Does Tarot have any unpatched vulnerabilities?

No published vulnerabilities and no findings under coordinated disclosure as of the latest data update. Always keep the plugin updated to the latest version.

Is Tarot compatible with WordPress 5.0.25?

According to WordPress.org data, Tarot 1.0.1 has been tested up to WordPress 5.0.25. Check the plugin's changelog for the latest compatibility information.

Is Tarot compatible with PHP 5.2.4+?

Tarot requires PHP 5.2.4 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Tarot updated?

Tarot was last updated on Nov 13, 2018. Frequent updates are generally a positive security signal.

What is Tarot's security score?

Tarot has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Tarot Security & Risk Analysis

wordpress.org/plugins/tarot

A fairly simple Tarot plugin. Generates a three-card spread in a Gutenberg Block.

20 active installs v1.0.1 PHP 5.2.4+ WP 4.9+ Updated Nov 13, 2018

fortune-tellinggutenbergtarot

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is Tarot Safe to Use in 2026?

Generally Safe

Score 85/100

Tarot has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 7yr ago

Risk Assessment

The "tarot" plugin v1.0.1 exhibits a generally strong security posture based on the provided static analysis. The plugin effectively utilizes nonces and capability checks for its single AJAX entry point, and all SQL queries are properly prepared, which significantly mitigates common attack vectors. The high percentage of properly escaped output further demonstrates good security practices. The absence of any recorded vulnerabilities in its history also suggests a commitment to security or a lack of past exposure.

However, a deeper inspection of the static analysis reveals a potential, albeit minor, concern. The presence of a single file operation without explicit details on its context or whether it involves user-supplied input could, in a more complex scenario, present a risk. While the taint analysis shows no unsanitized paths, this could be due to the limited scope of the analysis or the specific nature of the file operation. Given the overall robust security practices and lack of historical issues, the risk associated with this single file operation is currently low, but it warrants a cautious approach for future development.

In conclusion, the "tarot" plugin v1.0.1 is well-secured with strong adherence to best practices like prepared statements and nonce/capability checks. The lack of historical vulnerabilities is a positive indicator. The only area for potential improvement, or at least further scrutiny, lies in the single file operation, which should be monitored to ensure it remains secure even if user-supplied data were to be involved in the future. The current risk is minimal.

Key Concerns

Single file operation without context

Vulnerabilities

None known

Tarot Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Version History

Tarot Release Timeline

v1.0.1Current

v1.0

v0.9.1

v0.9

Code Analysis

Analyzed Mar 16, 2026

Tarot Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

21 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

95% escaped22 total outputs

Attack Surface

Tarot Attack Surface

Entry Points1

Unprotected0

AJAX Handlers 1

authwp_ajax_download-tarot-decktarot.php:21

WordPress Hooks 7

actioninitblocks\tarot.php:10

actionenqueue_block_editor_assetsblocks\tarot.php:29

filterupload_dirdecks\8bit.php:135

actionadmin_inittarot.php:20

actionadmin_menutarot.php:23

filtertarot_get_decktarot.php:30

actionplugins_loadedtarot.php:36

Maintenance & Trust

Tarot Maintenance & Trust

Maintenance Signals

WordPress version tested5.0.25

Last updatedNov 13, 2018

PHP min version5.2.4

Downloads3K

Community Trust

Rating40/100

Number of ratings1

Active installs20

Alternatives

Tarot Alternatives

Tarot, Oracle cards, Tarot readings, Tarokina

tarokina-free

100

The best tarot plugin for wordpress. Intuitive and easy to use. Provides accurate tarot readings.

300 No CVEs

Classic Editor

classic-editor

100

Enables the previous "classic" editor and the old-style Edit Post screen with TinyMCE, Meta Boxes, etc. Supports all plugins that extend this screen.

9.0M No CVEs

Starter Templates – AI-Powered Templates for Elementor & Gutenberg

astra-sites

The growing library of 300+ ready-to-use templates that work with all WordPress themes including Astra, Hello, OceanWP, GeneratePress and more

2.0M 7 CVEs

Classic Widgets

classic-widgets

100

Enables the previous "classic" widgets settings screens in Appearance - Widgets and the Customizer. Disables the block editor from managing widgets.

2.0M No CVEs

Advanced Editor Tools

tinymce-advanced

100

Extends and enhances the block editor (Gutenberg) and the classic editor (TinyMCE).

2.0M 1 CVE

Developer Profile

Tarot Developer Profile

George Stephanis

17 plugins · 16K total installs

trust score

Avg Security Score

85/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect Tarot

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/tarot/tarot.css

Version Parameters

tarot/tarot.css?ver=

HTML / DOM Fingerprints

CSS Classes

tarot-settings-sectiontarot-deckstarot-cardcard-arttarot-spread

Data Attributes

data-deckdata-dl-nonce

JS Globals

jQueryajaxurl

REST Endpoints

/wp-json/tarot/

Shortcode Output

<div class="tarot-spread three-card">

FAQ