Text Control Security & Risk Analysis

wordpress.org/plugins/text-control-2

Text Control will allow you to choose from a variety of formatting syntaxes and encoding options. You can choose between Markdown, Textile 1, Textile …

100 active installs · v2.3.1 · PHP + · WP 1.5+ · Updated Oct 31, 2013
Tags: encoding, format, formatting, post
Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Text Control Safe to Use in 2026?

Generally Safe

Score 85/100

Text Control has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 12yr ago
Risk Assessment

The "text-control-2" v2.3.1 plugin presents a mixed security picture. On one hand, the absence of known vulnerabilities in its history and a robust approach to SQL queries (100% prepared statements) are positive indicators. The plugin also has a very small attack surface with no AJAX handlers, REST API routes, shortcodes, or cron events that lack authentication or permission checks.

However, the static analysis reveals several significant concerns. The presence of dangerous functions like `preg_replace(/e)` and `create_function` warrants careful scrutiny, as these are common sources of remote code execution vulnerabilities if not handled with extreme care. While no critical or high severity taint flows were detected, one flow with an unsanitized path indicates a potential weakness where user-supplied data might not be adequately validated before being used in a sensitive operation. Furthermore, the output escaping is only 55% proper, meaning a significant portion of output could be vulnerable to cross-site scripting (XSS) attacks.

The plugin's lack of vulnerability history could be interpreted positively as a sign of good security practices, or it could simply mean that the plugin has not been thoroughly scrutinized or targeted. Despite the strengths in SQL handling and attack surface, the identified dangerous functions and the unsanitized taint flow, coupled with insufficient output escaping, suggest a moderate to high risk. Further investigation into the specific implementations of these dangerous functions and the unsanitized taint flow is strongly recommended to determine the actual exploitability.

Key Concerns

  • Dangerous functions present (preg_replace(/e), create_function)
  • Unsanitized taint flow detected
  • Insufficient output escaping (55% proper)
  • No nonce checks on entry points
Vulnerabilities
None known

Text Control Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Text Control Code Analysis

  • Dangerous Functions: 3
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 5 (6 escaped)
  • Nonce Checks: 0
  • Capability Checks: 1
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 0

Dangerous Functions Found

  • preg_replace(/e): `preg_replace('/\&\#(\d+);/e'` at text-control\textile2.php:1492
  • create_function: `$text = (($f = create_function('$text, $param', $filters[$filter])) ? $f($text, $param) : $text);` at text-control\textile2.php:2628
  • create_function: `return create_function('$m', '$me =& Textile::_current(); return ' . $function . ';');` at text-control\textile2.php:3247

Output Escaping

55% escaped · 11 total outputs
Data Flows: 1 unsanitized

Data Flow Analysis

2 flows · 1 with unsanitized paths
tc_post_option_page (text-control.php:149)
[Data flow diagram. Legend: Source (user input), Sink (dangerous op), Sanitizer, Transform; paths marked Unsanitized or Sanitized]
Attack Surface

Text Control Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 10
  • filter plugin_action_links (text-control.php:69)
  • filter dbx_post_advanced (text-control.php:336)
  • action init (text-control.php:472)
  • action admin_menu (text-control.php:473)
  • action admin_menu (text-control.php:474)
  • filter edit_post (text-control.php:475)
  • filter publish_post (text-control.php:476)
  • filter the_content (text-control.php:480)
  • filter the_excerpt (text-control.php:484)
  • filter comment_text (text-control.php:488)
Maintenance & Trust

Text Control Maintenance & Trust

Maintenance Signals

WordPress version tested: 3.7.41
Last updated: Oct 31, 2013
PHP min version:
Downloads: 15K

Community Trust

Rating: 94/100
Number of ratings: 3
Active installs: 100
Developer Profile

Text Control Developer Profile

Frank Bueltge

5 plugins · 101K total installs

Trust score: 86
Avg Security Score: 89/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Text Control

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/text-control-2/text-control/textile1.php
  • /wp-content/plugins/text-control-2/text-control/textile2.php
  • /wp-content/plugins/text-control-2/text-control/markdown.php
  • /wp-content/plugins/text-control-2/text-control/smartypants.php

HTML / DOM Fingerprints

Data Attributes
  • name="tc_post_format"
  • name="tc_post_encoding"
  • name="tc_comment_format"
  • name="tc_comment_encoding"