VR-Frases Security & Risk Analysis

wordpress.org/plugins/vr-frases

Organize and display quotes with author management, classification, and search functionality. Includes widgets, shortcodes, and import/export features …

40 active installs · v4.1.0 · PHP 7.2+ · WP 5.5+ · Updated Oct 17, 2025
Tags: citas, citations, frases, quotes, random
98 · A · Safe
CVEs total: 3
Unpatched: 0
Last CVE: Jan 29, 2025
Safety Verdict

Is VR-Frases Safe to Use in 2026?

Generally Safe

Score 98/100

VR-Frases has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEs · Last CVE: Jan 29, 2025 · Updated 5mo ago
Risk Assessment

The 'vr-frases' v4.1.0 plugin has a mixed security posture. It escapes a high percentage of its outputs and uses prepared statements for a majority of its SQL queries, but there are notable areas of concern. The taint analysis found a significant number of flows with unsanitized paths, including three of high severity, which indicates potential vulnerabilities from improper input handling. The plugin also has a history of three medium-severity vulnerabilities, specifically SQL Injection and Cross-Site Scripting, with the last recorded in early 2025. There are currently no unpatched CVEs, but this historical pattern suggests that the plugin's developers may struggle to sanitize user input consistently. The large number of AJAX handlers, even with authorization checks present, contributes to a broad attack surface.

Key Concerns

  • High severity unsanitized taint flows
  • Medium severity historical vulnerabilities
  • Significant number of unsanitized path flows
  • Bundled outdated library (Select2)
Vulnerabilities
3

VR-Frases Security Vulnerabilities

CVEs by Year

3 CVEs in 2025

Severity Breakdown

Medium: 3

3 total CVEs

CVE-2025-0860 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

VR-Frases (collect & share quotes) <= 3.0.1 - Reflected Cross-Site Scripting

Jan 29, 2025 · Patched in 4.0 (176d)

CVE-2025-0861 · medium · 4.9 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

VR-Frases (collect & share quotes) <= 3.0.1 - Authenticated (Admin+) SQL Injection

Jan 29, 2025 · Patched in 4.0 (176d)

CVE-2024-13626 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

VR Frases <= 3.0.1 - Reflected Cross-Site Scripting

Jan 27, 2025 · Patched in 4.0 (179d)

Code Analysis
Analyzed Mar 16, 2026

VR-Frases Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 43 (152 prepared)
Unescaped Output: 43 (674 escaped)
Nonce Checks: 25
Capability Checks: 17
File Operations: 6
External Requests: 1
Bundled Libraries: 1

Bundled Libraries

Select2

SQL Query Safety

78% prepared · 195 total queries

Output Escaping

94% escaped · 717 total outputs

Data Flows
7 unsanitized

Data Flow Analysis

17 flows · 7 with unsanitized paths
vr_frases_display_imported_data (admin\vr-frases-import.php:399)
Attack Surface

VR-Frases Attack Surface

Entry Points: 22
Unprotected: 0

AJAX Handlers 18

auth wp_ajax_get_autor_data admin\vr-frases-autores.php:584
auth wp_ajax_vrfr_add_autor admin\vr-frases-autores.php:741
auth wp_ajax_vr_frases_quick_edit_autores admin\vr-frases-autores.php:827
auth wp_ajax_vrfr_add_clase admin\vr-frases-clases.php:336
auth wp_ajax_vr_frases_quick_edit_clases admin\vr-frases-clases.php:394
auth wp_ajax_vrfr_add_frase admin\vr-frases-frases.php:648
auth wp_ajax_vr_frases_quick_edit_frases admin\vr-frases-frases.php:731
auth wp_ajax_vr_frases_get_frase_data admin\vr-frases-frases.php:791
auth wp_ajax_vr_frases_save_frase_data admin\vr-frases-frases.php:910
auth wp_ajax_vr_frases_delete_item admin\vr-frases-functions-ajax.php:88
auth wp_ajax_vr_frases_delete_multiple_items admin\vr-frases-functions-ajax.php:163
auth wp_ajax_vr_frases_delete_item admin\vr-frases-functions-ajax.php:175
auth wp_ajax_vr_frases_delete_multiple_items admin\vr-frases-functions-ajax.php:176
auth wp_ajax_search_wikipedia admin\vr-frases-functions-ajax.php:344
auth wp_ajax_vr_frases_import_files admin\vr-frases-import.php:345
auth wp_ajax_vr_frases_save_import admin\vr-frases-import.php:715
auth wp_ajax_vrfr_add_tema admin\vr-frases-temas.php:347
auth wp_ajax_vr_frases_quick_edit_temas admin\vr-frases-temas.php:405

Shortcodes 4

[vrfrases] admin\vr-frases-shortcodes.php:32
[randomfrase] admin\vr-frases-shortcodes.php:46
[frasescount] admin\vr-frases-shortcodes.php:60
[autorescount] admin\vr-frases-shortcodes.php:74

WordPress Hooks 19

action init admin\vr-frases-functions-ajax.php:178
action admin_post_vr_frases_exportar_csv admin\vr-frases-import.php:780
action admin_notices admin\vr-frases-options.php:70
action wp_enqueue_scripts admin\vr-frases-template.php:462
action wp_enqueue_scripts admin\vr-frases-template.php:483
action widgets_init admin\vr-frases-widgets.php:52
action wp_dashboard_setup admin\vr-frases-widgets.php:73
action plugins_loaded includes\vr-frases-activation.php:140
action init includes\vr-frases-activation.php:175
action admin_init includes\vr-frases-database.php:647
action admin_notices includes\vr-frases-database.php:708
action vr_frases_after_upgrade includes\vr-frases-database.php:749
action admin_enqueue_scripts includes\vr-frases-enqueue.php:75
action admin_enqueue_scripts includes\vr-frases-enqueue.php:271
action wp_enqueue_scripts includes\vr-frases-enqueue.php:344
action admin_init includes\vr-frases-loader.php:72
action admin_menu includes\vr-frases-menu.php:123
filter plugin_action_links includes\vr-frases-menu.php:155
action admin_notices vr-frases.php:53

Maintenance & Trust

VR-Frases Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Oct 17, 2025
PHP min version: 7.2
Downloads: 9K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 40

Developer Profile

VR-Frases Developer Profile

Vicente Ruiz Gálvez

2 plugins · 120 total installs

Trust score: 73
Avg Security Score: 92/100
Avg Patch Time: 177 days
Detection Fingerprints

How We Detect VR-Frases

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/vr-frases/css/vr-frases-frontend.css
/wp-content/plugins/vr-frases/css/vr-frases-admin.css
/wp-content/plugins/vr-frases/js/vr-frases-frontend.js

Version Parameters
vr-frases/css/vr-frases-frontend.css?ver=
vr-frases/css/vr-frases-admin.css?ver=
vr-frases/js/vr-frases-frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
vr_frases_preferences_bar
vr_frases_search_input
vr_frases_quote_card
vr_frases_author_info
vr_frases_pagination

HTML Comments
<!-- VR-Frases Frontend Template Engine and Display System -->
<!-- Main template orchestrator with preference management -->
<!-- Preferences bar with style and display customization -->
<!-- Search interface with advanced filtering capabilities -->
+3 more

Data Attributes
data-vr-frases-style
data-vr-frases-font-size
data-vr-frases-num-inputs

JS Globals
window.vr_frases_localize

Shortcode Output
<div id="vr_frases_frontend_wrapper">
<div class="vr_frases_preferences_bar">
<div class="vr_frases_search_bar">
<div class="vr_frases_quote_grid">

FAQ

Frequently Asked Questions about VR-Frases