URL Replace Security & Risk Analysis

wordpress.org/plugins/url-replace

A lightweight and powerful plugin to search and replace old URLs with new ones in your WordPress database.

70 active installs · v1.0 · PHP 7.0+ · WP 5.0+ · Updated May 20, 2025
Tags: database-urls, search-and-replace, update-links, url-migration, wordpress-migration
Score: 100 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is URL Replace Safe to Use in 2026?

Generally Safe

Score 100/100

URL Replace has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 10mo ago
Risk Assessment

The "url-replace" plugin v1.0 exhibits a generally strong security posture based on the provided static analysis. The absence of any identified vulnerabilities in its history, coupled with the code signals, indicates good development practices. Specifically, the 100% proper output escaping and the use of prepared statements for a significant portion of SQL queries are commendable. The plugin also implements nonce checks, which is a positive sign for security.

However, the complete lack of capability checks is a notable concern. While the attack surface appears minimal with no exposed AJAX handlers, REST API routes, shortcodes, or cron events without authentication, the absence of capability checks means that any authenticated user, regardless of their role, could potentially interact with plugin functionality if any were to be exposed in future versions or through indirect means. The taint analysis showing no unsanitized paths is reassuring, but the zero capability checks leave a potential loophole that could be exploited if further attack vectors are discovered or introduced.

In conclusion, "url-replace" v1.0 appears secure against common vulnerability types and has a clean vulnerability history. Its strengths lie in its minimal attack surface, proper output handling, and the presence of nonce checks. The primary weakness is the complete absence of capability checks, which, while not currently exploited due to the limited attack surface, represents a risk for future extensibility and broader security. This suggests a need for developers to consider role-based access control for any plugin functionalities.

Key Concerns

  • No capability checks implemented
Vulnerabilities
None known

URL Replace Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

URL Replace Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (3 prepared)
Unescaped Output: 0 (11 escaped)
Nonce Checks: 1
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

75% prepared (4 total queries)

Output Escaping

100% escaped (11 total outputs)
Data Flows
All sanitized

Data Flow Analysis

2 flows
url_replace_page (admin-page.php:15)
[Data flow diagram. Legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized]
Attack Surface

URL Replace Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 1
action: admin_menu (admin-page.php:13)
Maintenance & Trust

URL Replace Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: May 20, 2025
PHP min version: 7.0
Downloads: 667

Community Trust

Rating: 100/100
Number of ratings: 2
Active installs: 70
Developer Profile

URL Replace Developer Profile

Vipul Bokarvadiya

1 plugin · 70 total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect URL Replace

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/url-replace/admin.css
/wp-content/plugins/url-replace/admin.js
Script Paths
/wp-content/plugins/url-replace/admin.js
Version Parameters
url-replace/admin.css?ver=
url-replace/admin.js?ver=

HTML / DOM Fingerprints
