Word Balloon Security & Risk Analysis

wordpress.org/plugins/word-balloon

Support for Block editor (Gutenberg) & Classic Editor. You can easily add speech balloons to your post.

10K active installs · v4.23.1 · PHP 5.3+ · WP 3.9.3+ · Updated Jan 7, 2026
Tags: balloon, bubble, chat, comic, speech

Score: 97 (A · Safe)
CVEs total: 3
Unpatched: 0
Last CVE: Jun 19, 2024
Safety Verdict

Is Word Balloon Safe to Use in 2026?

Generally Safe

Score 97/100

Word Balloon has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEs · Last CVE: Jun 19, 2024 · Updated 2mo ago
Risk Assessment

The 'word-balloon' plugin v4.23.1 exhibits a mixed security posture. On the positive side, the plugin demonstrates good practices in output escaping, with 96% of outputs properly handled, and a strong emphasis on nonce checks and capability checks, indicating an awareness of common WordPress security vulnerabilities. The absence of file operations and external HTTP requests further mitigates certain risk vectors. However, the presence of one unprotected AJAX handler represents a significant concern, as it could be exploited by unauthenticated users to trigger plugin functionality. Additionally, the vulnerability history of this plugin is a notable weakness, with three past CVEs, including one high-severity vulnerability related to Remote File Inclusion. This history, coupled with the current unprotected entry point, suggests a recurring pattern of security oversight that requires attention.

Key Concerns

  • Unprotected AJAX handler detected
  • Past high severity vulnerability (RFI)
  • Past medium severity vulnerabilities (CSRF, XSS)
  • SQL queries partially un-prepared
  • Taint flows with unsanitized paths
Vulnerabilities: 3

Word Balloon Security Vulnerabilities

CVEs by Year

2022: 1 CVE
2023: 1 CVE
2024: 1 CVE

Severity Breakdown

High: 1
Medium: 2
Total: 3 CVEs

CVE-2024-35781 · high · 8.8 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Word Balloon <= 4.21.1 - Authenticated (Contributor+) Local File Inclusion

Jun 19, 2024 · Patched in 4.22.0 (20d)

CVE-2023-5884 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Word Balloon <= 4.20.2 - Cross-Site Request Forgery

Nov 13, 2023 · Patched in 4.20.3 (71d)

CVE-2022-4751 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Word Balloon <= 4.19.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Dec 28, 2022 · Patched in 4.19.3 (391d)
Code Analysis
Analyzed Mar 16, 2026

Word Balloon Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 4 (3 prepared)
Unescaped Output: 12 (276 escaped)
Nonce Checks: 6
Capability Checks: 9
File Operations: 0
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

TinyMCE

SQL Query Safety

43% prepared (7 total queries)

Output Escaping

96% escaped (288 total outputs)

Data Flows: 2 unsanitized

Data Flow Analysis

6 flows, 2 with unsanitized paths
word_balloon_usage_environment (inc\admin\edit\admin_usage_environment.php:4)
Attack Surface: 1 unprotected

Word Balloon Attack Surface

Entry Points: 8
Unprotected: 1

AJAX Handlers: 2

auth · wp_ajax_word_balloon_nonce_action_center · inc\admin.php:42
auth · wp_ajax_word_balloon_call_ajax · inc\admin.php:568

Shortcodes: 6

[word_balloon] inc\admin.php:347
[word_balloon_wallpaper] inc\admin.php:349
[word_balloon_side_by_side] inc\admin.php:351
[word_balloon] inc\shortcode.php:11
[word_balloon_wallpaper] inc\shortcode.php:19
[word_balloon_side_by_side] inc\shortcode.php:27
WordPress Hooks: 22

action · admin_footer · inc\admin\admin_enqueue.php:168
action · admin_print_footer_scripts · inc\admin\admin_enqueue.php:177
action · admin_print_footer_scripts · inc\admin\admin_enqueue.php:180
action · admin_menu · inc\admin.php:20
action · enqueue_block_editor_assets · inc\admin.php:85
action · admin_enqueue_scripts · inc\admin.php:90
filter · mce_buttons · inc\admin.php:101
filter · mce_external_plugins · inc\admin.php:102
action · admin_init · inc\admin.php:105
action · admin_print_footer_scripts · inc\admin.php:148
action · enqueue_block_editor_assets · inc\admin.php:223
filter · tiny_mce_before_init · inc\admin.php:232
filter · plugin_action_links · inc\admin.php:245
action · plugins_loaded · inc\admin.php:334
action · plugins_loaded · inc\admin.php:340
action · customize_controls_enqueue_scripts · inc\admin.php:571
action · customize_controls_print_scripts · inc\admin.php:576
action · customize_register · inc\admin.php:583
filter · the_posts · inc\enqueue.php:166
filter · the_content · inc\enqueue.php:168
action · wp_enqueue_scripts · inc\enqueue.php:169
filter · the_content · inc\shortcode.php:41
Maintenance & Trust

Word Balloon Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 7, 2026
PHP min version: 5.3
Downloads: 365K

Community Trust

Rating: 100/100
Number of ratings: 8
Active installs: 10K
Developer Profile

Word Balloon Developer Profile

YAHMAN

5 plugins · 72K total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 161 days
Detection Fingerprints

How We Detect Word Balloon

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/word-balloon/css/word_balloon_user.min.css
/wp-content/plugins/word-balloon/js/word_balloon_block.min.js
Script Paths
/wp-content/plugins/word-balloon/js/word_balloon_block.min.js
Version Parameters
word-balloon/css/word_balloon_user.min.css?ver=
word-balloon/js/word_balloon_block.min.js?ver=

HTML / DOM Fingerprints

Data Attributes
data-word-balloon-block
JS Globals
word_balloon_block_balloon, word_balloon_block_icon, word_balloon_block_icon_position, word_balloon_block_effect, word_balloon_block_filter, word_balloon_block_in_view (+4 more)
FAQ

Frequently Asked Questions about Word Balloon