Does Wordless have any unpatched vulnerabilities?

No published vulnerabilities and no findings under coordinated disclosure as of the latest data update. Always keep the plugin updated to the latest version.

Is Wordless compatible with WordPress 6.2.9?

According to WordPress.org data, Wordless 6.0.3 has been tested up to WordPress 6.2.9. Check the plugin's changelog for the latest compatibility information.

How often is Wordless updated?

Wordless was last updated on Apr 28, 2023. Frequent updates are generally a positive security signal.

What is Wordless's security score?

Wordless has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Wordless Security & Risk Analysis

wordpress.org/plugins/wordless

Wordless is a junction between a WordPress plugin and a theme boilerplate that dramatically speeds up and enhances your custom theme creation.

100 active installs v6.0.3 PHP + WP 5.5.1+ Updated Apr 28, 2023

npmpugscsswebpackyarn

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is Wordless Safe to Use in 2026?

Generally Safe

Score 85/100

Wordless has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 3yr ago

Risk Assessment

The static analysis of the "wordless" v6.0.3 plugin reveals a generally strong security posture, with no identified entry points like AJAX handlers, REST API routes, or shortcodes that are exposed without authentication. The plugin also demonstrates good practice by using prepared statements for all SQL queries and performing a significant number of file operations. However, the analysis does flag a concern regarding output escaping, with only 50% of identified outputs being properly escaped. This indicates a potential for cross-site scripting (XSS) vulnerabilities if user-supplied data is not adequately sanitized before being displayed.

The lack of any recorded vulnerabilities or CVEs in the plugin's history is a positive indicator, suggesting a history of secure development and maintenance. The absence of any identified taint flows further supports this, implying that data is not being passed through the system in an unsanitized manner that could lead to exploitable conditions. Despite these strengths, the partially unescaped output remains a point of caution. The plugin benefits from a clean record and robust SQL handling, but the output escaping deficiency requires attention to mitigate potential XSS risks.

Key Concerns

50% of outputs not properly escaped

Vulnerabilities

None known

Wordless Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Version History

Wordless Release Timeline

v6.0.3Current

v6.0.2

v6.0.1

v5.1.2

v5.1.1

v5.1.0

v5.0.0

v5.0.0-beta

v4.1.0

v4.0.0

v3.0.1

v3.0.0

v2.3.2

v2.3.1

v2.3.0

v2.2.13

v2.2.12

v2.2.11

v2.2.10

v2.2.3

Code Analysis

Analyzed Mar 16, 2026

Wordless Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

3 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

TinyMCE

Output Escaping

50% escaped6 total outputs

Attack Surface

Wordless Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 12

actionacf/initwordless\theme_builder\vanilla_theme\config\initializers\custom_gutenberg_acf_blocks.php:48

actioninitwordless\theme_builder\vanilla_theme\config\initializers\custom_post_types.php:21

actioninitwordless\theme_builder\vanilla_theme\config\initializers\custom_post_types.php:22

actionwp_enqueue_scriptswordless\theme_builder\vanilla_theme\config\initializers\default_hooks.php:10

actionwp_enqueue_scriptswordless\theme_builder\vanilla_theme\config\initializers\default_hooks.php:20

actionafter_setup_themewordless\theme_builder\vanilla_theme\config\initializers\default_hooks.php:29

actioninitwordless\theme_builder\vanilla_theme\config\initializers\menus.php:16

actioninitwordless\theme_builder\vanilla_theme\config\initializers\shortcodes.php:23

actionphpmailer_initwordless\theme_builder\vanilla_theme\config\initializers\smtp.php:3

actionafter_setup_themewordless\theme_builder\vanilla_theme\config\initializers\thumbnail_sizes.php:19

actionafter_setup_themewordless\theme_builder\vanilla_theme\config\initializers\thumbnail_sizes.php:20

actioninitwordless\wordless.php:84

Maintenance & Trust

Wordless Maintenance & Trust

Maintenance Signals

WordPress version tested6.2.9

Last updatedApr 28, 2023

PHP min version

Downloads9K

Community Trust

Rating0/100

Number of ratings0

Active installs100

Alternatives

Wordless Alternatives

WP-SCSS

wp-scss

100

Compiles .scss files to .css and enqueues them.

40K No CVEs

WP-LESS

wp-less

Implementation of LESS (Leaner CSS) in order to make themes development easier.

10K 1 CVE

CodeKit – Custom Codes Editor

custom-codes

100

Your custom SASS, CSS, JS, PHP and HTML customizations in same directory.

4K No CVEs

Instant CSS

instant-css

Write your styles beautifully with the power of Visual Studio Code

4K 2 CVEs

SCSS WP Editor

scss-wp-editor

Easily Add, Compile and Optimize your SCSS to CSS within WordPress Admin.

1K 1 unpatched

Developer Profile

Wordless Developer Profile

welaika

3 plugins · 130 total installs

trust score

Avg Security Score

85/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect Wordless

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/wordless/theme_builder/vanilla_theme/public/css/main.css/wp-content/plugins/wordless/theme_builder/vanilla_theme/public/js/main.js

Script Paths

/wp-content/plugins/wordless/theme_builder/vanilla_theme/public/js/main.js

HTML / DOM Fingerprints

HTML Comments

+6 more

FAQ