Webmention Security & Risk Analysis

wordpress.org/plugins/webmention

Enable conversation across the web.

900 active installs · v5.6.2 · PHP 7.2+ · WP 6.2+ · Updated Jan 1, 2026

Tags: indieweb, linkback, pingback, trackback, webmention

Score: 100
Grade: A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Mar 8, 2023
Safety Verdict

Is Webmention Safe to Use in 2026?

Generally Safe

Score 100/100

Webmention has one recorded CVE, a medium-severity reflected XSS, and no unpatched vulnerabilities. The fix for that issue shipped in 4.0.9; by this page's own figure the patch time was 321 days, so the record is clean rather than fast.

1 known CVE · Last CVE: Mar 8, 2023 · Updated 3mo ago
Risk Assessment

The 'webmention' plugin, version 5.6.2, presents a mixed security posture. It avoids dangerous functions and file operations and mostly uses prepared statements for SQL (8 of 10 queries). Two REST API routes are registered without permission callbacks, and only 42% of output sites (27 of 65) are escaped, leaving a substantial share exposed to cross-site scripting (XSS). The plugin's one recorded CVE is a medium-severity Improper Neutralization of Input During Web Page Generation (reflected XSS), which matches the output-escaping finding and points to a recurring XSS risk.

One caveat on the REST finding: a Webmention receiving endpoint is unauthenticated by design. The W3C Webmention protocol requires a receiver to accept POST requests from any sender and to establish trust by validating the source and target URLs and fetching the source to confirm that it really links to the target, so the missing permission callback on /wp-json/webmention/1.0/endpoint is expected and the verification logic behind it is where review effort belongs. The /wp-json/webmention/1.0/parse route has no such protocol justification. This scan does not report what that route accepts; if it fetches caller-supplied URLs, it also needs server-side request forgery safeguards.

Overall, the plugin's security is weakened by the lack of authorization checks on its REST API endpoints and by incomplete output escaping. The absence of critical taint flows and of unpatched critical or high severity CVEs is positive, but the identified weaknesses are plausible entry points. Given the past XSS vulnerability, users should treat unescaped output and unauthenticated routes as the areas to review first.

Key Concerns

  • REST API routes without permission callbacks
  • Low percentage of properly escaped output
  • No nonce checks on entry points
  • Past medium severity CVE (XSS)
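To make the REST caveat concrete, here is an added Python illustration (not code from the Webmention plugin) of what an unauthenticated receiving endpoint must enforce on its own, following the W3C Webmention protocol: source and target must be absolute http(s) URLs, they must differ, target must belong to this site, the source host must not be a loopback or private address, and the fetched source page must actually link to target. It also shows the output-side step the escaping counts are about: escaping remote-supplied values at the HTML sink. SITE_HOST, the injected fetch(url) callable and the sample pages are assumptions constructed for the example.

```python
"""Receiver-side checks for an unauthenticated Webmention endpoint.

Added illustration, not code from the Webmention plugin. SITE_HOST, the
fetch(url) callable and SAMPLE_PAGES are assumptions for the example.
"""
import html
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

SITE_HOST = "example.com"  # assumed: the hostname this receiver serves


class _LinkCollector(HTMLParser):
    """Collects href values of <a> and <link> tags in a fetched source page."""

    def __init__(self):
        super().__init__()
        self.hrefs = set()

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "link"):
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.add(value.strip())


def normalize_url(url):
    """Canonical form for comparisons; None unless an absolute http(s) URL."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port
    except ValueError:  # malformed IPv6 literal or port
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.lower()
    if port and port not in (80, 443):
        host = f"{host}:{port}"
    return urlunsplit((parts.scheme, host, parts.path or "/", parts.query, ""))


def host_is_public(url):
    """SSRF guard for the source fetch: reject loopback/private IP literals.
    DNS is not modelled; a real receiver must also check the resolved address."""
    host = urlsplit(url).hostname or ""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:  # a hostname, not an IP literal
        return host != "localhost"


def receive_webmention(source, target, fetch):
    """Validate one webmention. fetch(url) -> (status_code, body) is injected.
    Returns (accepted, reason)."""
    src, tgt = normalize_url(source), normalize_url(target)
    if src is None or tgt is None:
        return False, "source and target must be absolute http(s) URLs"
    if src == tgt:
        return False, "source must differ from target"
    if urlsplit(tgt).hostname != SITE_HOST:
        return False, "target is not on this site"
    if not host_is_public(src):
        return False, "source host is not publicly routable"
    status, body = fetch(src)
    if status == 410:
        return False, "source is gone; delete any stored mention"
    if status != 200:
        return False, f"source fetch returned {status}"
    collector = _LinkCollector()
    collector.feed(body)
    links = {normalize_url(h) for h in collector.hrefs} - {None}
    if tgt not in links:
        return False, "source does not link to target"
    return True, "verified"


def render_mention_html(author_name, source_url):
    """Escape remote-supplied values at the output sink; this is the step the
    unescaped-output counts in the code analysis are about."""
    return '<a class="webmention-comment" href="{}">{}</a>'.format(
        html.escape(source_url, quote=True), html.escape(author_name))


# Constructed sample pages standing in for real fetches of remote sources.
SAMPLE_PAGES = {
    "https://blog.example.net/reply": (200, '<html><body><p>Replying to '
        '<a href="https://example.com/post/1#respond">this post</a>.</p>'
        '<script>alert(1)</script></body></html>'),
    "https://blog.example.net/unrelated": (200,
        '<html><body><a href="https://other.example.org/">elsewhere</a></body></html>'),
    "https://blog.example.net/deleted": (410, ""),
}


def fake_fetch(url):
    return SAMPLE_PAGES.get(url, (404, ""))


if __name__ == "__main__":
    target = "https://example.com/post/1"
    for src in list(SAMPLE_PAGES) + ["http://127.0.0.1/admin", target]:
        print(src, receive_webmention(src, target, fake_fetch))
    print(render_mention_html("<img src=x onerror=alert(1)>", "https://blog.example.net/reply"))
```

The point of the structure is that trust comes from the verification, not from who sent the request: a permission callback would not help here, but skipping the link check, the same-site check on target, or the private-address guard on source would each hand an anonymous caller something useful (comment injection, spam against arbitrary targets, or an internal-network fetch).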
Vulnerabilities
1

Webmention Security Vulnerabilities

CVEs by Year

2023: 1 CVE (patched)

Severity Breakdown

Medium: 1 (1 total CVE)

WF-3d12d692-231b-4e15-a119-80fd74566af4-webmention · Medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Webmention <= 4.0.8 - Reflected Cross-Site Scripting via 'replytocom'

Mar 8, 2023 · Patched in 4.0.9 (321 days)
Code Analysis
Analyzed Mar 16, 2026

Webmention Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 2 (8 prepared)
  • Unescaped Output: 38 (27 escaped)
  • Nonce Checks: 0
  • Capability Checks: 2
  • File Operations: 0
  • External Requests: 5
  • Bundled Libraries: 0

SQL Query Safety

80% prepared (10 total queries)

Output Escaping

42% escaped (65 total outputs)
Attack Surface
2 unprotected

Webmention Attack Surface

Entry Points: 2
Unprotected: 2

REST API Routes (2)

  • GET /wp-json/webmention/1.0/endpoint (includes\class-receiver.php:172)
  • GET /wp-json/webmention/1.0/parse (includes\class-tools.php:41)
WordPress Hooks (47)

  • action comment_post (includes\class-avatar-store.php:16)
  • action edit_comment (includes\class-avatar-store.php:17)
  • filter pre_get_avatar_data (includes\class-avatar.php:15)
  • filter get_avatar_comment_types (includes\class-avatar.php:19)
  • filter wp_list_comments_args (includes\class-comment-walker.php:17)
  • action pre_get_comments (includes\class-comment-walker.php:21)
  • action comment_form_before (includes\class-comment-walker.php:24)
  • action comment_form_comments_closed (includes\class-comment-walker.php:25)
  • filter comment_text (includes\class-comment-walker.php:112)
  • filter query_vars (includes\class-comment.php:17)
  • filter template_include (includes\class-comment.php:20)
  • filter get_comment_link (includes\class-comment.php:22)
  • filter get_default_comment_status (includes\class-comment.php:25)
  • action comment_form_after (includes\class-comment.php:27)
  • action comment_form_comments_closed (includes\class-comment.php:28)
  • action wp_head (includes\class-discovery.php:17)
  • action template_redirect (includes\class-discovery.php:18)
  • filter host_meta (includes\class-discovery.php:19)
  • filter webfinger_user_data (includes\class-discovery.php:20)
  • filter webfinger_post_data (includes\class-discovery.php:21)
  • filter nodeinfo_data (includes\class-discovery.php:23)
  • filter nodeinfo2_data (includes\class-discovery.php:24)
  • action template_redirect (includes\class-http-gone.php:17)
  • action rest_api_init (includes\class-receiver.php:25)
  • filter rest_pre_serve_request (includes\class-receiver.php:27)
  • filter duplicate_comment_id (includes\class-receiver.php:29)
  • filter webmention_comment_data (includes\class-receiver.php:32)
  • filter webmention_comment_data (includes\class-receiver.php:33)
  • filter webmention_comment_data (includes\class-receiver.php:36)
  • filter pre_comment_approved (includes\class-receiver.php:38)
  • action webmention_data_error (includes\class-receiver.php:41)
  • action webmention_process_schedule (includes\class-receiver.php:44)
  • filter pre_comment_content (includes\class-receiver.php:447)
  • filter pre_comment_content (includes\class-receiver.php:449)
  • action check_comment_flood (includes\class-receiver.php:480)
  • action send_webmention (includes\class-sender.php:20)
  • action do_pings (includes\class-sender.php:23)
  • action wp_trash_post (includes\class-sender.php:33)
  • action untrash_post (includes\class-sender.php:34)
  • action comment_post (includes\class-sender.php:36)
  • action webmention_delete (includes\class-sender.php:39)
  • filter pre_get_posts (includes\class-sender.php:383)
  • action admin_menu (includes\class-tools.php:19)
  • action rest_api_init (includes\class-tools.php:20)
  • action init (includes\class-upgrade.php:19)
  • filter webmention_comment_data (includes\class-vouch.php:19)
  • filter http_request_args (includes\debug.php:17)

Scheduled Events (4)

  • webmention_process_schedule
  • do_pings
  • webmention_delete
  • do_pings
Maintenance & Trust

Webmention Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 1, 2026
PHP min version: 7.2
Downloads: 59K

Community Trust

Rating: 100/100
Number of ratings: 8
Active installs: 900
Developer Profile

Webmention Developer Profile

Matthias Pfefferle

8 plugins · 3K total installs

Trust score: 78
Avg Security Score: 98/100
Avg Patch Time: 321 days
Detection Fingerprints

How We Detect Webmention

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/webmention/build/editor-plugin/plugin.js
/wp-content/plugins/webmention/css/webmention-admin.css
/wp-content/plugins/webmention/css/webmention-public.css
Script Paths
/wp-content/plugins/webmention/js/webmention.js
Version Parameters
webmention/css/webmention-admin.css?ver=
webmention/css/webmention-public.css?ver=
webmention/js/webmention.js?ver=
webmention/build/editor-plugin/plugin.js?ver=

HTML / DOM Fingerprints

CSS Classes
webmention, webmention-post, webmention-comment
Data Attributes
data-webmention-target, data-webmention-id
JS Globals
Webmention
REST Endpoints
/wp-json/webmention/1.0/
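As an added example (not the page's own crawler), the following Python detector applies the fingerprints listed above to a fetched page: it matches the asset and script paths, recovers the version from the ?ver= parameter, checks for the CSS classes and data attributes, and finds the REST endpoint through Webmention endpoint discovery (an HTTP Link header or a <link rel="webmention">), which is how the /wp-json/webmention/1.0/ prefix surfaces on a live site. The sample document and headers are constructed for the example; nothing is fetched.

```python
"""Fingerprinting the Webmention plugin from a fetched page.

Added example, not the page's own detection tooling. SAMPLE_HTML and
SAMPLE_HEADERS are constructed inputs standing in for a crawled site.
"""
import re
from html.parser import HTMLParser

PLUGIN_PREFIX = "/wp-content/plugins/webmention/"
ASSET_PATHS = (
    PLUGIN_PREFIX + "build/editor-plugin/plugin.js",
    PLUGIN_PREFIX + "css/webmention-admin.css",
    PLUGIN_PREFIX + "css/webmention-public.css",
    PLUGIN_PREFIX + "js/webmention.js",
)
CSS_CLASSES = {"webmention", "webmention-post", "webmention-comment"}
DATA_ATTRS = {"data-webmention-target", "data-webmention-id"}
REST_PREFIX = "/wp-json/webmention/1.0/"


class _Collector(HTMLParser):
    """Gathers src/href values, class names, data-* attribute names and <link rel> pairs."""

    def __init__(self):
        super().__init__()
        self.urls, self.rel_links = [], []
        self.classes, self.attrs = set(), set()

    def handle_starttag(self, tag, attrs):
        d = dict(attrs)
        for key in ("src", "href"):
            if d.get(key):
                self.urls.append(d[key])
        if d.get("class"):
            self.classes.update(d["class"].split())
        self.attrs.update(k for k in d if k.startswith("data-"))
        if tag == "link" and d.get("rel") and d.get("href"):
            self.rel_links.append((d["rel"].lower(), d["href"]))


def fingerprint(html_text, headers=None):
    """Return the evidence found for the plugin in one page plus its response headers."""
    headers = headers or {}
    c = _Collector()
    c.feed(html_text)
    found = {"assets": [], "versions": set()}
    for url in c.urls:
        path, _, query = url.partition("?")
        for asset in ASSET_PATHS:
            if path.endswith(asset):
                found["assets"].append(asset)
                m = re.search(r"(?:^|&)ver=([^&]+)", query)
                if m:
                    found["versions"].add(m.group(1))
    found["css_classes"] = c.classes & CSS_CLASSES
    found["data_attrs"] = c.attrs & DATA_ATTRS
    # Endpoint discovery as the Webmention spec defines it: an HTTP Link header
    # or a <link rel="webmention">; the href then reveals the plugin's REST prefix.
    candidates = [href for rel, href in c.rel_links if "webmention" in rel.split()]
    candidates += re.findall(r'<([^>]+)>;\s*rel="?webmention"?', headers.get("Link", ""))
    found["rest_endpoint"] = next((h for h in candidates if REST_PREFIX in h), None)
    found["detected"] = bool(found["assets"] or found["css_classes"]
                             or found["data_attrs"] or found["rest_endpoint"])
    return found


# Constructed page and headers resembling a site with the plugin active.
SAMPLE_HTML = """<!doctype html><html><head>
<link rel="stylesheet" href="https://example.com/wp-content/plugins/webmention/css/webmention-public.css?ver=5.6.2">
<link rel="webmention" href="https://example.com/wp-json/webmention/1.0/endpoint">
<script src="https://example.com/wp-content/plugins/webmention/js/webmention.js?ver=5.6.2"></script>
</head><body>
<article class="post webmention-post" data-webmention-target="https://example.com/post/1">
<div class="comment webmention-comment" data-webmention-id="42">reply</div>
</article></body></html>"""
SAMPLE_HEADERS = {"Link": '<https://example.com/wp-json/webmention/1.0/endpoint>; rel="webmention"'}

if __name__ == "__main__":
    for key, value in fingerprint(SAMPLE_HTML, SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

Treat the ?ver= value as a hint rather than proof of the plugin version: WordPress appends its own core version to enqueued assets whose handle was registered without one, so the value should be cross-checked against the vulnerability table above before concluding that a site is on a version at or below 4.0.8.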
FAQ

Frequently Asked Questions about Webmention