Textmetrics Security & Risk Analysis

wordpress.org/plugins/webtexttool

Textmetrics is the easiest way to create SEO proof content to rank higher and get more traffic. Realtime optimization, keyword research and more.

500 active installs · v3.6.5 · PHP + · WP 3.5+ · Updated Mar 12, 2026
content-analysis, keyword-analysis, readability, seo-optimization, writing-assistance

Score: 74 (B · Generally Safe)
CVEs total: 3
Unpatched: 1
Last CVE: Jan 21, 2026

Safety Verdict

Is Textmetrics Safe to Use in 2026?

Mostly Safe

Score 74/100

Textmetrics is generally safe to use. 3 past CVEs were resolved. Keep it updated.

3 known CVEs · 1 unpatched · Last CVE: Jan 21, 2026 · Updated 22d ago

Risk Assessment

The webtexttool plugin v3.6.5 presents a mixed security posture. While the use of prepared statements for all SQL queries and the absence of dangerous functions are positive signs, significant concerns arise from its attack surface and historical vulnerabilities. The plugin exposes 11 AJAX handlers, all of which lack authentication checks, creating a substantial entry point for unauthenticated attackers. This is further exacerbated by the fact that there are 14 nonce checks but only 8 capability checks, indicating a potential imbalance in how different types of access are being validated.

The vulnerability history reveals a pattern of medium severity issues including Code Injection, Cross-site Scripting, and Missing Authorization. The presence of three known CVEs, with one currently unpatched, is a significant concern. The most recent vulnerability was in 2026, which is an unusual date for a historical vulnerability; assuming this is a typo and it refers to a past event, it still highlights a recurring security debt. The absence of critical or high severity taint flows suggests that currently, there are no obvious severe vulnerabilities in the analyzed code paths, but this does not mitigate the risks posed by the exposed AJAX endpoints and past unpatched issues.

In conclusion, while the plugin demonstrates good practices in database interaction and avoids certain dangerous functions, the unauthenticated AJAX endpoints and a history of medium-severity vulnerabilities, including an unpatched one, make it a notable security risk. The focus on capability checks is positive but insufficient if authorization is not robustly implemented on all entry points, especially the 11 unprotected AJAX handlers.

Key Concerns

  • Unprotected AJAX handlers
  • Unpatched CVE
  • Missing authorization on AJAX handlers
  • Medium severity vulnerability history (3 CVEs)
  • Lower percentage of properly escaped output

Vulnerabilities: 3

Textmetrics Security Vulnerabilities

CVEs by Year

2025: 2 CVEs
2026: 1 CVE · unpatched

Severity Breakdown

Medium: 3

3 total CVEs

CVE-2026-24564 · medium · 5.4 · Improper Control of Generation of Code ('Code Injection')

Textmetrics <= 3.6.3 - Authenticated (Subscriber+) Arbitrary Shortcode Execution

Jan 21, 2026 · Unpatched

CVE-2025-46229 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Textmetrics <= 3.6.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Apr 22, 2025 · Patched in 3.6.3 (9d)

CVE-2025-30824 · medium · 4.3 · Missing Authorization

Textmetrics <= 3.6.1 - Missing Authorization

Mar 27, 2025 · Patched in 3.6.2 (7d)

Code Analysis
Analyzed Mar 16, 2026

Textmetrics Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (8 prepared)
Unescaped Output: 90 (165 escaped)
Nonce Checks: 14
Capability Checks: 8
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared · 8 total queries

Output Escaping

65% escaped · 255 total outputs

Data Flows: All sanitized

Data Flow Analysis

6 flows
webtexttool_ajax (admin\class-webtexttool-admin.php:504)

Attack Surface: 11 unprotected

Textmetrics Attack Surface

Entry Points: 11
Unprotected: 11

AJAX Handlers: 11

auth · wp_ajax_webtexttool · includes\class-webtexttool.php:130
auth · wp_ajax_webtexttool_doctypes · includes\class-webtexttool.php:131
auth · wp_ajax_webtexttool_dismiss_wtt_notice · includes\class-webtexttool.php:154
auth · wp_ajax_webtexttool_save_page_data · includes\class-webtexttool.php:187
auth · wp_ajax_webtexttool_convert_divi_shortcodes · includes\class-webtexttool.php:188
auth · wp_ajax_webtexttool_search_posts · includes\class-webtexttool.php:189
auth · wp_ajax_webtexttool_convert_shortcodes · includes\class-webtexttool.php:190
auth · wp_ajax_webtexttool_do_blocks · includes\class-webtexttool.php:191
auth · wp_ajax_webtexttool_tve_editor_content · includes\class-webtexttool.php:192
auth · wp_ajax_webtexttool_content_quality_suggestions · includes\class-webtexttool.php:193
auth · wp_ajax_webtexttool_content_quality_settings · includes\class-webtexttool.php:194

WordPress Hooks: 31

filter · the_content · core\class-webtexttool-core.php:917
action · after_setup_theme · includes\class-webtexttool.php:58
action · plugins_loaded · includes\class-webtexttool.php:112
action · admin_menu · includes\class-webtexttool.php:128
action · admin_enqueue_scripts · includes\class-webtexttool.php:133
action · admin_enqueue_scripts · includes\class-webtexttool.php:134
action · admin_init · includes\class-webtexttool.php:136
action · admin_enqueue_scripts · includes\class-webtexttool.php:138
action · init · includes\class-webtexttool.php:140
action · init · includes\class-webtexttool.php:141
action · init · includes\class-webtexttool.php:144
action · admin_init · includes\class-webtexttool.php:147
action · admin_init · includes\class-webtexttool.php:148
action · admin_notices · includes\class-webtexttool.php:151
action · admin_enqueue_scripts · includes\class-webtexttool.php:168
action · admin_enqueue_scripts · includes\class-webtexttool.php:169
action · add_meta_boxes · includes\class-webtexttool.php:172
action · add_meta_boxes · includes\class-webtexttool.php:173
action · edit_form_after_title · includes\class-webtexttool.php:176
action · admin_init · includes\class-webtexttool.php:179
action · save_post · includes\class-webtexttool.php:182
action · edit_attachment · includes\class-webtexttool.php:183
action · add_attachment · includes\class-webtexttool.php:184
action · rwmb_enqueue_scripts · includes\class-webtexttool.php:195
action · wp_head · includes\class-webtexttool.php:210
filter · pre_get_document_title · includes\class-webtexttool.php:214
filter · wp_title · includes\class-webtexttool.php:215
action · save_post · includes\class-webtexttool.php:219
action · save_post · includes\class-webtexttool.php:221
action · tm_save_structured_data · includes\class-webtexttool.php:222
action · plugins_loaded · includes\class-webtexttool.php:235

Maintenance & Trust

Textmetrics Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 12, 2026
PHP min version
Downloads: 77K

Community Trust

Rating: 86/100
Number of ratings: 7
Active installs: 500

Developer Profile

Textmetrics Developer Profile

Israpil

1 plugin · 500 total installs

Trust score: 76
Avg Security Score: 74/100
Avg Patch Time: 8 days
Detection Fingerprints

How We Detect Textmetrics

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/webtexttool/css/style.css
/wp-content/plugins/webtexttool/js/wtt-admin-script.js
/wp-content/plugins/webtexttool/js/wtt-public-script.js
/wp-content/plugins/webtexttool/css/wtt-admin.css

Script Paths
/wp-content/plugins/webtexttool/js/wtt-admin-script.js
/wp-content/plugins/webtexttool/js/wtt-public-script.js

Version Parameters
webtexttool/css/style.css?ver=
webtexttool/js/wtt-admin-script.js?ver=
webtexttool/js/wtt-public-script.js?ver=
webtexttool/css/wtt-admin.css?ver=

HTML / DOM Fingerprints

CSS Classes
wtt-admin-page
wtt-settings-page
wtt-social-page
wtt-tools-page

HTML Comments
<!-- If this file is called directly, abort. -->
<!-- The code that runs during plugin activation. -->
<!-- The code that runs during plugin deactivation. -->
<!-- The core plugin class that is used to define internationalization, admin-specific hooks, and core specific hooks. -->
+6 more

Data Attributes
wtt_manage_options_capability
data-wtt-plugin-name
data-wtt-plugin-version

JS Globals
Webtexttool

FAQ

Frequently Asked Questions about Textmetrics