WP-SCSS Security & Risk Analysis

wordpress.org/plugins/wp-scss

Compiles .scss files to .css and enqueues them.

40K active installs · v4.0.8 · PHP 7.2+ · WP 3.0.1+ · Updated Mar 2, 2026
css, sass, scss, scssphp
100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is WP-SCSS Safe to Use in 2026?

Generally Safe

Score 100/100

WP-SCSS has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 2mo ago
Risk Assessment

The wp-scss v4.0.8 plugin exhibits a strong security posture in several key areas, particularly regarding its attack surface and SQL query handling. The absence of AJAX handlers, REST API routes, shortcodes, and cron events with unprotected entry points is a significant strength. Furthermore, all SQL queries utilize prepared statements, eliminating a common vector for SQL injection vulnerabilities. The high percentage of properly escaped output is also a positive indicator of secure coding practices.

However, the static analysis reveals potential concerns. A large number of dangerous functions, including `assert` and `unserialize`, are present in the codebase. While the taint analysis shows no current unsanitized flows, the presence of functions like `unserialize` can be a significant risk if not handled with extreme care, especially in conjunction with user-supplied input. The complete lack of nonce checks and capability checks on any potential entry points, combined with 16 file operations and no explicit authorization checks indicated, suggests a potential for unauthorized actions or information disclosure if a vulnerable entry point were to exist or be introduced. The vulnerability history being clean is reassuring, but the codebase's inherent characteristics warrant vigilance.

In conclusion, while the plugin demonstrates good practices in its limited attack surface and data handling for SQL, the presence of dangerous functions and a lack of explicit authorization checks on file operations and potential entry points present a latent risk. The plugin's security relies heavily on the fact that there are currently no identifiable unprotected entry points, but any future additions or modifications must be thoroughly audited for proper authentication and sanitization, especially concerning the `unserialize` function.

Key Concerns

  • Presence of dangerous functions (unserialize, assert)
  • Missing nonce checks
  • Missing capability checks
  • File operations without explicit auth checks indicated
Vulnerabilities
None known

WP-SCSS Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

WP-SCSS Release Timeline

v4.0.8 (Current)
v4.0.7
v4.0.6
v4.0.5
v4.0.4
v4.0.3
v4.0.2
v4.0.1
v4.0.0
v3.0.1
v3.0.0
v2.4.0
v2.3.5
v2.3.4
v2.3.3
v2.3.2
v2.3.1
v2.3.0
v2.2.0
v2.1.6
Code Analysis
Analyzed Mar 16, 2026

WP-SCSS Code Analysis

Dangerous Functions: 105
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 6 (26 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 16
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

Function · Code · Location
assert · assert($this->indexInParent !== null); · scssphp\src\Ast\Css\ModifiableCssNode.php:80
assert · assert($this->indexInParent !== null); · scssphp\src\Ast\Css\ModifiableCssNode.php:133
assert · assert($child->indexInParent !== null); · scssphp\src\Ast\Css\ModifiableCssNode.php:140
assert · assert($lastDollar !== false); · scssphp\src\Ast\Sass\ArgumentDeclaration.php:159
assert · assert($dot !== false); · scssphp\src\Ast\Sass\ArgumentDeclaration.php:162
assert · assert($keywordRest === null || $rest !== null); · scssphp\src\Ast\Sass\ArgumentInvocation.php:62
unserialize · $c = unserialize($c); · scssphp\src\Cache.php:135
assert · assert($this->scope !== null); · scssphp\src\Compiler.php:407
assert · assert($sourceMapGenerator !== null); · scssphp\src\Compiler.php:425
assert · assert($this->scope !== null); · scssphp\src\Compiler.php:617
unserialize · $value = unserialize($value); · scssphp\src\Compiler.php:681
assert · assert($block->parent !== null); · scssphp\src\Compiler.php:699
assert · assert($media instanceof MediaBlock); · scssphp\src\Compiler.php:1166
assert · assert($this->scope !== null); · scssphp\src\Compiler.php:1172
assert · assert($block instanceof AtRootBlock); · scssphp\src\Compiler.php:1311
assert · assert($selfParent !== null, 'at-root blocks must have a selfParent set.'); · scssphp\src\Compiler.php:1334
assert · assert($this->scope !== null); · scssphp\src\Compiler.php:1346
assert · assert($this->scope !== null); · scssphp\src\Compiler.php:1353
assert · assert($this->rootBlock !== null); · scssphp\src\Compiler.php:1378
assert · assert($block instanceof DirectiveBlock || $block instanceof OutputBlock); · scssphp\src\Compiler.php:1586
assert · assert($this->scope->parent !== null); · scssphp\src\Compiler.php:1657
assert · assert($this->scope !== null); · scssphp\src\Compiler.php:1662
assert · assert($block instanceof NestedPropertyBlock); · scssphp\src\Compiler.php:1679
assert · assert($child[1] instanceof NestedPropertyBlock); · scssphp\src\Compiler.php:1698
assert · assert($this->scope->parent !== null); · scssphp\src\Compiler.php:1720
assert · assert($this->scope !== null); · scssphp\src\Compiler.php:1754
assert · assert($block->selectors !== null); · scssphp\src\Compiler.php:1783
assert · assert($this->scope !== null); · scssphp\src\Compiler.php:1788
assert · assert($block->selfParent !== null); · scssphp\src\Compiler.php:1806
assert · assert($this->scope !== null); · scssphp\src\Compiler.php:1854
assert · assert($block instanceof CallableBlock); · scssphp\src\Compiler.php:2952
assert · assert($selectors !== null); · scssphp\src\Compiler.php:2980
assert · assert($if instanceof IfBlock); · scssphp\src\Compiler.php:3004
assert · assert($each instanceof EachBlock); · scssphp\src\Compiler.php:3022
assert · assert($while instanceof WhileBlock); · scssphp\src\Compiler.php:3057
assert · assert($for instanceof ForBlock); · scssphp\src\Compiler.php:3070
assert · assert($mixin instanceof CallableBlock); · scssphp\src\Compiler.php:3131
assert · assert($env->block instanceof MediaBlock); · scssphp\src\Compiler.php:4751
assert · assert(!empty($parsedPrototypes)); · scssphp\src\Compiler.php:5825
assert · assert(\is_string($arg[0][1])); · scssphp\src\Compiler.php:6123
assert · assert(\is_string($name)); · scssphp\src\Compiler.php:6148
assert · assert($originalRestArgumentName !== null); · scssphp\src\Compiler.php:6279
assert · assert($default !== null); · scssphp\src\Compiler.php:6300
assert · assert(\is_array($value)); · scssphp\src\Compiler.php:6712
assert · assert(\is_array($value)); · scssphp\src\Compiler.php:6787
assert · assert(!empty($selectorsMap)); · scssphp\src\Compiler.php:9427
assert · assert($component1 instanceof ComplexSelectorComponent); · scssphp\src\Extend\ExtendUtil.php:531
assert · assert($component2 instanceof ComplexSelectorComponent); · scssphp\src\Extend\ExtendUtil.php:533
assert · assert($combinator2 !== null); · scssphp\src\Extend\ExtendUtil.php:609
assert · assert(! empty($block->selectors)); · scssphp\src\Formatter\Compressed.php:70
assert · assert($replacedLine !== null); · scssphp\src\Formatter\Expanded.php:61
assert · assert(! empty($block->selectors)); · scssphp\src\Formatter.php:162
assert · assert($out !== false); · scssphp\src\Formatter.php:292
assert · assert($this->currentBlock->sourceLine !== null); · scssphp\src\Formatter.php:335
assert · assert($this->currentBlock->sourceName !== null); · scssphp\src\Formatter.php:336
assert · assert($this->currentBlock->sourceLine !== null); · scssphp\src\Formatter.php:352
assert · assert($this->currentBlock->sourceName !== null); · scssphp\src\Formatter.php:353
assert · assert($plain !== null); // CSS doesn't allow non-plain identifiers · scssphp\src\Parser\CssParser.php:122
assert · assert(\is_int($value)); · scssphp\src\Parser\Parser.php:582
assert · assert($name->getAsPlain() !== 'not'); · scssphp\src\Parser\StylesheetParser.php:1401
assert · assert($operands !== null); · scssphp\src\Parser\StylesheetParser.php:1912
assert · assert($operators !== null); · scssphp\src\Parser\StylesheetParser.php:1913
assert · assert($operator !== null, 'The list of operators must not be empty'); · scssphp\src\Parser\StylesheetParser.php:1915
assert · assert($left !== null, 'The list of operands must not be empty'); · scssphp\src\Parser\StylesheetParser.php:1918
assert · assert($singleExpression !== null); · scssphp\src\Parser\StylesheetParser.php:2312
assert · assert($singleExpression !== null); · scssphp\src\Parser\StylesheetParser.php:2319
assert · assert($beforeBracket !== null); · scssphp\src\Parser\StylesheetParser.php:2322
assert · assert($this->scanner->peekChar() === '#'); · scssphp\src\Parser\StylesheetParser.php:2573
assert · assert($this->scanner->peekChar() === '+'); · scssphp\src\Parser\StylesheetParser.php:2686
assert · assert($this->scanner->peekChar() === '-'); · scssphp\src\Parser\StylesheetParser.php:2701
assert · assert($this->scanner->peekChar() === '!'); · scssphp\src\Parser\StylesheetParser.php:2720
assert · assert($this->scanner->peekChar() === '('); · scssphp\src\Parser\StylesheetParser.php:3203
assert · assert($next !== null); // https://github.com/phpstan/phpstan/issues/5678 · scssphp\src\Parser\StylesheetParser.php:3442
assert · assert($this->env !== null); · scssphp\src\Parser.php:256
assert · assert($if instanceof IfBlock); · scssphp\src\Parser.php:729
assert · assert($this->env !== null); · scssphp\src\Parser.php:994
assert · assert(\is_array($include)); · scssphp\src\Parser.php:1003
assert · assert($this->env !== null); · scssphp\src\Parser.php:1015
assert · assert($this->env !== null); · scssphp\src\Parser.php:1084
assert · assert($this->env !== null); · scssphp\src\Parser.php:1119
assert · assert($this->env !== null); · scssphp\src\Parser.php:1617
assert · assert($this->env !== null); · scssphp\src\Parser.php:1634
assert · assert($this->env !== null); · scssphp\src\Parser.php:1665
assert · assert(\is_array($value) || $value instanceof Number); · scssphp\src\Parser.php:2176
assert · assert(\is_array($value)); · scssphp\src\Parser.php:2180
assert · assert(\is_array($nextValue) || $nextValue instanceof Number); · scssphp\src\Parser.php:2209
assert · assert($minimumIndentation !== -1); · scssphp\src\Serializer\SerializeVisitor.php:166
assert · assert($value instanceof SassString); · scssphp\src\Serializer\SerializeVisitor.php:363
assert · assert($nodeValue instanceof SassString); · scssphp\src\Serializer\SerializeVisitor.php:386
assert · assert(Character::isWhitespace($scanner->peekChar(-1))); · scssphp\src\Serializer\SerializeVisitor.php:465
assert · assert($attribute->getOp() !== null); · scssphp\src\Serializer\SerializeVisitor.php:1180
assert · assert($jsonSourceMap !== false); · scssphp\src\SourceMap\SourceMapGenerator.php:192
assert · assert($this->cachedLine !== null); · scssphp\src\SourceSpan\SourceFile.php:108
assert · assert(\is_int($value)); · scssphp\src\Util\ParserUtil.php:53
assert · assert($this->left instanceof Equatable); · scssphp\src\Value\CalculationOperation.php:84
assert · assert($this->right instanceof Equatable); · scssphp\src\Value\CalculationOperation.php:85
assert · assert(\count($numeratorUnits) > 1 || \count($denominatorUnits) > 0); · scssphp\src\Value\ComplexSassNumber.php:42
assert · assert($argument instanceof Equatable); · scssphp\src\Value\SassCalculation.php:406
assert · assert(!\is_null($this->red)); · scssphp\src\Value\SassColor.php:243
assert · assert(!\is_null($this->green)); · scssphp\src\Value\SassColor.php:253
assert · assert(!\is_null($this->blue)); · scssphp\src\Value\SassColor.php:263
assert · assert(!\is_null($this->hue)); · scssphp\src\Value\SassColor.php:273
assert · assert(!\is_null($this->saturation)); · scssphp\src\Value\SassColor.php:283
assert · assert(!\is_null($this->lightness)); · scssphp\src\Value\SassColor.php:293
assert · assert($other === null || ($other->getNumeratorUnits() === $newNumeratorUnits && $other->getDenomina · scssphp\src\Value\SassNumber.php:909

Output Escaping

81% escaped · 32 total outputs
Attack Surface

WP-SCSS Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 11
action · admin_menu · options.php:15
action · admin_init · options.php:16
filter · plugin_action_links · wp-scss.php:88
filter · option_wpscss_options · wp-scss.php:112
action · admin_notices · wp-scss.php:156
action · admin_notices · wp-scss.php:176
action · admin_notices · wp-scss.php:181
action · admin_notices · wp-scss.php:190
action · wp_loaded · wp-scss.php:237
action · wp_print_styles · wp-scss.php:303
action · wp_enqueue_scripts · wp-scss.php:347
Maintenance & Trust

WP-SCSS Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Mar 2, 2026
PHP min version: 7.2
Downloads: 487K

Community Trust

Rating: 86/100
Number of ratings: 61
Active installs: 40K
Developer Profile

WP-SCSS Developer Profile

Connect Think

1 plugin · 40K total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect WP-SCSS

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-scss/scssphp/scss.inc.php
/wp-content/plugins/wp-scss/class/class-wp-scss.php
/wp-content/plugins/wp-scss/options.php
Version Parameters
wp-scss/style.css?ver=

HTML / DOM Fingerprints
