TTC User Comments Security & Risk Analysis

wordpress.org/plugins/ttc-user-comment-count

This plugin creates a page under 'Manage'. On this page is two lists, one for users who've registered and never commented.

10 active installs v2.21 PHP + WP 2.5+ Updated May 24, 2008
commentsdatelast-commentregistrationusers
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Safety Verdict

Is TTC User Comments Safe to Use in 2026?

Generally Safe

Score 85/100

TTC User Comments has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 18yr ago
Risk Assessment

The ttcm-user-comment-count plugin version 2.21 exhibits a generally good security posture from a static analysis perspective, with no identified critical or high-severity vulnerabilities in taint analysis and a clean vulnerability history. The plugin demonstrates strong adherence to secure coding practices by utilizing prepared statements for all its SQL queries and not making any external HTTP requests. However, there are significant concerns regarding output escaping, with 100% of the identified outputs not being properly escaped. This could potentially lead to cross-site scripting (XSS) vulnerabilities if user-supplied data is incorporated into these outputs without sanitization.

While the attack surface is zero, which is commendable, the complete lack of capability checks and nonce checks, combined with the unescaped outputs, presents a notable risk. The absence of these fundamental security mechanisms means that even if no direct vulnerabilities are immediately apparent in the static analysis, there's a higher susceptibility to exploitation if an attacker can manipulate inputs that lead to unescaped output. The plugin's history of no recorded vulnerabilities is a positive indicator, but it does not negate the risks identified in the current code analysis, particularly concerning output sanitization and authorization.

Key Concerns

  • Unescaped output detected
  • Missing nonce checks
  • Missing capability checks
Vulnerabilities
None known

TTC User Comments Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

TTC User Comments Release Timeline

No version history available.
Code Analysis
Analyzed Apr 16, 2026

TTC User Comments Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
2 prepared
Unescaped Output
2
0 escaped
Nonce Checks
0
Capability Checks
0
File Operations
1
External Requests
0
Bundled Libraries
0

SQL Query Safety

100% prepared2 total queries

Output Escaping

0% escaped2 total outputs
Attack Surface

TTC User Comments Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 1
actionadmin_menuttc_user_comments.php:15
Maintenance & Trust

TTC User Comments Maintenance & Trust

Maintenance Signals

WordPress version tested2.5.1
Last updatedMay 24, 2008
PHP min version
Downloads2K

Community Trust

Rating0/100
Number of ratings0
Active installs10
Developer Profile

TTC User Comments Developer Profile

ljmacphee

6 plugins · 80 total installs

84
trust score
Avg Security Score
85/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect TTC User Comments

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

HTML / DOM Fingerprints

FAQ

Frequently Asked Questions about TTC User Comments