Does Wave have any unpatched vulnerabilities?

No published vulnerabilities and no findings under coordinated disclosure as of the latest data update. Always keep the plugin updated to the latest version.

Is Wave compatible with WordPress 4.9.29?

According to WordPress.org data, Wave 1.1.1 has been tested up to WordPress 4.9.29. Check the plugin's changelog for the latest compatibility information.

Is Wave compatible with PHP 7.0.15+?

Wave requires PHP 7.0.15 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Wave updated?

Wave was last updated on Apr 15, 2019. Frequent updates are generally a positive security signal.

What is Wave's security score?

Wave has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Wave Security & Risk Analysis

wordpress.org/plugins/wave-for-wp

Wave by Codox enables teams to real-time co-edit and co-iterate posts directly in your WordPress site.

0 active installs v1.1.1 PHP 7.0.15+ WP 3.7+ Updated Apr 15, 2019

co-editingcollaborationcollaborative-editingreal-timerealtime

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is Wave Safe to Use in 2026?

Generally Safe

Score 85/100

Wave has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 7yr ago

Risk Assessment

The plugin "wave-for-wp" v1.1.1 exhibits a mixed security posture. On the positive side, it demonstrates good practices in handling SQL queries, exclusively using prepared statements, and has no recorded vulnerability history (CVEs), suggesting a generally stable and secure codebase over time. The absence of file operations and external HTTP requests further reduces potential attack vectors.

However, significant concerns arise from the static analysis. The presence of one unprotected AJAX handler represents a direct entry point into the plugin without any authentication or authorization checks, which is a critical security oversight. Additionally, the use of the `create_function` is a known security risk, as it can be exploited for code injection if user-supplied data is not meticulously sanitized before being passed to it. While no critical taint flows were detected, this specific dangerous function usage bypasses the typical taint analysis reporting and requires manual scrutiny.

Overall, while the lack of historical vulnerabilities is reassuring, the identified immediate risks, particularly the unprotected AJAX endpoint and the `create_function` usage, necessitate immediate attention. The plugin's attack surface is small, but the unprotected entry point is a significant weakness that could be exploited. Addressing these points would greatly improve the plugin's security.

Key Concerns

Unprotected AJAX handler
Use of dangerous function (create_function)
Unescaped output present

Vulnerabilities

None known

Wave Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Version History

Wave Release Timeline

v1.1.1Current

v1.0.6

v1.0.5

v1.0.4

Code Analysis

Analyzed Apr 16, 2026

Wave Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

2 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Dangerous Functions Found

create_functionadd_filter( 'wp_default_editor', create_function('', 'return "tinymce";') );php/wave.php:55

Bundled Libraries

TinyMCE

Output Escaping

67% escaped3 total outputs

Attack Surface

1 unprotected

Wave Attack Surface

Entry Points1

Unprotected1

AJAX Handlers 1

authwp_ajax_save_wave_apikeyphp/options.php:25

WordPress Hooks 25

actionadmin_menuphp/options.php:23

actionadmin_initphp/options.php:24

filterplugin_action_linksphp/wave.php:22

actionactivated_pluginphp/wave.php:24

actionadmin_noticesphp/wave.php:26

actionadmin_head-edit.phpphp/wave.php:29

filterpost_row_actionsphp/wave.php:30

filterpage_row_actionsphp/wave.php:31

filterbulk_actions-edit-postphp/wave.php:32

filterbulk_actions-edit-pagephp/wave.php:33

actionadmin_head-post.phpphp/wave.php:36

actionbefore_delete_postphp/wave.php:38

actionload-post.phpphp/wave.php:40

actionload-edit.phpphp/wave.php:41

actionadmin_print_scriptsphp/wave.php:43

actionadmin_print_stylesphp/wave.php:44

filtertiny_mce_before_initphp/wave.php:49

filtertiny_mce_before_initphp/wave.php:50

filtertiny_mce_before_initphp/wave.php:51

actionafter_wp_tiny_mcephp/wave.php:52

actionafter_wp_tiny_mcephp/wave.php:53

filterwp_default_editorphp/wave.php:55

filterget_sample_permalink_htmlphp/wave.php:58

filtershow_post_locked_dialogphp/wave.php:373

filterwp_check_post_lock_windowphp/wave.php:374

Maintenance & Trust

Wave Maintenance & Trust

Maintenance Signals

WordPress version tested4.9.29

Last updatedApr 15, 2019

PHP min version7.0.15

Downloads1K

Community Trust

Rating0/100

Number of ratings0

Active installs0

Alternatives

Wave Alternatives

Participad

participad

Realtime collaborative editing for WordPress content, powered by Etherpad Lite.

10 No CVEs

heatmap for WordPress – Realtime analytics

heatmap-for-wp

Real-time analytics and event tracking for your WordPress sites.

1K No CVEs

Docs

docs

100

Create and share documents with WordPress!

50 No CVEs

Realtime Comments

realtime-comments

Accepted comments from users are added to pages in real-time, without need to refresh. Makes comments section work interactively, like a chatroom.

10 No CVEs

WordSocket

wordsocket

100

WordSocket is the official WordPress plugin for WPSignal (wpsignal.io), a third-party WebSocket/SSE delivery service.

0 No CVEs

Developer Profile

Wave Developer Profile

sundayfanz

10 plugins · 2K total installs

trust score

Avg Security Score

89/100

Avg Patch Time

1 days

View full developer profile

Detection Fingerprints

How We Detect Wave

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/wave-for-wp/assets

Script Paths

https://app.codox.io/plugins/wave.client.jshttps://cdn1.codox.io/lib/css/wave.client.csshttps://cdn2.codox.io/wordpressplugin/js/options.jshttps://cdn2.codox.io/wordpressplugin/js/templates.js

HTML / DOM Fingerprints

Data Attributes

data-wp-learn-more

JS Globals

wp_vars

REST Endpoints

/wp-json/wave-wp/v1/settings

FAQ

Wave Security & Risk Analysis

Is Wave Safe to Use in 2026?

Generally Safe

Key Concerns

Wave Security Vulnerabilities

Wave Release Timeline

Wave Code Analysis

Dangerous Functions Found

Bundled Libraries

Output Escaping

Wave Attack Surface

AJAX Handlers 1

Wave Maintenance & Trust

Maintenance Signals

Community Trust

Wave Alternatives

Participad

heatmap for WordPress – Realtime analytics

Docs

Realtime Comments

WordSocket

Wave Developer Profile

How We Detect Wave

Asset Fingerprints

HTML / DOM Fingerprints

Frequently Asked Questions about Wave