Does TinyMCE Spellcheck have any unpatched vulnerabilities?

No. All known vulnerabilities in TinyMCE Spellcheck have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is TinyMCE Spellcheck compatible with WordPress 4.0.38?

According to WordPress.org data, TinyMCE Spellcheck 1.3 has been tested up to WordPress 4.0.38. Check the plugin's changelog for the latest compatibility information.

How often is TinyMCE Spellcheck updated?

TinyMCE Spellcheck was last updated on Nov 28, 2017. Frequent updates are generally a positive security signal.

What is TinyMCE Spellcheck's security score?

TinyMCE Spellcheck has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

TinyMCE Spellcheck Security & Risk Analysis

wordpress.org/plugins/tinymce-spellcheck

TinyMCE Spellcheck adds the spellcheck button back to the editor in WordPress 3.6 and up.

3K active installs v1.3 PHP + WP 3.6+ Updated Nov 28, 2017

grammarspellspellcheckerspellingwriting

A · Safe

CVEs total0

Unpatched0

Last CVENever

Download

Safety Verdict

Is TinyMCE Spellcheck Safe to Use in 2026?

Generally Safe

Score 85/100

TinyMCE Spellcheck has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 8yr ago

Risk Assessment

The tinymce-spellcheck v1.3 plugin exhibits a mixed security posture. While it demonstrates good practices in handling SQL queries with prepared statements and has no recorded vulnerabilities or CVEs, significant concerns arise from its attack surface. All three identified AJAX handlers lack authentication checks, presenting a direct pathway for unauthorized actions if these handlers can be triggered by unauthenticated users. Furthermore, the taint analysis revealed two flows with unsanitized paths, indicating a potential for injection vulnerabilities, although these were not classified as critical or high. The plugin also shows a low percentage of properly escaped output, suggesting a risk of cross-site scripting (XSS) vulnerabilities, particularly when data processed by these unsanitized paths is later displayed.

The complete absence of known vulnerabilities is a strong positive, implying a history of relatively secure development or effective patching. However, this cannot entirely mitigate the risks identified in the static analysis. The critical weaknesses lie in the unprotected entry points and the unsanitized data flows. These could be exploited to execute arbitrary code, manipulate data, or compromise user sessions. Therefore, while the plugin has a clean vulnerability history, the current code analysis highlights areas requiring immediate attention to prevent potential security incidents.

Key Concerns

Unprotected AJAX handlers
Flows with unsanitized paths
Low percentage of properly escaped output
Bundled outdated library (TinyMCE v1.0)

Vulnerabilities

None known

TinyMCE Spellcheck Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 16, 2026

TinyMCE Spellcheck Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

3 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

TinyMCE1.0

Output Escaping

20% escaped15 total outputs

Data Flows

2 unsanitized

Data Flow Analysis

3 flows2 with unsanitized paths

TSpell_redirect_call (includes\proxy.php:41)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

3 unprotected

TinyMCE Spellcheck Attack Surface

Entry Points3

Unprotected3

AJAX Handlers 3

authwp_ajax_proxy_atdtinymce-spellcheck.php:266

authwp_ajax_atd_ignoretinymce-spellcheck.php:267

authwp_ajax_atd_settingstinymce-spellcheck.php:268

WordPress Hooks 13

actionadmin_print_scriptsincludes\atd-l10n.php:40

filtermce_external_pluginstinymce-spellcheck.php:76

filtermce_buttonstinymce-spellcheck.php:77

actionpersonal_options_updatetinymce-spellcheck.php:80

actionpersonal_options_updatetinymce-spellcheck.php:81

actionprofile_personal_optionstinymce-spellcheck.php:82

filterwp_fullscreen_buttonstinymce-spellcheck.php:248

filtertiny_mce_before_inittinymce-spellcheck.php:255

actionadmin_print_scriptstinymce-spellcheck.php:258

actionadmin_print_scriptstinymce-spellcheck.php:259

actionadmin_print_stylestinymce-spellcheck.php:260

actioninittinymce-spellcheck.php:263

actionplugins_loadedtinymce-spellcheck.php:274

Maintenance & Trust

TinyMCE Spellcheck Maintenance & Trust

Maintenance Signals

WordPress version tested4.0.38

Last updatedNov 28, 2017

PHP min version

Downloads52K

Community Trust

Rating76/100

Number of ratings12

Active installs3K

Alternatives

TinyMCE Spellcheck Alternatives

WProofreader spell & grammar check plugin for WordPress

webspellchecker

100

WProofreader checks spelling, grammar, and style in real-time while editing in WordPress.

4K No CVEs

Webmaster Spelling Notifications

gourl-spelling-notifications

Plugin allows site visitors to send reports to the webmaster/owner about any spelling or grammatical errors. Spelling checker on your website.

100 No CVEs

Perfect Tense – Spelling and Grammar Checker

perfect-tense

Perfect Tense is an AI-powered, spelling and grammar corrector. Perfect Tense will automatically detect and fix mistakes, proofread entire blog posts, …

100 No CVEs

FLiP – Portuguese Proofing Tools

flip

IMPORTANT: The free version of the plugin only checks the spelling of the texts in the pre 1990 Spelling Reform and doesn’t present any suggestions fo …

90 No CVEs

Qalam Arabic AI Writing Assistant Plugin | Qalam

qalam

Qalam plugin for WordPress adds AI based grammar, spell check, and Tashkeel "Diacritization" capabilities to your website content in Arabic Language.

30 No CVEs

Developer Profile

TinyMCE Spellcheck Developer Profile

Matthew Muro

4 plugins · 23K total installs

trust score

Avg Security Score

84/100

Avg Patch Time

1663 days

View full developer profile

Detection Fingerprints

How We Detect TinyMCE Spellcheck

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/tinymce-spellcheck/js/atd.core.js/wp-content/plugins/tinymce-spellcheck/js/atd-nonvis-editor-plugin.js/wp-content/plugins/tinymce-spellcheck/js/jquery.atd.js/wp-content/plugins/tinymce-spellcheck/js/atd-autoproofread.js/wp-content/plugins/tinymce-spellcheck/css/atd.css

Script Paths

/wp-content/plugins/tinymce-spellcheck/tinymce/plugin.js/wp-content/plugins/tinymce-spellcheck/tinymce/editor_plugin.js

Version Parameters

tinymce-spellcheck/js/atd.core.js?ver=tinymce-spellcheck/js/atd-nonvis-editor-plugin.js?ver=tinymce-spellcheck/js/jquery.atd.js?ver=tinymce-spellcheck/js/atd-autoproofread.js?ver=tinymce-spellcheck/css/atd.css?ver=

HTML / DOM Fingerprints

HTML Comments

Data Attributes

data-atd-autoproofread

JS Globals

AtD.rpcAtD.api_keyAtD.setIgnoreStringsAtD.showTypesAtD.rpc_ignoreTSpell_check_when

REST Endpoints

/wp-json/tinymce-spellcheck/v1/settings

FAQ