Does WP Feature Disable have any unpatched vulnerabilities?

No published vulnerabilities and no findings under coordinated disclosure as of the latest data update. Always keep the plugin updated to the latest version.

Is WP Feature Disable compatible with WordPress 2.8.6?

According to WordPress.org data, WP Feature Disable 1.0 has been tested up to WordPress 2.8.6. Check the plugin's changelog for the latest compatibility information.

How often is WP Feature Disable updated?

WP Feature Disable was last updated on Nov 26, 2009. Frequent updates are generally a positive security signal.

What is WP Feature Disable's security score?

WP Feature Disable has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

WP Feature Disable Security & Risk Analysis

wordpress.org/plugins/wp-feature-disable

Disables a collection of WordPress features that can help your blog run more efficiently and smoother.

70 active installs v1.0 PHP + WP 2.8+ Updated Nov 26, 2009

disablefunctions

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is WP Feature Disable Safe to Use in 2026?

Generally Safe

Score 85/100

WP Feature Disable has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 16yr ago

Risk Assessment

The "wp-feature-disable" v1.0 plugin exhibits a mixed security posture. On the positive side, it has a very small attack surface with no detected AJAX handlers, REST API routes, shortcodes, or cron events, and importantly, none of these entry points are left unprotected. The plugin also demonstrates good practices by using prepared statements for all SQL queries and makes no external HTTP requests or file operations. However, significant concerns arise from the use of the `create_function` dangerous function, which can be a vector for code injection if user-supplied data were to influence its execution, although no taint flows were detected in the analysis. Furthermore, the complete lack of output escaping for its single detected output point is a serious security flaw, leaving the plugin vulnerable to Cross-Site Scripting (XSS) attacks. The absence of any recorded vulnerability history is a positive indicator, suggesting a lack of past exploitable issues. Overall, while the plugin has a minimal attack surface and good data handling for SQL, the presence of a dangerous function and critical output escaping issues present immediate risks that need to be addressed.

Key Concerns

Dangerous function: create_function used
Output escaping is not used
No nonce checks on potential entry points
No capability checks on potential entry points

Vulnerabilities

None known

WP Feature Disable Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Version History

WP Feature Disable Release Timeline

v1.0Current

Code Analysis

Analyzed Mar 16, 2026

WP Feature Disable Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

0 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Dangerous Functions Found

create_functionadd_filter("pre_transient_update_core", create_function("$a", "return null;"));wp-feature-disable.php:228

Output Escaping

0% escaped1 total outputs

Attack Surface

WP Feature Disable Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 6

actionadmin_initwp-feature-disable.php:68

actionadmin_menuwp-feature-disable.php:77

actionwp_print_scriptswp-feature-disable.php:186

filterget_comment_author_urlwp-feature-disable.php:206

filterthe_generatorwp-feature-disable.php:218

filterpre_transient_update_corewp-feature-disable.php:228

Maintenance & Trust

WP Feature Disable Maintenance & Trust

Maintenance Signals

WordPress version tested2.8.6

Last updatedNov 26, 2009

PHP min version

Downloads5K

Community Trust

Rating0/100

Number of ratings0

Active installs70

Alternatives

WP Feature Disable Alternatives

Classic Widgets

classic-widgets

100

Enables the previous "classic" widgets settings screens in Appearance - Widgets and the Customizer. Disables the block editor from managing widgets.

2.0M No CVEs

Disable Comments – Remove Comments & Stop Spam [Multi-Site Support]

disable-comments

Allows administrators to globally disable comments on their site. Comments can be disabled according to post type. Multisite friendly.

1.0M 1 CVE

Header Footer Code Manager

header-footer-code-manager

Easily add tracking code snippets, conversion pixels, or other scripts required by third party services for analytics, marketing, or chat features.

600K 4 CVEs

Easy Updates Manager

stops-core-theme-and-plugin-updates

100

Manage all your WordPress updates, including individual updates, automatic updates, logs, and loads more. This also works very well with WordPress Mul …

300K 1 CVE

Disable Comments

disable-comments-rb

100

Disable Comments - easy tool to disable comments for your blog posts, and pages. Admin can disable comments in just a few clicks.

100K No CVEs

Developer Profile

WP Feature Disable Developer Profile

GKauten

3 plugins · 90 total installs

trust score

Avg Security Score

85/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect WP Feature Disable

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

HTML / DOM Fingerprints

CSS Classes

updated

Data Attributes

name="wpfd_editorautosave"name="wpfd_postrevisions"name="wpfd_commentauthurl"name="wpfd_generatortag"name="wpfd_coreupdate"value="true" checked="checked"

FAQ