Does Visual Link Preview have any unpatched vulnerabilities?

No. All known vulnerabilities in Visual Link Preview have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Visual Link Preview compatible with WordPress 6.9.4?

According to WordPress.org data, Visual Link Preview 2.3.0 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

How often is Visual Link Preview updated?

Visual Link Preview was last updated on Jan 19, 2026. Frequent updates are generally a positive security signal.

What is Visual Link Preview's security score?

Visual Link Preview has a WP-Safety security score of 96/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Visual Link Preview Security & Risk Analysis

wordpress.org/plugins/visual-link-preview

Display a fully customizable visual link preview for any internal or external link.

10K active installs v2.3.0 PHP + WP 4.4+ Updated Jan 19, 2026

link-previewsnippetsummaryvisual-link

A · Safe

CVEs total3

Unpatched0

Last CVEJan 18, 2026

Plugin page Download

Safety Verdict

Is Visual Link Preview Safe to Use in 2026?

Generally Safe

Score 96/100

Visual Link Preview has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEsLast CVE: Jan 18, 2026Updated 2mo ago

Risk Assessment

The static analysis of the 'visual-link-preview' plugin v2.3.0 reveals a generally good security posture, with no immediately apparent critical vulnerabilities in the current code. The plugin demonstrates strong adherence to secure coding practices by utilizing prepared statements for all SQL queries and implementing nonce and capability checks on all identified AJAX handlers and REST API routes. The absence of dangerous functions and file operations further contributes to its robust defense.

However, the plugin's vulnerability history presents a significant concern. With three previously discovered medium-severity CVEs, primarily related to missing authorization and basic XSS, there's a clear pattern of past weaknesses that could resurface. While there are currently no unpatched vulnerabilities, the existence of past issues indicates a need for continued vigilance and thorough auditing of future updates. The 70% output escaping rate, while not critically low, leaves room for improvement and represents a potential, albeit minor, avenue for certain types of injection attacks if not properly managed.

In conclusion, 'visual-link-preview' v2.3.0 has implemented several key security best practices, particularly regarding data handling and access control. Nevertheless, its past vulnerability record necessitates a cautious approach. The plugin is recommended for use with the understanding that ongoing monitoring and prompt patching of any new vulnerabilities are essential to maintain a secure environment.

Key Concerns

Past medium severity CVEs for missing authorization/XSS
Output escaping at 70%

Vulnerabilities

Visual Link Preview Security Vulnerabilities

CVEs by Year

1 CVE in 2021

2021

1 CVE in 2025

2025

1 CVE in 2026

2026

Patched Has unpatched

Severity Breakdown

Medium

3 total CVEs

CVE-2026-24984medium · 4.3Missing Authorization

Visual Link Preview <= 2.2.9 - Missing Authorization

Jan 18, 2026 Patched in 2.3.0 (24d)

CVE-2025-11987medium · 6.4Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Visual Link Preview <= 2.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via visual-link-preview Shortcode

Nov 4, 2025 Patched in 2.2.8 (1d)

CVE-2021-24635medium · 5.4Improper Access Control

Visual Link Preview <= 2.2.2 - Unauthorised AJAX Calls

Aug 18, 2021 Patched in 2.2.3 (888d)

Code Analysis

Analyzed Mar 16, 2026

Visual Link Preview Code Analysis

Dangerous Functions

Raw SQL Queries

7 prepared

Unescaped Output

42 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

TinyMCE

SQL Query Safety

100% prepared7 total queries

Output Escaping

70% escaped60 total outputs

Attack Surface

Visual Link Preview Attack Surface

Entry Points11

Unprotected0

AJAX Handlers 5

authwp_ajax_vlp_search_postsincludes\admin\modal\class-vlp-modal.php:30

authwp_ajax_vlp_save_imageincludes\admin\modal\class-vlp-modal.php:31

authwp_ajax_vlp_get_post_contentincludes\admin\modal\class-vlp-modal.php:32

authwp_ajax_vlp_get_url_contentincludes\admin\modal\class-vlp-modal.php:33

authwp_ajax_vlp_get_templateincludes\public\class-vlp-template-manager.php:47

REST API Routes 5

GET/wp-json/visual-link-preview/v1/searchincludes\public\api\class-vlp-api-block.php:38

GET/wp-json/visual-link-preview/v1/templateincludes\public\api\class-vlp-api-template.php:38

POST/wp-json/visual-link-preview/v1/templateincludes\public\api\class-vlp-api-template.php:43

DELETE/wp-json/visual-link-preview/v1/templateincludes\public\api\class-vlp-api-template.php:48

POST/wp-json/visual-link-preview/v1/template/previewincludes\public\api\class-vlp-api-template.php:53

Shortcodes 1

[visual-link-preview] includes\public\class-vlp-shortcode.php:31

WordPress Hooks 23

actionadmin_enqueue_scriptsincludes\admin\class-vlp-assets.php:28

actionenqueue_block_editor_assetsincludes\admin\class-vlp-assets.php:29

actioninitincludes\admin\modal\class-vlp-button.php:28

filtermce_external_pluginsincludes\admin\modal\class-vlp-button.php:37

filtermce_buttonsincludes\admin\modal\class-vlp-button.php:38

actionadmin_footerincludes\admin\modal\class-vlp-modal.php:28

filtermce_external_pluginsincludes\admin\modal\class-vlp-shortcode-preview.php:28

actioninitincludes\class-vlp-i18n.php:31

actionrest_api_initincludes\public\api\class-vlp-api-block.php:28

actionrest_api_initincludes\public\api\class-vlp-api-template.php:28

actionelementor/editor/before_enqueue_scriptsincludes\public\class-vlp-compatibility.php:29

actionelementor/controls/registerincludes\public\class-vlp-compatibility.php:30

actionelementor/preview/enqueue_stylesincludes\public\class-vlp-compatibility.php:31

actionelementor/widgets/registerincludes\public\class-vlp-compatibility.php:32

actionelementor/elements/categories_registeredincludes\public\class-vlp-compatibility.php:33

actionwp_loadedincludes\public\class-vlp-settings.php:21

actionadmin_footer-settings_page_bv_settings_vlpincludes\public\class-vlp-settings.php:40

filterplugin_action_links_visual-link-preview/visual-link-preview.phpincludes\public\class-vlp-settings.php:41

actionadmin_noticesincludes\public\class-vlp-settings.php:42

actionwp_enqueue_scriptsincludes\public\class-vlp-shortcode.php:28

actioninitincludes\public\class-vlp-shortcode.php:29

actionadmin_menuincludes\public\class-vlp-template-editor.php:27

actionwp_footerincludes\public\class-vlp-template-manager.php:45

Maintenance & Trust

Visual Link Preview Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedJan 19, 2026

PHP min version

Downloads159K

Community Trust

Rating90/100

Number of ratings36

Active installs10K

Alternatives

Visual Link Preview Alternatives

WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager

insert-headers-and-footers

Easily add code snippets in WordPress. Insert header & footer scripts, add PHP code snippets with conditional logic, insert ads pixel code, and more.

3.0M 3 CVEs

Code Snippets

code-snippets

An easy, clean and simple way to enhance your site with code snippets.

1.0M 7 CVEs

Header Footer Code Manager

header-footer-code-manager

Easily add tracking code snippets, conversion pixels, or other scripts required by third party services for analytics, marketing, or chat features.

600K 4 CVEs

Insert PHP Code Snippet

insert-php-code-snippet

Add PHP code to your pages and posts easily using shortcodes.

100K 3 CVEs

Schema & Structured Data for WP & AMP

schema-and-structured-data-for-wp

Schema & Structured Data adds Google Rich Snippets markup according to Schema.org guidelines to structure your site for SEO.

100K 10 CVEs

Developer Profile

Visual Link Preview Developer Profile

Brecht

6 plugins · 79K total installs

trust score

Avg Security Score

97/100

Avg Patch Time

104 days

View full developer profile

Detection Fingerprints

How We Detect Visual Link Preview

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/visual-link-preview/dist/admin-template.css/wp-content/plugins/visual-link-preview/dist/admin-template.js/wp-content/plugins/visual-link-preview/dist/admin.css/wp-content/plugins/visual-link-preview/dist/admin.js/wp-content/plugins/visual-link-preview/dist/blocks.js/wp-content/plugins/visual-link-preview/dist/blocks.css/wp-content/plugins/visual-link-preview/assets/js/other/elementor.js

Script Paths

/wp-content/plugins/visual-link-preview/dist/admin-template.js/wp-content/plugins/visual-link-preview/dist/admin.js/wp-content/plugins/visual-link-preview/dist/blocks.js/wp-content/plugins/visual-link-preview/assets/js/other/elementor.js

Version Parameters

visual-link-preview/dist/admin-template.css?ver=visual-link-preview/dist/admin-template.js?ver=visual-link-preview/dist/admin.css?ver=visual-link-preview/dist/admin.js?ver=visual-link-preview/dist/blocks.js?ver=visual-link-preview/dist/blocks.css?ver=visual-link-preview/assets/js/other/elementor.js?ver=

HTML / DOM Fingerprints

CSS Classes

vlp-template-editorvlp-admin-templatevlp-adminvlp-blocksvlp-elementor-control

Data Attributes

data-vlp-template

JS Globals

vlp_adminvlp_blocks

REST Endpoints

/visual-link-preview/v1/template

FAQ