ShoutOut Security & Risk Analysis

wordpress.org/plugins/shoutout

ShoutOut is a popular software-as-a-service (SaaS) affiliate and multi-level marketing solution that allows tracking of affiliates.

30 active installs · v4.0.2 · PHP 7.0+ · WP 4.4+ · Updated Jul 3, 2021
Tags: affiliate-marketing, woocommerce-affiliate-marketing, woocommerce-mlm, woocommerce-multi-level-marketing, wordpress-mlm
Score: 63 · C · Use Caution
CVEs total: 1
Unpatched: 1
Last CVE: Jan 19, 2026
Safety Verdict

Is ShoutOut Safe to Use in 2026?

Use With Caution

Score 63/100

ShoutOut has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE · 1 unpatched · Last CVE: Jan 19, 2026 · Updated 4yr ago
Risk Assessment

The "shoutout" plugin v4.0.2 exhibits a concerning security posture, despite some positive indicators. While the plugin avoids dangerous functions, raw SQL queries, and file operations, it suffers from significant vulnerabilities in its attack surface and input handling. The presence of a REST API route without permission callbacks presents a direct entry point for unauthorized actions or information disclosure. Furthermore, the taint analysis revealing a flow with unsanitized paths, even if not critical, highlights potential for injection vulnerabilities that were not properly mitigated.

The vulnerability history is a major red flag. The plugin has a known medium-severity CVE, which is currently unpatched, and the common vulnerability type being Cross-site Scripting suggests a recurring issue with how user input is handled. The fact that the last vulnerability was in 2026 is highly unusual and likely an error in the provided data, but it emphasizes the historical presence of security flaws. The combination of an unprotected REST API endpoint and a known, unpatched XSS vulnerability points to a plugin that requires immediate attention and updates.

In conclusion, "shoutout" v4.0.2 is a high-risk plugin. While it demonstrates some good coding practices by using prepared statements for SQL and having few external requests, the critical weaknesses in its attack surface and historical vulnerability record, particularly the unpatched XSS flaw, outweigh these positives. Users should be strongly advised to disable or remove this plugin until these security issues are addressed and verified.

Key Concerns

  • Unpatched CVE (medium severity)
  • REST API route without permission callbacks
  • Flow with unsanitized paths
  • Lack of nonce checks
  • Lack of capability checks
  • Low percentage of properly escaped output

Vulnerabilities: 1

ShoutOut Security Vulnerabilities

CVEs by Year

1 CVE in 2026 · unpatched

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-68894 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ShoutOut <= 4.0.2 - Reflected Cross-Site Scripting

Jan 19, 2026 · Unpatched
Code Analysis
Analyzed Mar 16, 2026

ShoutOut Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 3 (2 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 0
External Requests: 2
Bundled Libraries: 0

Output Escaping

40% escaped · 5 total outputs
Data Flows: 1 unsanitized

Data Flow Analysis

1 flow · 1 with unsanitized paths
<shoutout-global-setting-form> (includes\admin\form\shoutout-global-setting-form.php:0)
Attack Surface: 1 unprotected

ShoutOut Attack Surface

Entry Points: 1
Unprotected: 1

REST API Routes: 1

POST /wp-json/so_discount/v1/add_discount/ · includes\class-shoutout-global-public.php:31

WordPress Hooks: 9

action · admin_menu · includes\admin\class-shoutout-global-admin.php:59
action · rest_api_init · includes\class-shoutout-global-public.php:23
action · woocommerce_order_details_after_order_table · includes\class-shoutout-global-public.php:335
action · admin_enqueue_scripts · includes\class-shoutout-global-scripts.php:103
action · wp_enqueue_scripts · includes\class-shoutout-global-scripts.php:104
action · plugins_loaded · shoutout.php:149
action · admin_init · shoutout.php:168
action · admin_notices · shoutout.php:190
action · wpmu_new_blog · shoutout.php:246
Maintenance & Trust

ShoutOut Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.7.15
Last updated: Jul 3, 2021
PHP min version: 7.0
Downloads: 3K

Community Trust

Rating: 100/100
Number of ratings: 2
Active installs: 30
Developer Profile

ShoutOut Developer Profile

shoutoutglobal

1 plugin · 30 total installs

Trust score: 68
Avg Security Score: 63/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect ShoutOut

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/shoutout/assets/css/shoutout-global-admin.css
  • /wp-content/plugins/shoutout/assets/css/shoutout-global-public.css
  • /wp-content/plugins/shoutout/assets/js/shoutout-global-admin.js
  • /wp-content/plugins/shoutout/assets/js/shoutout-global-public.js
Script Paths
  • /wp-content/plugins/shoutout/assets/js/shoutout-global-admin.js
  • /wp-content/plugins/shoutout/assets/js/shoutout-global-public.js
Version Parameters
  • shoutout/assets/css/shoutout-global-admin.css?ver=
  • shoutout/assets/css/shoutout-global-public.css?ver=
  • shoutout/assets/js/shoutout-global-admin.js?ver=
  • shoutout/assets/js/shoutout-global-public.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • shoutout-global-admin-wrap
  • shoutout-global-public-wrap
HTML Comments
  • <!-- START ShoutOut Global -->
  • <!-- END ShoutOut Global -->
Data Attributes
  • data-shoutout-global-user-id
  • data-shoutout-global-api-url
JS Globals
  • shoutout_global_public_vars
  • shoutout_global_admin_vars
REST Endpoints
  • /wp-json/shoutout-global/v1/track
  • /wp-json/shoutout-global/v1/user
Shortcode Output
  • [shoutout_form]
  • [shoutout_dashboard]