Does WebFinger have any unpatched vulnerabilities?

No. All known vulnerabilities in WebFinger have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is WebFinger compatible with WordPress 6.9.4?

According to WordPress.org data, WebFinger 4.0.1 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

How often is WebFinger updated?

WebFinger was last updated on Dec 16, 2025. Frequent updates are generally a positive security signal.

What is WebFinger's security score?

WebFinger has a WP-Safety security score of 100/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

WebFinger Security & Risk Analysis

wordpress.org/plugins/webfinger

WebFinger for WordPress

1K active installs v4.0.1 PHP + WP 4.2+ Updated Dec 16, 2025

activitypubdiscoveryjrdostatuswebfinger

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is WebFinger Safe to Use in 2026?

Generally Safe

Score 100/100

WebFinger has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 3mo ago

Risk Assessment

The WebFinger plugin v4.0.1 exhibits a mixed security posture. The static analysis reveals a commendably small attack surface with zero identified entry points, which is a strong indicator of good security design. Furthermore, all SQL queries utilize prepared statements, mitigating the risk of SQL injection. The complete absence of known CVEs and vulnerability history suggests a historically stable and well-maintained plugin.

However, a significant concern arises from the complete lack of output escaping. With 10 total outputs analyzed and 0% properly escaped, this indicates a high risk of cross-site scripting (XSS) vulnerabilities. Any dynamic data rendered by this plugin without proper sanitization or escaping could be exploited by attackers to inject malicious scripts. The absence of nonce checks and capability checks, while not directly posing an immediate risk without identified entry points, would become critical vulnerabilities if any new entry points were introduced or if existing ones were overlooked in the static analysis.

Key Concerns

100% of outputs are not escaped
No nonce checks found
No capability checks found

Vulnerabilities

None known

WebFinger Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 16, 2026

WebFinger Code Analysis

Dangerous Functions

Raw SQL Queries

3 prepared

Unescaped Output

0 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

100% prepared3 total queries

Output Escaping

0% escaped10 total outputs

Attack Surface

WebFinger Attack Surface

Entry Points0

Unprotected0

Maintenance & Trust

WebFinger Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedDec 16, 2025

PHP min version

Downloads21K

Community Trust

Rating74/100

Number of ratings3

Active installs1K

Alternatives

WebFinger Alternatives

host-meta

100

host-meta for WordPress!

80 No CVEs

NodeInfo(2)

nodeinfo

100

NodeInfo and NodeInfo2 for WordPress!

1K No CVEs

Nostr Verify

nostr-verify

Verify yourself with Nostr, using NIP-05

60 No CVEs

ActivityPub

activitypub

Connect your site to the Open Social Web and let millions of users follow, share, and interact with your content from Mastodon, Pixelfed, and more.

6K 5 CVEs

Taboola

taboola

100

Use the Taboola plugin to generate revenue from native ads and drive engagement with editorial content.

3K 1 CVE

Developer Profile

WebFinger Developer Profile

Matthias Pfefferle

8 plugins · 3K total installs

trust score

Avg Security Score

98/100

Avg Patch Time

321 days

View full developer profile

Detection Fingerprints

How We Detect WebFinger

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

HTML / DOM Fingerprints

Data Attributes

webfinger_profile_noncewebfinger_resource

FAQ