, it demonstrates good practices by utilizing prepared statements for all SQL queries and properly escaping all output. It also has a limited attack surface with no exposed AJAX handlers, REST API routes, shortcodes, or cron events that lack authentication checks. However, significant concerns arise from the presence of dangerous functions like `unserialize` and `assert`, and a notable lack of nonce checks and capability checks throughout the code. The taint analysis reveals flows with unsanitized paths, although currently classified as low severity. The plugin's vulnerability history is particularly worrying, with one unpatched medium-severity CVE related to Cross-Site Request Forgery (CSRF), and the fact that the last vulnerability was in the future (2025-04-01) suggests potential data inaccuracies or future known issues. While the plugin has strengths in data handling and output sanitization, the potential for arbitrary code execution via `unserialize` and the historical CSRF vulnerability, coupled with a general absence of authorization controls, necessitates caution.

Key Concerns

  • Unpatched CVE
  • Dangerous functions detected (unserialize, assert)
  • Flows with unsanitized paths
  • Zero nonce checks
  • Zero capability checks
Vulnerabilities: 1

SCSS WP Editor Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-31808 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

SCSS WP Editor <= 1.1.8 - Cross-Site Request Forgery

Apr 1, 2025 · Unpatched
Code Analysis
Analyzed Mar 16, 2026

SCSS WP Editor Code Analysis

Dangerous Functions: 12
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 0 (9 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 15
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

Function · Code · Location
unserialize · `$c = unserialize($c);` · admin\scssphp\src\Cache.php:136
unserialize · `$value = unserialize($value);` · admin\scssphp\src\Compiler.php:789
assert · `assert($selfParent !== null, 'at-root blocks must have a selfParent set.');` · admin\scssphp\src\Compiler.php:1438
assert · `assert($kebabCaseName !== null);` · admin\scssphp\src\Compiler.php:3868
assert · `assert(!empty($parsedPrototypes));` · admin\scssphp\src\Compiler.php:6348
assert · `assert(\is_string($arg[0][1]));` · admin\scssphp\src\Compiler.php:6646
assert · `assert(\is_string($name));` · admin\scssphp\src\Compiler.php:6671
assert · `assert($originalRestArgumentName !== null);` · admin\scssphp\src\Compiler.php:6803
assert · `assert($default !== null);` · admin\scssphp\src\Compiler.php:6824
assert · `assert(! empty($block->selectors));` · admin\scssphp\src\Formatter\Compressed.php:72
assert · `assert(! empty($block->selectors));` · admin\scssphp\src\Formatter\Crunched.php:74
assert · `assert(! empty($block->selectors));` · admin\scssphp\src\Formatter.php:168

Output Escaping

100% escaped · 9 total outputs
Data Flows: 3 unsanitized

Data Flow Analysis

3 flows · 3 with unsanitized paths
swe_editor_page (admin\class-scss-wp-editor-admin.php:164)
Attack Surface

SCSS WP Editor Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 10
action · plugins_loaded · includes\class-scss-wp-editor.php:142
action · network_admin_enqueue_scripts · includes\class-scss-wp-editor.php:159
action · network_admin_enqueue_scripts · includes\class-scss-wp-editor.php:160
action · admin_enqueue_scripts · includes\class-scss-wp-editor.php:161
action · admin_enqueue_scripts · includes\class-scss-wp-editor.php:162
action · admin_enqueue_scripts · includes\class-scss-wp-editor.php:163
action · admin_menu · includes\class-scss-wp-editor.php:164
action · network_admin_menu · includes\class-scss-wp-editor.php:165
action · wp_enqueue_scripts · includes\class-scss-wp-editor.php:180
action · wp_enqueue_scripts · includes\class-scss-wp-editor.php:181
Maintenance & Trust

SCSS WP Editor Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 22, 2025
PHP min version: 7.4
Downloads: 11K

Community Trust

Rating: 100/100
Number of ratings: 4
Active installs: 1K
Developer Profile

SCSS WP Editor Developer Profile

IT Path Solutions

10 plugins · 11K total installs

Trust score: 84
Avg Security Score: 94/100
Avg Patch Time: 77 days
Detection Fingerprints

How We Detect SCSS WP Editor

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/scss-wp-editor/admin/css/scss-wp-editor-admin.css
/wp-content/plugins/scss-wp-editor/admin/js/scss-wp-editor-admin.js
Script Paths
/wp-content/plugins/scss-wp-editor/admin/js/scss-wp-editor-admin.js
Version Parameters
scss-wp-editor/admin/css/scss-wp-editor-admin.css?ver=
scss-wp-editor/admin/js/scss-wp-editor-admin.js?ver=

HTML / DOM Fingerprints

Data Attributes
data-codemirror-editor
JS Globals
cm_settings
FAQ

Frequently Asked Questions about SCSS WP Editor