wp-Monalisa Security & Risk Analysis

wordpress.org/plugins/wp-monalisa

wp-Monalisa is the plugin that smiles at you like Mona Lisa does. Place the smilies of your choice in posts, pages or comments.

800 active installs · v6.6 · Requires PHP (min version not stated), WP 4.0+ · Updated Dec 6, 2025
Tags: comments, editor, emoji, emoticon, smiley
Score: 99 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Oct 9, 2024
Safety Verdict

Is wp-Monalisa Safe to Use in 2026?

Generally Safe

Score 99/100

wp-Monalisa has a short vulnerability history and no known unpatched issues. Both known vulnerabilities are fixed: the 2024 CSRF was patched within 8 days, the 2022 administrator-only stored XSS took 482 days.

2 known CVEs · Last CVE: Oct 9, 2024 · Updated 3mo ago
Risk Assessment

The wp-monalisa v6.6 plugin presents a mixed security posture. Its data-handling baseline is good: all 66 database queries use prepared statements, 72 of 73 outputs are escaped, and the static taint analysis found no critical or high severity flows (all 4 tracked flows are sanitized). The concerns are in authorization. Two AJAX handlers, wpml_import_ajax and wpml_edit_disable_comments_ajax, are registered on wp_ajax_ hooks, so they require a login but are reachable by any account, and the scanner found no capability check anywhere in the plugin (0 capability checks against 5 nonce checks). Unless those handlers gate on a capability in a way the static analysis missed, a subscriber-level account could trigger an import or toggle the comment setting; that is the item to verify first. The 19 unserialize() calls are a different kind of risk: every one of them deserializes a value read from the options table via get_option() or get_blog_option(), never request input, so they are not directly reachable. They become a PHP object injection primitive only if an attacker can already write those options (through a separate vulnerability or a compromised administrator account) and a usable gadget chain exists in the installed code. Storing plain arrays and letting get_option() deserialize them, or calling unserialize() with allowed_classes set to false, would remove the sink.

The vulnerability history is short and entirely medium severity: a stored XSS exploitable only by Administrator-level users (reported Sep 28, 2022, fixed in 6.2 after 482 days; on single-site installs administrators normally hold unfiltered_html anyway, so the practical impact is limited to multisite or hardened setups) and a CSRF (reported Oct 9, 2024, fixed in 6.5 within 8 days). No unpatched vulnerabilities are known, but both issues are request-validation and authorization failures, the same category as the open concerns above. Overall the plugin's query and output handling is solid; the AJAX handlers without capability checks and the unserialize() of stored options are the items to verify or mitigate, and sites should be on 6.5 or later.

Key Concerns

  • 2 AJAX handlers (wp_ajax_wpml_import_ajax, wp_ajax_wpml_edit_disable_comments_ajax) reachable by any logged-in user, with no capability check found
  • Dangerous function: unserialize (19 instances, all on values read from the options table)
  • 2 medium CVEs (CSRF in 2024, administrator-only stored XSS in 2022); no unpatched issues known
  • 0 capability checks anywhere in the plugin (5 nonce checks)
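As an added example (not wp-Monalisa's own code; the hook name, option name, capability and JSON payload format are hypothetical, the WordPress APIs are real), the handler shape that the findings above describe, beside a hardened version that adds the nonce check, the capability check, and stops calling unserialize() on stored options:

```php
<?php
// Added example, not wp-Monalisa's own code. Hook name, option name, payload
// format and the chosen capability are hypothetical; the WordPress APIs are real.

// WEAK PATTERN: what "AJAX handler without auth/capability checks" looks like.
// wp_ajax_ (with no _nopriv_ variant) means a session is required, but nothing
// checks WHO is logged in or WHETHER they intended the request, and the stored
// option goes straight into unserialize().
add_action( 'wp_ajax_example_import_weak', 'example_import_weak' );
function example_import_weak() {
    // Any authenticated account, subscriber included, reaches this point.
    $current  = unserialize( get_option( 'example_opts' ) );              // object injection sink if the option is ever attacker-written
    $incoming = json_decode( wp_unslash( $_POST['data'] ?? '' ), true );
    if ( is_array( $current ) && is_array( $incoming ) ) {
        update_option( 'example_opts', serialize( array_merge( $current, $incoming ) ) ); // unvalidated keys/values persisted
    }
    wp_send_json_success();
}

// HARDENED: same functionality with the checks the findings call for.
add_action( 'wp_ajax_example_import', 'example_import_hardened' );
function example_import_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this exact action
    //    (wp_create_nonce( 'example_import' ) on the admin page). On failure
    //    WordPress dies with -1 and HTTP 403 before any code below runs.
    check_ajax_referer( 'example_import', 'nonce' );

    // 2. Authorization: a session is not enough; require the capability the
    //    action actually needs. This is the check the scanner found zero of.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input: decode a JSON payload and sanitize every field; reject anything
    //    that is not a flat key/value map.
    $incoming = json_decode( wp_unslash( $_POST['data'] ?? '' ), true );
    if ( ! is_array( $incoming ) ) {
        wp_send_json_error( array( 'message' => 'bad payload' ), 400 );
    }
    $clean = array();
    foreach ( $incoming as $key => $value ) {
        if ( is_scalar( $value ) ) {
            $clean[ sanitize_key( $key ) ] = sanitize_text_field( (string) $value );
        }
    }

    // 4. Storage: persist a plain array. update_option()/get_option() serialize
    //    and unserialize internally, so the plugin never calls unserialize() on
    //    database content and the sink disappears.
    $current = get_option( 'example_opts', array() );
    if ( ! is_array( $current ) ) {
        $current = array();
    }
    update_option( 'example_opts', array_merge( $current, $clean ) );
    wp_send_json_success( array( 'saved' => count( $clean ) ) );
}

// If a legacy option really is stored as a serialized string (the situation the
// 19 unserialize() findings point at), read it without allowing object
// instantiation, so a tampered value cannot reach a gadget chain.
function example_read_legacy_option( $name ) {
    $stored = get_option( $name );
    if ( ! is_string( $stored ) || ! is_serialized( $stored ) ) {
        return is_array( $stored ) ? $stored : array();
    }
    $decoded = unserialize( $stored, array( 'allowed_classes' => false ) ); // PHP 7.0+
    return is_array( $decoded ) ? $decoded : array();
}
```

To confirm the finding on a site you administer, log in as a subscriber and POST `action=wpml_import_ajax` to `/wp-admin/admin-ajax.php` with no other parameters: a `-1` body or a 403 means a nonce or capability check rejected the call before the handler ran, while a 200 with JSON means any logged-in account reaches the handler body.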
Vulnerabilities
2

wp-Monalisa Security Vulnerabilities

CVEs by Year

2022: 1 CVE (patched)
2024: 1 CVE (patched)

Severity Breakdown

Medium: 2 (2 total CVEs)

CVE-2024-48038 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

wp-Monalisa <= 6.4 - Cross-Site Request Forgery

Disclosed Oct 9, 2024 · Patched in 6.5 (8 days)

WF-6619b370-dd2a-4945-a776-1fecf407119e-wp-monalisa · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

wp-Monalisa <= 6.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Disclosed Sep 28, 2022 · Patched in 6.2 (482 days)
Code Analysis
Analyzed Mar 16, 2026

wp-Monalisa Code Analysis

Dangerous Functions: 19
Raw SQL Queries: 0 (66 prepared)
Unescaped Output: 1 (72 escaped)
Nonce Checks: 5
Capability Checks: 0
File Operations: 7
External Requests: 0
Bundled Libraries: 1

Dangerous Functions Found

All 19 are unserialize() calls on values read from the options table (get_option / get_blog_option), not on request input:

wp-monalisa.php:67 · unserialize · $av = unserialize( get_option( 'wpml-opts' ) );
wp-monalisa.php:246 · unserialize · $av = unserialize( get_option( 'wpml-opts' ) );
wpml-admin.php:85 · unserialize · $av = unserialize( get_option( 'wpml-opts' ) );
wpml-comment.php:38 · unserialize · $av = unserialize( get_option( 'wpml-opts' ) );
wpml-comment.php:131 · unserialize · $excludes = unserialize( get_option( 'wpml_excludes' ) );
wpml-comment.php:144 · unserialize · $av = unserialize( get_option( 'wpml-opts' ) );
wpml-edit.php:36 · unserialize · $excludes = unserialize( get_option( 'wpml_excludes' ) );
wpml-edit.php:84 · unserialize · $av = unserialize( get_blog_option( get_current_blog_id(), 'wpml-opts' ) );
wpml-edit.php:87 · unserialize · $av = unserialize( get_option( 'wpml-opts' ) );
wpml-edit.php:125 · unserialize · $av = unserialize( get_option( 'wpml-opts' ) );
wpml-edit.php:129 · unserialize · $av = unserialize( get_blog_option( get_current_blog_id(), 'wpml-opts' ) );
wpml-edit.php:136 · unserialize · $excludes = unserialize( get_option( 'wpml_excludes' ) );
wpml-export.php:35 · unserialize · $av = unserialize( get_option( 'wpml-opts' ) );
wpml-func.php:67 · unserialize · $av = unserialize( get_option( 'wpml-opts' ) );
wpml-func.php:271 · unserialize · $av = unserialize( get_option( 'wpml-opts' ) );
wpml-func.php:275 · unserialize · $av = unserialize( get_blog_option( get_current_blog_id(), 'wpml-opts' ) );
wpml-import.php:36 · unserialize · $av = unserialize( get_option( 'wpml-opts' ) );
wpml-import.php:93 · unserialize · $av = unserialize( get_option( 'wpml-opts' ) );
wpml-setup.php:127 · unserialize · $av = unserialize( get_option( 'wpml-opts' ) );

Bundled Libraries

TinyMCE

SQL Query Safety

100% prepared (66 total queries)

Output Escaping

99% escaped (73 total outputs: 72 escaped, 1 unescaped)
Data Flows
All sanitized

Data Flow Analysis

4 flows, all sanitized; first entry:
wpml_admin (wpml-admin.php:74)
Attack Surface
2 unprotected

wp-Monalisa Attack Surface

Entry Points: 2
Unprotected: 2

AJAX Handlers (2)

auth · wp_ajax_wpml_import_ajax · wp-monalisa.php:72
auth · wp_ajax_wpml_edit_disable_comments_ajax · wp-monalisa.php:73

Both are wp_ajax_ hooks with no wp_ajax_nopriv_ variant listed, so they require a logged-in session but are reachable by any role; neither is backed by a capability check in the analysis (0 found plugin-wide).
WordPress Hooks (67)

filter · mce_buttons · wp-monalisa.php:92
filter · mce_external_plugins · wp-monalisa.php:93
action · wp_enqueue_scripts · wp-monalisa.php:102
action · admin_print_styles · wp-monalisa.php:103
action · init · wp-monalisa.php:111
action · enqueue_block_editor_assets · wp-monalisa.php:119
filter · tiny_mce_plugins · wp-monalisa.php:134
filter · bp_activity_comment_content · wp-monalisa.php:259
filter · bp_get_activity_action · wp-monalisa.php:261
filter · bp_get_activity_content_body · wp-monalisa.php:262
filter · bp_get_activity_content · wp-monalisa.php:263
filter · bp_get_activity_parent_content · wp-monalisa.php:264
filter · bp_get_activity_latest_update · wp-monalisa.php:265
filter · bp_get_activity_latest_update_excerpt · wp-monalisa.php:266
filter · bp_core_render_message_content · wp-monalisa.php:267
filter · bp_get_the_topic_title · wp-monalisa.php:268
filter · bp_get_the_topic_latest_post_excerpt · wp-monalisa.php:269
filter · bp_get_the_topic_post_content · wp-monalisa.php:270
filter · bp_get_group_description · wp-monalisa.php:271
filter · bp_get_group_description_excerpt · wp-monalisa.php:272
filter · bp_get_message_notice_subject · wp-monalisa.php:273
filter · bp_get_message_notice_text · wp-monalisa.php:274
filter · bp_get_message_thread_subject · wp-monalisa.php:275
filter · bp_get_message_thread_excerpt · wp-monalisa.php:276
filter · bp_get_the_thread_message_content · wp-monalisa.php:277
filter · bp_get_message_thread_content · wp-monalisa.php:278
filter · bp_get_the_profile_field_value · wp-monalisa.php:279
filter · bp_get_send_public_message_button · wp-monalisa.php:285
filter · bp_get_send_message_button · wp-monalisa.php:286
filter · init · wp-monalisa.php:290
filter · bbp_get_reply_content · wp-monalisa.php:295
filter · bbp_get_topic_content · wp-monalisa.php:296
filter · wpforo_editor_settings · wp-monalisa.php:301
filter · wpforo_members_init_fields_tinymce_settings · wp-monalisa.php:302
filter · mce_external_plugins · wp-monalisa.php:303
filter · wpforo_content_after · wp-monalisa.php:304
action · init · wp-monalisa.php:319
action · init · wp-monalisa.php:321
action · init · wp-monalisa.php:323
action · admin_menu · wp-monalisa.php:326
action · admin_menu · wp-monalisa.php:328
filter · init · wp-monalisa.php:331
filter · the_content · wp-monalisa.php:332
filter · the_excerpt · wp-monalisa.php:333
filter · comment_text · wp-monalisa.php:334
action · admin_enqueue_scripts · wpml-admin.php:49
filter · upgrader_pre_install · wpml-autoupdate.php:116
filter · upgrader_post_install · wpml-autoupdate.php:117
action · comment_form · wpml-comment.php:50
filter · comment_form_defaults · wpml-comment.php:55
action · bp_after_activity_post_form · wpml-comment.php:61
action · bp_activity_entry_comments · wpml-comment.php:62
action · bp_after_messages_compose_content · wpml-comment.php:64
action · bbp_theme_after_topic_form_content · wpml-comment.php:66
action · bbp_theme_after_reply_form_content · wpml-comment.php:67
action · groups_forum_new_topic_after · wpml-comment.php:68
action · groups_forum_new_reply_after · wpml-comment.php:69
action · bp_group_after_edit_forum_topic · wpml-comment.php:70
action · bp_after_group_forum_post_new · wpml-comment.php:71
action · bp_after_messages_compose_content · wpml-comment.php:73
action · bp_after_message_reply_box · wpml-comment.php:74
action · bp_group_after_edit_forum_post · wpml-comment.php:76
filter · bbp_user_edit_signature_info · wpml-comment.php:80
action · rtmedia_add_comments_extra · wpml-comment.php:86
action · bbp_theme_after_topic_form_content · wpml-comment.php:92
action · bbp_theme_after_reply_form_content · wpml-comment.php:93
filter · safe_style_css · wpml-func.php:323
Maintenance & Trust

wp-Monalisa Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 6, 2025
PHP min version: (not stated)
Downloads: 100K

Community Trust

Rating: 96/100
Number of ratings: 25
Active installs: 800
Developer Profile

wp-Monalisa Developer Profile

tuxlog

6 plugins · 6K total installs

Trust score: 78
Avg Security Score: 98/100
Avg Patch Time: 660 days
Detection Fingerprints

How We Detect wp-Monalisa

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset / Script Paths
/wp-content/plugins/wp-monalisa/wpml_script.js
/wp-content/plugins/wp-monalisa/wpml_gutenberg.js

HTML / DOM Fingerprints

JS Globals
window._wpml_richedit_smilies
window._wpml_richedit_smiliesperrow
window._wpml_richedit_maxwidth
window._wpml_richedit_maxheight
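As an added example of how the fingerprints above are applied (this is not the page's own detection tooling; the sample HTML is constructed for the demo and the version extraction from the `?ver=` query string is an assumption about how the site enqueues the script):

```php
<?php
// Added example, not part of this page's scanner. Checks a fetched HTML page for
// the wp-Monalisa asset paths and JS globals listed above. The sample HTML below
// is constructed, not captured from a real site.

const WPML_ASSET_PATHS = [
    '/wp-content/plugins/wp-monalisa/wpml_script.js',
    '/wp-content/plugins/wp-monalisa/wpml_gutenberg.js',
];

const WPML_JS_GLOBALS = [
    '_wpml_richedit_smilies',
    '_wpml_richedit_smiliesperrow',
    '_wpml_richedit_maxwidth',
    '_wpml_richedit_maxheight',
];

/**
 * Returns ['detected' => bool, 'version' => ?string, 'evidence' => string[]].
 * The version is taken from the ?ver= parameter WordPress appends to enqueued
 * scripts; a plugin may pass its own version or leave it to WordPress core, so
 * it is reported only as a hint and should be confirmed against the plugin's
 * readme.txt before matching it to the <= 6.4 / <= 6.1 CVE ranges.
 */
function wpml_fingerprint( string $html ): array {
    $evidence = [];
    $version  = null;

    foreach ( WPML_ASSET_PATHS as $path ) {
        // Match the path anywhere in a src attribute, with an optional ?ver=x.y.z.
        $pattern = '#' . preg_quote( $path, '#' ) . '(?:\?ver=([0-9][0-9.]*))?#i';
        if ( preg_match( $pattern, $html, $m ) ) {
            $evidence[] = 'asset:' . $path;
            if ( $version === null && isset( $m[1] ) && $m[1] !== '' ) {
                $version = $m[1];
            }
        }
    }

    foreach ( WPML_JS_GLOBALS as $global ) {
        // Inline settings are emitted as window._wpml_... = ... or var _wpml_... = ...
        $pattern = '/\b(?:window\.|var\s+)' . preg_quote( $global, '/' ) . '\s*=/';
        if ( preg_match( $pattern, $html ) ) {
            $evidence[] = 'global:' . $global;
        }
    }

    return [
        'detected' => count( $evidence ) > 0,
        'version'  => $version,
        'evidence' => $evidence,
    ];
}

// Constructed sample page (not a real capture).
$sample = <<<'HTML'
<html><head>
<script src="https://example.test/wp-content/plugins/wp-monalisa/wpml_script.js?ver=6.6"></script>
<script>window._wpml_richedit_smilies = ["smile.png"]; window._wpml_richedit_maxwidth = 32;</script>
</head><body></body></html>
HTML;

$result = wpml_fingerprint( $sample );
printf( "detected=%s version=%s\n", $result['detected'] ? 'yes' : 'no', $result['version'] ?? 'unknown' );
foreach ( $result['evidence'] as $e ) {
    echo "  $e\n";
}
```

Asset-path evidence establishes that the plugin is installed and active on the page; it does not establish the version. For CVE triage, confirm the version from `/wp-content/plugins/wp-monalisa/readme.txt` (the `Stable tag` line) where that file is readable, since the `?ver=` value can be the WordPress core version rather than the plugin's.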
FAQ

Frequently Asked Questions about wp-Monalisa