Does Simple Spoiler have any unpatched vulnerabilities?

No. All known vulnerabilities in Simple Spoiler have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Simple Spoiler compatible with WordPress 6.8.5?

According to WordPress.org data, Simple Spoiler 1.5 has been tested up to WordPress 6.8.5. Check the plugin's changelog for the latest compatibility information.

Is Simple Spoiler compatible with PHP 7.0+?

Simple Spoiler requires PHP 7.0 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Simple Spoiler updated?

Simple Spoiler was last updated on Jun 19, 2025. Frequent updates are generally a positive security signal.

What is Simple Spoiler's security score?

Simple Spoiler has a WP-Safety security score of 96/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Simple Spoiler Security & Risk Analysis

wordpress.org/plugins/simple-spoiler

The plugin allows to create simple spoilers with shortcode.

2K active installs v1.5 PHP 7.0+ WP 4.6+ Updated Jun 19, 2025

spoiler

A · Safe

CVEs total3

Unpatched0

Last CVEApr 9, 2025

Plugin page Download

Safety Verdict

Is Simple Spoiler Safe to Use in 2026?

Generally Safe

Score 96/100

Simple Spoiler has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEsLast CVE: Apr 9, 2025Updated 9mo ago

Risk Assessment

The simple-spoiler plugin exhibits a concerning security posture despite a low current attack surface and good output escaping practices. The absence of nonce checks and capability checks on its single shortcode entry point is a significant weakness. Furthermore, the plugin's vulnerability history reveals a pattern of serious security flaws, including cross-site scripting and code injection, with a high-severity vulnerability last appearing in 2025. While the static analysis did not uncover any directly exploitable code execution or cross-site scripting in this specific version, the historical trend of these critical vulnerability types, coupled with the lack of basic security checks on its entry points, suggests a high risk of future exploitation if vulnerabilities are introduced or reintroduced. The presence of SQL queries without prepared statements also introduces a potential for SQL injection, albeit with a lower detected risk in this analysis.

Key Concerns

No capability checks on shortcode
No nonce checks on shortcode
SQL queries not using prepared statements
History of high severity vulnerabilities
History of XSS and Code Injection vulnerabilities

Vulnerabilities

Simple Spoiler Security Vulnerabilities

CVEs by Year

2 CVEs in 2024

2024

1 CVE in 2025

2025

Patched Has unpatched

Severity Breakdown

High

Medium

3 total CVEs

CVE-2025-31020medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Simple Spoiler <= 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Apr 9, 2025 Patched in 1.5 (78d)

CVE-2024-8479high · 7.3Improper Control of Generation of Code ('Code Injection')

Simple Spoiler 1.2 - 1.3 - Unauthenticated Arbitrary Shortcode Execution

Sep 13, 2024 Patched in 1.4 (1d)

CVE-2024-35639medium · 4.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Simple Spoiler <= 1.2 - Authenticated (Admin+) Stored Cross-Site Scripting

May 30, 2024 Patched in 1.3 (107d)

Code Analysis

Analyzed Mar 16, 2026

Simple Spoiler Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

11 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

0% prepared1 total queries

Output Escaping

92% escaped12 total outputs

Attack Surface

Simple Spoiler Attack Surface

Entry Points1

Unprotected0

Shortcodes 1

[spoiler] simple-spoiler.php:99

WordPress Hooks 6

actionadmin_menusimple-spoiler.php:18

actionadmin_noticessimple-spoiler.php:46

actionadmin_initsimple-spoiler.php:53

filtercomment_textsimple-spoiler.php:118

actionwp_enqueue_scriptssimple-spoiler.php:129

actionwp_headsimple-spoiler.php:147

Maintenance & Trust

Simple Spoiler Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5

Last updatedJun 19, 2025

PHP min version7.0

Downloads18K

Community Trust

Rating90/100

Number of ratings6

Active installs2K

Alternatives

Simple Spoiler Alternatives

Inline Spoilers

inline-spoilers

The plugin allows to create content spoilers with Guttenberg block or simple shortcode.

1K No CVEs

Advanced Spoiler

advanced-spoiler

Show or hide contents(text, image etc.) with animated effects wrapped by spoiler markup tag([spoiler][/spoiler]).

600 No CVEs

OtFm Gutenberg Spoiler – (or FAQ) collapse block

otfm-gutenberg-spoiler

The plugin provides in the block editor 2 types of spoilers. Need FAQ or Spoiler?

600 No CVEs

wpSpoiler

wpspoiler

A plugin designed to protect the reader against spoilers.

400 No CVEs

Simple Accessible Spoilers

simple-accessible-spoilers

100

Create fully accessible content spoilers or accordions with a shortcode.

100 No CVEs

Developer Profile

Simple Spoiler Developer Profile

Webliberty

2 plugins · 3K total installs

trust score

Avg Security Score

98/100

Avg Patch Time

62 days

View full developer profile

Detection Fingerprints

How We Detect Simple Spoiler

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/simple-spoiler/css/simple-spoiler.min.css/wp-content/plugins/simple-spoiler/js/simple-spoiler.min.js

Script Paths

/wp-content/plugins/simple-spoiler/js/simple-spoiler.min.js

Version Parameters

simple-spoiler/css/simple-spoiler.min.css?ver=1.5simple-spoiler/js/simple-spoiler.min.js?ver=1.5

HTML / DOM Fingerprints

CSS Classes

spoiler-wrapspoiler-headspoiler-bodyfolded

Data Attributes

data-settings-updated

Shortcode Output

<div class="spoiler-wrap"><div class="spoiler-head folded"></div><div class="spoiler-body">

FAQ