WP Edit Security & Risk Analysis

wordpress.org/plugins/wp-edit

Take complete control over the WordPress content editor.

40K active installs · v4.0.4 · PHP + WP 3.9+ · Updated Oct 15, 2018
Tags: button, buttons, editor, wp-edit, wpedit
Score: 63 (C · Use Caution)
CVEs total: 1
Unpatched: 1
Last CVE: Jun 27, 2025
Safety Verdict

Is WP Edit Safe to Use in 2026?

Use With Caution

Score 63/100

WP Edit has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE · 1 unpatched · Last CVE: Jun 27, 2025 · Updated 7yr ago
Risk Assessment

The "wp-edit" plugin v4.0.4 presents a mixed security posture. It shows some good practices, with a significant number of nonce and capability checks and no external HTTP requests or file operations identified in the static analysis, but there are notable areas of concern. The use of `create_function`, a dangerous function, is a red flag, as it can be a source of vulnerabilities if not handled with extreme care. The taint analysis also reveals two flows with unsanitized paths; although neither is flagged as critical or high severity in this instance, they indicate potential avenues for malicious input to reach sensitive parts of the application. SQL query practices are moderately concerning: 57% of queries do not use prepared statements, which increases the risk of SQL injection.

The plugin's vulnerability history is a significant concern. One known medium-severity CVE is currently unpatched, and the history of Cross-site Scripting vulnerabilities indicates a pattern of introducing, or failing to address, input sanitization issues. That the most recent vulnerability is so recent (2025-06-27) and remains unpatched suggests an ongoing security maintenance problem. Although the attack surface is currently reported as having no unprotected entry points, the combination of these code-level issues and the unpatched vulnerability warrants caution. The low percentage of properly escaped output (11%) is particularly worrying and correlates strongly with the historical XSS vulnerabilities.

In conclusion, while the plugin has some strengths in its structured use of security checks, the identified dangerous function, the unsanitized taint flows, the high proportion of unescaped output and, critically, the unpatched vulnerability collectively point to a moderate to high risk. The unpatched CVE is a critical indicator of potential exploitation. Recommendations focus on immediate patching of known vulnerabilities and a thorough review and remediation of output escaping and input sanitization practices.

Key Concerns

  • Unpatched CVE (medium severity)
  • Flows with unsanitized paths (2)
  • Dangerous function detected (create_function)
  • SQL queries not using prepared statements (57%)
  • Low percentage of properly escaped output (11%)
  • History of XSS vulnerabilities
Vulnerabilities (1)

WP Edit Security Vulnerabilities

CVEs by Year

2025: 1 CVE · unpatched

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2025-53253 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Edit <= 4.0.4 - Authenticated (Administrator+) Stored Cross-Site Scripting

Jun 27, 2025 · Unpatched
Code Analysis
Analyzed Mar 16, 2026

WP Edit Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 4 (3 prepared)
Unescaped Output: 87 (11 escaped)
Nonce Checks: 12
Capability Checks: 4
File Operations: 1
External Requests: 0
Bundled Libraries: 1

Dangerous Functions Found

create_function · includes\functions.php:772

    add_filter( 'wp_default_editor', create_function('', 'return "tmce";') );

create_function() builds the callback by evaluating a string of PHP at runtime; it was deprecated in PHP 7.2 and removed in PHP 8.0, so this line also fails outright on current PHP. The body here is a constant string, so an equivalent static callback returning "tmce" would remove the dangerous call without changing behaviour.

Bundled Libraries

TinyMCE

SQL Query Safety

43% prepared · 7 total queries

Output Escaping

11% escaped · 98 total outputs
Data Flows (2 unsanitized)

Data Flow Analysis

5 flows · 2 with unsanitized paths
wp_edit_user_specific_init (includes\functions.php:681)
Attack Surface

WP Edit Attack Surface

Entry Points: 24
Unprotected: 0

Shortcodes (24)

[break] includes\functions.php:131
[one_third] includes\functions.php:302
[one_third_last] includes\functions.php:304
[two_third] includes\functions.php:306
[two_third_last] includes\functions.php:308
[one_half] includes\functions.php:310
[one_half_last] includes\functions.php:312
[one_fourth] includes\functions.php:314
[one_fourth_last] includes\functions.php:316
[three_fourth] includes\functions.php:318
[three_fourth_last] includes\functions.php:320
[one_fifth] includes\functions.php:322
[one_fifth_last] includes\functions.php:324
[two_fifth] includes\functions.php:326
[two_fifth_last] includes\functions.php:328
[three_fifth] includes\functions.php:330
[three_fifth_last] includes\functions.php:332
[four_fifth] includes\functions.php:334
[four_fifth_last] includes\functions.php:336
[one_sixth] includes\functions.php:338
[one_sixth_last] includes\functions.php:340
[five_sixth] includes\functions.php:342
[five_sixth_last] includes\functions.php:344
[signoff] includes\functions.php:672
WordPress Hooks (77)
action · admin_bar_menu · includes\functions.php:20
action · admin_bar_init · includes\functions.php:22
filter · widget_text · includes\functions.php:137
filter · the_excerpt · includes\functions.php:143
action · admin_init · includes\functions.php:153
action · init · includes\functions.php:175
action · admin_init · includes\functions.php:180
action · admin_init · includes\functions.php:206
action · show_user_profile · includes\functions.php:254
action · edit_user_profile · includes\functions.php:255
action · admin_head · includes\functions.php:276
filter · enter_title_here · includes\functions.php:295
action · wp_print_styles · includes\functions.php:351
action · admin_init · includes\functions.php:365
action · admin_init · includes\functions.php:366
action · add_meta_boxes · includes\functions.php:367
action · save_post · includes\functions.php:368
action · the_post · includes\functions.php:369
action · loop_end · includes\functions.php:370
filter · post_class · includes\functions.php:372
action · post_submitbox_misc_actions · includes\functions.php:465
filter · the_content · includes\functions.php:507
filter · the_excerpt · includes\functions.php:510
filter · the_content · includes\functions.php:517
filter · the_excerpt · includes\functions.php:520
filter · wp_revisions_to_keep · includes\functions.php:547
filter · wp_revisions_to_keep · includes\functions.php:560
action · pre_get_posts · includes\functions.php:577
action · pre_get_posts · includes\functions.php:594
filter · bbp_after_get_the_content_parse_args · includes\functions.php:614
filter · bbp_kses_allowed_tags · includes\functions.php:652
filter · manage_posts_columns · includes\functions.php:693
filter · manage_pages_columns · includes\functions.php:694
action · manage_posts_custom_column · includes\functions.php:700
action · manage_pages_custom_column · includes\functions.php:701
action · after_theme_setup · includes\functions.php:720
filter · manage_posts_columns · includes\functions.php:740
action · manage_posts_custom_column · includes\functions.php:741
filter · manage_pages_columns · includes\functions.php:744
action · manage_pages_custom_column · includes\functions.php:745
filter · admin_head · includes\functions.php:757
filter · wp_default_editor · includes\functions.php:767
filter · wp_default_editor · includes\functions.php:772
action · wp_dashboard_setup · includes\functions.php:779
action · admin_head · includes\functions.php:858
action · init · includes\functions.php:862
filter · tiny_mce_before_init · includes\style_formats.php:4
action · plugins_loaded · main.php:107
action · admin_init · main.php:111
action · admin_menu · main.php:113
action · admin_init · main.php:114
action · admin_init · main.php:115
action · admin_init · main.php:116
action · admin_enqueue_scripts · main.php:118
action · before_wp_tiny_mce · main.php:120
filter · tiny_mce_before_init · main.php:121
action · init · main.php:122
filter · format_for_editor · main.php:124
action · admin_footer · main.php:130
action · admin_notices · main.php:272
action · admin_notices · main.php:307
action · admin_notices · main.php:2049
action · admin_notices · main.php:2101
action · admin_notices · main.php:2182
action · admin_notices · main.php:2260
action · admin_notices · main.php:2295
action · admin_notices · main.php:2348
action · admin_notices · main.php:2412
action · admin_notices · main.php:2435
action · admin_notices · main.php:2468
action · admin_notices · main.php:2497
action · admin_notices · main.php:2542
filter · mce_external_plugins · main.php:2884
filter · mce_buttons · main.php:2891
filter · mce_buttons_2 · main.php:2892
action · admin_enqueue_scripts · main.php:3170
action · admin_print_footer_scripts · main.php:3177
Maintenance & Trust

WP Edit Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.9.29
Last updated: Oct 15, 2018
PHP min version:
Downloads: 1.6M

Community Trust

Rating: 80/100
Number of ratings: 160
Active installs: 40K
Developer Profile

WP Edit Developer Profile

Josh

5 plugins · 41K total installs

Trust score: 81
Avg Security Score: 81/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect WP Edit

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-edit/admin/assets/css/wp-edit.css
/wp-content/plugins/wp-edit/admin/assets/js/wp-edit.js
Version Parameters
wp-edit/admin/assets/css/wp-edit.css?ver=
wp-edit/admin/assets/js/wp-edit.js?ver=

HTML / DOM Fingerprints

CSS Classes
wp-edit-wrap
HTML Comments
<!-- Begin WP Edit Plugin -->
<!-- End WP Edit Plugin -->
JS Globals
wp_edit_script_vars
FAQ

Frequently Asked Questions about WP Edit