Image Replacement Security & Risk Analysis

wordpress.org/plugins/wp-imagereplacement

Use javascript to replace html tags with images to create image headlines.

10 active installs v1.1 PHP + WP + Updated Mar 23, 2006
85
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Image Replacement Safe to Use in 2026?

Generally Safe

Score 85/100

Image Replacement has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 20yr ago
Risk Assessment

The "wp-imagereplacement" v1.1 plugin exhibits a mixed security posture. On one hand, the plugin demonstrates excellent practices by avoiding known dangerous functions, utilizing prepared statements for all SQL queries, and having no recorded vulnerability history. The absence of AJAX handlers, REST API routes, shortcodes, and cron events significantly limits the attack surface. However, static analysis shows that none of the plugin's 65 outputs is properly escaped, which is a major concern. This could lead to Cross-Site Scripting (XSS) vulnerabilities if user-controlled data is ever displayed without sanitization. Furthermore, the taint analysis identified two flows with unsanitized paths, indicating potential risks of directory traversal or similar path manipulation issues, even though they are not classified as critical or high severity. While the plugin has no recorded CVEs and no critical issues from the taint analysis, the lack of output escaping is a significant weakness that needs immediate attention.

Key Concerns

  • 0% of output is properly escaped
  • 2 flows with unsanitized paths
Vulnerabilities
None known

Image Replacement Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Image Replacement Release Timeline

v1.1 (Current)
v1.0
vbeta
Code Analysis
Analyzed Mar 16, 2026

Image Replacement Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 65 (0 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 9
External Requests: 0
Bundled Libraries: 0

Output Escaping

0% escaped · 65 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

2 flows · 2 with unsanitized paths
options_page (wp-imagereplacement.php:220)
Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface

Image Replacement Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 3
action admin_menu (wp-imagereplacement.php:27)
action wp_head (wp-imagereplacement.php:28)
action wp_footer (wp-imagereplacement.php:29)
Maintenance & Trust

Image Replacement Maintenance & Trust

Maintenance Signals

WordPress version tested
Last updated: Mar 23, 2006
PHP min version
Downloads: 4K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 10
Alternatives

Image Replacement Alternatives

No alternatives data available yet.

Developer Profile

Image Replacement Developer Profile

dalziel

6 plugins · 80 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Image Replacement

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Script Paths
/wp-content/plugins/wp-imagereplacement/wp-imagereplacement.php
Version Parameters
wp-imagereplacement/wp-imagereplacement.php?ver=

HTML / DOM Fingerprints

HTML Comments
<!-- Props to Dustin Diaz: http://www.dustindiaz.com/getelementsbyclass/ -->
Data Attributes
data-wp-imagereplacement-text, data-wp-imagereplacement-class, data-wp-imagereplacement-background, data-wp-imagereplacement-colour, data-wp-imagereplacement-ypad, data-wp-imagereplacement-size, +4 more
JS Globals
wp_imagereplacement_init, wp_imagereplacement_traverse, wp_imagereplacement_swap, wp_imagereplacement_replace, getElementsByClass
FAQ

Frequently Asked Questions about Image Replacement