Does searchReplace have any unpatched vulnerabilities?

No. All known vulnerabilities in searchReplace have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is searchReplace compatible with WordPress 6.7.5?

According to WordPress.org data, searchReplace 1.2.2 has been tested up to WordPress 6.7.5. Check the plugin's changelog for the latest compatibility information.

How often is searchReplace updated?

searchReplace was last updated on Dec 31, 2024. Frequent updates are generally a positive security signal.

What is searchReplace's security score?

searchReplace has a WP-Safety security score of 92/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

searchReplace Security & Risk Analysis

wordpress.org/plugins/searchreplace

SearchReplace checks for and replaces content in your posts, pages and/or comments. Fully configurable.

20 active installs v1.2.2 PHP + WP 2.9.1+ Updated Dec 31, 2024

commentspostsregular-expressionreplacesearch

A · Safe

CVEs total0

Unpatched0

Last CVENever

Download

Safety Verdict

Is searchReplace Safe to Use in 2026?

Generally Safe

Score 92/100

searchReplace has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 1yr ago

Risk Assessment

The searchreplace plugin v1.2.2 exhibits a mixed security posture. On one hand, it shows strong adherence to secure coding practices by exclusively using prepared statements for SQL queries and demonstrating no known historical vulnerabilities (CVEs). The absence of a significant attack surface, including no AJAX handlers, REST API routes, shortcodes, or cron events, is also a positive indicator, reducing the potential for direct exploitation.

However, the static analysis reveals critical weaknesses. The presence of the `unserialize` function, especially without any apparent capability or nonce checks, is a significant concern. This function is notoriously dangerous as it can lead to Remote Code Execution (RCE) if an attacker can control the data being unserialized. Furthermore, the taint analysis indicates two flows with unsanitized paths, although they are not classified as critical or high severity. The most alarming finding is that 100% of the output is not properly escaped, presenting a clear Cross-Site Scripting (XSS) risk.

In conclusion, while the plugin benefits from a small attack surface and a clean vulnerability history, the identified risks associated with `unserialize`, unsanitized taint flows, and particularly unescaped output represent substantial security concerns that require immediate attention. The lack of observed protection mechanisms like nonce and capability checks around dangerous functions amplifies these risks.

Key Concerns

Dangerous function 'unserialize' used without apparent checks
2 flows with unsanitized paths identified
100% of output not properly escaped
No nonce checks detected
No capability checks detected

Vulnerabilities

None known

searchReplace Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 16, 2026

searchReplace Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

0 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Dangerous Functions Found

unserialize$searchReplace_options = unserialize($searchReplaceInit);searchReplace.php:184

Output Escaping

0% escaped1 total outputs

Data Flows

2 unsanitized

Data Flow Analysis

2 flows2 with unsanitized paths

searchReplace_option_page (searchReplace.php:43)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

searchReplace Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 3

actionadmin_menusearchReplace.php:208

actionthe_contentsearchReplace.php:209

actioncomment_textsearchReplace.php:210

Maintenance & Trust

searchReplace Maintenance & Trust

Maintenance Signals

WordPress version tested6.7.5

Last updatedDec 31, 2024

PHP min version

Downloads5K

Community Trust

Rating0/100

Number of ratings0

Active installs20

Alternatives

searchReplace Alternatives

Search Regex

search-regex

100

Search Regex adds a powerful set of search and replace functions to WordPress posts, pages, custom post types, and other data.

100K No CVEs

LJ user ex

lj-user-ex

Replaces <lj user="username"/> and <lj comm="community"/> with correct HTML code.

10 No CVEs

SEO Comment Paging

seo-comment-paging

100

El objetivo de este plugin es mejorar el posicionamiento de buscadores colocando las etiquetas meta noindex y nofollow en la paginacion de comentarios (disponibles en WordPress 2.7+) evitando de esta manera el duplicado de contenidos, se aplica a todas las paginas individuales de nuestro blog.

10 No CVEs

Better Search Replace

better-search-replace

A simple plugin to update URLs or other text in a database.

1.0M 2 CVEs

Search & Replace

search-and-replace

Search & Replace data in your database with WordPress admin, replace domains/URLs of your WordPress installation.

100K 2 CVEs

Developer Profile

searchReplace Developer Profile

Joost

2 plugins · 30 total installs

trust score

Avg Security Score

96/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect searchReplace

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

HTML / DOM Fingerprints

FAQ