Show All Comments Security & Risk Analysis

wordpress.org/plugins/show-all-comments-in-one-page

This plugin displays all the comments received on your various posts in a single page with filter, enabling the readers to read all the comments in a …

500 active installs · v7.0.1 · PHP + WP 3.6.1+ · Updated Dec 21, 2022

Tags: all-comments-in-one-page · comments-filter · eazy-comments-management · manage-all-comments-in-one-page · show-all-comments
Score: 62 (C · Use Caution)
CVEs total: 2
Unpatched: 1
Last CVE: May 7, 2025
Safety Verdict

Is Show All Comments Safe to Use in 2026?

Use With Caution

Score 62/100

Show All Comments has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

2 known CVEs · 1 unpatched · Last CVE: May 7, 2025 · Updated 3yr ago
Risk Assessment

The "show-all-comments-in-one-page" plugin version 7.0.1 presents a significant security risk. The static analysis reveals a concerning lack of input validation and authorization checks. Two AJAX handlers are exposed without any authentication, creating a direct attack vector. Furthermore, all three SQL queries are executed without prepared statements, leaving the plugin vulnerable to SQL injection attacks. The taint analysis also indicates flows with unsanitized paths, although no critical or high severity issues were found in this specific analysis. The plugin's vulnerability history is a major red flag, with two known CVEs, one of which remains unpatched. The prevalence of Cross-site Scripting vulnerabilities in its history suggests a pattern of insufficient output escaping and improper input neutralization.

Key Concerns

  • Unpatched CVE
  • AJAX handlers without auth checks
  • Raw SQL queries without prepare
  • Low percentage of properly escaped output
  • Missing nonce checks on AJAX
  • Missing capability checks
  • Flows with unsanitized paths
Vulnerabilities (2)

Show All Comments Security Vulnerabilities

CVEs by Year

  • 2022: 1 CVE (patched)
  • 2025: 1 CVE (unpatched)

Severity Breakdown

Medium: 2 (2 total CVEs)

CVE-2025-47607 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Show All Comments <= 7.0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting
May 7, 2025 · Unpatched

CVE-2022-4295 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Show All Comments <= 7.0.0 - Reflected Cross-Site Scripting
Dec 23, 2022 · Patched in 7.0.1 (396d)
Code Analysis (analyzed Mar 16, 2026)

Show All Comments Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 3 (0 prepared)
  • Unescaped Output: 21 (12 escaped)
  • Nonce Checks: 0
  • Capability Checks: 0
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 0

SQL Query Safety

0% prepared (3 total queries)

Output Escaping

36% escaped (33 total outputs)

Data Flows (2 unsanitized)

Data Flow Analysis

2 flows, 2 with unsanitized paths:
sac_post_type_call_callback (bt-comments.php:551)

Attack Surface (2 unprotected)

Show All Comments Attack Surface

Entry Points: 3
Unprotected: 2

AJAX Handlers (2)

  • auth · wp_ajax_sac_post_type_call · bt-comments.php:548
  • nopriv · wp_ajax_sac_post_type_call · bt-comments.php:549

Shortcodes (1)

  • [bt_comments] · bt-comments.php:241

WordPress Hooks (5)

  • action · admin_menu · bt-comments.php:9
  • action · admin_init · bt-comments.php:17
  • filter · comments_clauses · bt-comments.php:310
  • action · wp_enqueue_scripts · bt-comments.php:603
  • filter · pre_option_page_comments · bt-comments.php:630
Maintenance & Trust

Show All Comments Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.1.10
  • Last updated: Dec 21, 2022
  • PHP min version:
  • Downloads: 16K

Community Trust

  • Rating: 78/100
  • Number of ratings: 14
  • Active installs: 500
Alternatives

Show All Comments Alternatives

No alternatives data available yet.

Developer Profile

Show All Comments Developer Profile

AppJetty

8 plugins · 820 total installs

Trust score: 68
Avg Security Score: 84/100
Avg Patch Time: 396 days
Detection Fingerprints

How We Detect Show All Comments

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/show-all-comments-in-one-page/style.css
  • /wp-content/plugins/show-all-comments-in-one-page/js/bt_script.js
Script Paths
  • /wp-content/plugins/show-all-comments-in-one-page/js/bt_script.js
Version Parameters
  • show-all-comments-in-one-page/style.css?ver=
  • show-all-comments-in-one-page/js/bt_script.js?ver=

HTML / DOM Fingerprints

Data Attributes
  • name="bt_post_type[]"
  • name="bt_pagination"
  • name="bt_comments_per_page"
  • name="bt_exclude_post"
  • name="biztech_sac_avatar"
  • name="biztech_show_date"
  • +5 more
FAQ

Frequently Asked Questions about Show All Comments