Update Message Security & Risk Analysis

wordpress.org/plugins/update-message

Add an update box in posts.

10 active installs · v1.3.7 · PHP + WP 3.0+ · Updated Apr 20, 2016
Tags: message, post, posts, update
Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Update Message Safe to Use in 2026?

Generally Safe

Score 85/100

Update Message has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 9yr ago
Risk Assessment

The "update-message" plugin v1.3.7 exhibits a concerning security posture, primarily because of a large attack surface with many unprotected entry points. Of nine total entry points, eight lack proper authentication checks, making them prime targets for unauthorized access and potential exploits. The presence of the `unserialize` function, a known risk for deserialization vulnerabilities, further elevates concerns, especially when combined with the lack of robust input sanitization and output escaping. The taint analysis did not identify critical or high-severity flows, but all analyzed flows involve unsanitized paths, suggesting a general lack of careful input handling throughout the plugin's code.

The plugin's vulnerability history is clean, with no recorded CVEs, which might suggest a lower likelihood of historically exploited weaknesses. However, this lack of history does not negate the immediate risks identified in the static analysis, particularly the unprotected AJAX handlers and the potential for `unserialize` to be exploited with crafted input. Overall, while the absence of known vulnerabilities is positive, the significant number of unprotected entry points and the risky functions present call for immediate attention.

Key Concerns

  • Unprotected AJAX handlers
  • Use of unserialize function
  • Low percentage of properly escaped output
  • All taint flows with unsanitized paths
  • Low percentage of prepared SQL statements
  • Limited nonce checks
Vulnerabilities
None known

Update Message Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Update Message Code Analysis

Dangerous Functions: 3
Raw SQL Queries: 6 (8 prepared)
Unescaped Output: 272 (12 escaped)
Nonce Checks: 1
Capability Checks: 4
File Operations: 60
External Requests: 2
Bundled Libraries: 0

Dangerous Functions Found

  • unserialize, core\otherplugins.class.php:48: $plugins = unserialize(@file_get_contents(dirname(__FILE__)."/data/SLFramework_OtherPlugins_".date('
  • unserialize, core\otherplugins.class.php:128: $res = unserialize($request['body']);
  • unserialize, core\otherplugins.class.php:176: $res = unserialize($request['body']);

SQL Query Safety

57% prepared · 14 total queries

Output Escaping

4% escaped · 284 total outputs
Data Flows
10 unsanitized

Data Flow Analysis

10 flows · 10 with unsanitized paths
flush (core\admin_table.class.php:170)
Attack Surface
8 unprotected

Update Message Attack Surface

Entry Points: 9
Unprotected: 8

AJAX Handlers 8

  • auth · wp_ajax_translate_add · core.class.php:85
  • auth · wp_ajax_translate_modify · core.class.php:86
  • auth · wp_ajax_translate_create · core.class.php:87
  • auth · wp_ajax_send_translation · core.class.php:88
  • auth · wp_ajax_update_summary · core.class.php:89
  • auth · wp_ajax_del_param · core.class.php:92
  • auth · wp_ajax_add_param · core.class.php:93
  • auth · wp_ajax_send_feedback · core.class.php:96

Shortcodes 1

[maj] update-message.php:43
WordPress Hooks 28
  • action · init · core.class.php:50
  • action · parse_request · core.class.php:51
  • action · admin_menu · core.class.php:53
  • filter · plugin_row_meta · core.class.php:54
  • filter · plugin_action_links · core.class.php:55
  • action · init · core.class.php:56
  • action · init · core.class.php:58
  • action · wp_enqueue_scripts · core.class.php:61
  • action · wp_enqueue_scripts · core.class.php:62
  • action · wp_enqueue_scripts · core.class.php:64
  • action · wp_enqueue_scripts · core.class.php:67
  • action · wp_enqueue_scripts · core.class.php:69
  • action · wp_enqueue_scripts · core.class.php:70
  • action · admin_enqueue_scripts · core.class.php:73
  • action · admin_enqueue_scripts · core.class.php:74
  • action · admin_enqueue_scripts · core.class.php:76
  • action · admin_enqueue_scripts · core.class.php:79
  • action · admin_enqueue_scripts · core.class.php:81
  • action · admin_enqueue_scripts · core.class.php:82
  • filter · the_content · core.class.php:99
  • filter · get_the_excerpt · core.class.php:100
  • filter · get_the_excerpt · core.class.php:101
  • action · activated_plugin · core.class.php:104
  • filter · mce_external_plugins · core.class.php:702
  • filter · mce_buttons · core.class.php:703
  • filter · tiny_mce_version · core.class.php:704
  • action · save_post · update-message.php:41
  • action · admin_menu · update-message.php:42
Maintenance & Trust

Update Message Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.5.33
Last updated: Apr 20, 2016
PHP min version
Downloads: 8K

Community Trust

Rating: 100/100
Number of ratings: 3
Active installs: 10
Developer Profile

Update Message Developer Profile

KaizenCoders

14 plugins · 31K total installs

Trust score: 70
Avg Security Score: 87/100
Avg Patch Time: 153 days
Detection Fingerprints

How We Detect Update Message

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

HTML / DOM Fingerprints

HTML Comments
  • Plugin Name: My Plugin
  • Plugin Tag: tag
  • Description: <p>The description of the plugin on this line. </p>
  • Version: 1.0.0
FAQ

Frequently Asked Questions about Update Message