Does tf Song List have any unpatched vulnerabilities?

No published vulnerabilities and no findings under coordinated disclosure as of the latest data update. Always keep the plugin updated to the latest version.

Is tf Song List compatible with WordPress 3.9.40?

According to WordPress.org data, tf Song List 1.1.0 has been tested up to WordPress 3.9.40. Check the plugin's changelog for the latest compatibility information.

How often is tf Song List updated?

tf Song List was last updated on Jul 16, 2014. Frequent updates are generally a positive security signal.

What is tf Song List's security score?

tf Song List has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

tf Song List Security & Risk Analysis

wordpress.org/plugins/tf-song-list

tf Song List is an easy-to-use song listing plugin for bands and solo musicians.

20 active installs v1.1.0 PHP + WP 3.0+ Updated Jul 16, 2014

bandsrepertoiresong-listsonglistsongs

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is tf Song List Safe to Use in 2026?

Generally Safe

Score 85/100

tf Song List has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 11yr ago

Risk Assessment

The tf-song-list v1.1.0 plugin demonstrates a generally good security posture with several positive indicators. Notably, all SQL queries are prepared, and there are no identified critical or high severity taint flows. The absence of any recorded vulnerabilities, including critical or high severity ones, is a strong positive signal regarding its historical security. The presence of nonce and capability checks, along with no external HTTP requests, further contributes to its security. However, a significant concern arises from the output escaping, where only 25% of outputs are properly escaped. This suggests a risk of Cross-Site Scripting (XSS) vulnerabilities, particularly given that the plugin has one shortcode, which is a common vector for such attacks. While the attack surface is small and appears to have no direct unprotected entry points, the low rate of proper output escaping warrants attention.

Key Concerns

Low percentage of properly escaped output

Vulnerabilities

None known

tf Song List Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Version History

tf Song List Release Timeline

No version history available.

Code Analysis

Analyzed Apr 16, 2026

tf Song List Code Analysis

Dangerous Functions

Raw SQL Queries

13 prepared

Unescaped Output

14 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

100% prepared13 total queries

Output Escaping

25% escaped56 total outputs

Data Flows · Security

All sanitized

Data Flow Analysis

4 flows

export (inc/import-export.php:156)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

tf Song List Attack Surface

Entry Points1

Unprotected0

Shortcodes 1

[tf_song_list] tf-song-list.php:97

WordPress Hooks 9

actioninittf-song-list.php:84

actionadmin_menutf-song-list.php:85

actionadmin_inittf-song-list.php:86

actionright_now_content_table_endtf-song-list.php:87

actionadmin_post_tfsl_exporttf-song-list.php:88

actionadmin_post_nopriv_tfsl_exporttf-song-list.php:89

actiontemplate_redirecttf-song-list.php:90

filterplugin_row_metatf-song-list.php:93

filterupload_mimestf-song-list.php:94

Maintenance & Trust

tf Song List Maintenance & Trust

Maintenance Signals

WordPress version tested3.9.40

Last updatedJul 16, 2014

PHP min version

Downloads5K

Community Trust

Rating94/100

Number of ratings3

Active installs20

Alternatives

tf Song List Alternatives

Bandsintown Events

bandsintown

Bandsintown's Events plugin for displaying your upcoming events.

4K 1 CVE

Simple Popup Plugin

simple-popup-plugin

This plugin makes it easy to create a simple, modifiable popup window.

1K 1 unpatched

Transcoder

transcoder

Transcoding services for ANY WordPress website. Convert audio/video files of any format to a web-friendly format (mp3/mp4).

500 2 CVEs

WP Chords

wp-chords

WP Chords allows you to format and display the chords on your blog including mobile friendly interface and AMP functionality.

200 No CVEs

Better Bandsintown

better-bandsintown

Embed Tour Dates from Bandsintown.com without having to deal with CSS (or an ugly widget).

100 No CVEs

Developer Profile

tf Song List Developer Profile

Thorsten Frommen

8 plugins · 2K total installs

trust score

Avg Security Score

87/100

Avg Patch Time

2 days

View full developer profile

Detection Fingerprints

How We Detect tf Song List

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/tf-song-list/css/tf-song-list.css/wp-content/plugins/tf-song-list/js/tf-song-list.js

Script Paths

/wp-content/plugins/tf-song-list/js/tf-song-list.js

Version Parameters

tf-song-list/css/tf-song-list.css?ver=tf-song-list/js/tf-song-list.js?ver=

HTML / DOM Fingerprints

CSS Classes

tf_song_list_wrappertf_song_list_tabletf_song_list_headertf_song_list_rowtf_song_list_cell

JS Globals

tf_song_list_options

Shortcode Output

[tf_song_list]

FAQ