WP-hResume Security & Risk Analysis

wordpress.org/plugins/wp-hresume

Include any hResume encoded resume in any Wordpress page and style it how you like including Stack Overflow Careers and LinkedIn.

10 active installs v1.0 PHP + WP 2.0.0+ Updated Jan 25, 2010
hresumelinkedinmicroformatresumestackoverflow
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Safety Verdict

Is WP-hResume Safe to Use in 2026?

Generally Safe

Score 85/100

WP-hResume has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 16yr ago
Risk Assessment

The wp-hresume plugin v1.0 exhibits a concerning security posture despite its limited attack surface and lack of recorded vulnerabilities. While the code analysis shows no raw SQL queries or external HTTP requests, and a lack of taint flows, significant weaknesses are present. Notably, all output is unescaped, presenting a high risk of Cross-Site Scripting (XSS) vulnerabilities if any user-provided data is displayed on the front-end. The presence of the `exec` function is a critical red flag, as it can be exploited for Remote Code Execution (RCE) if any untrusted input is passed to it. Furthermore, the absence of nonce and capability checks for its single shortcode means that any user, regardless of their role, could potentially trigger its functionality, further increasing the risk of exploitation if the `exec` function or unescaped output is involved.

Key Concerns

  • 0% output escaping
  • Presence of dangerous function: exec
  • Missing nonce checks
  • Missing capability checks
Vulnerabilities
None known

WP-hResume Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

WP-hResume Release Timeline

No version history available.
Code Analysis
Analyzed Mar 17, 2026

WP-hResume Code Analysis

Dangerous Functions
1
Raw SQL Queries
0
0 prepared
Unescaped Output
16
0 escaped
Nonce Checks
0
Capability Checks
0
File Operations
3
External Requests
0
Bundled Libraries
0

Dangerous Functions Found

execexec("tidy -utf8 -indent -asxhtml -numeric -bare -quiet $tmp_file", $tidy);hkit\hkit.class.php:312

Output Escaping

0% escaped16 total outputs
Attack Surface

WP-hResume Attack Surface

Entry Points1
Unprotected0

Shortcodes 1

[wphres] wphres.php:86
Maintenance & Trust

WP-hResume Maintenance & Trust

Maintenance Signals

WordPress version tested2.9.2
Last updatedJan 25, 2010
PHP min version
Downloads3K

Community Trust

Rating0/100
Number of ratings0
Active installs10
Developer Profile

WP-hResume Developer Profile

mithra62

3 plugins · 110 total installs

79
trust score
Avg Security Score
78/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect WP-hResume

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-hresume/wphres_template.php/wp-content/plugins/wp-hresume/hkit/hkit.class.php

HTML / DOM Fingerprints

Shortcode Output
<div class="hresume">
FAQ

Frequently Asked Questions about WP-hResume