WP Simple HTML Sitemap Security & Risk Analysis

wordpress.org/plugins/wp-simple-html-sitemap

Using Simple HTML Sitemap plugin, you can add HTML Sitemap anywhere on the website using Shortcode.

2K active installs · v3.8 · PHP 7.4+ · WP 6.0+ · Updated Feb 25, 2026
html-sitemap-plugin · html-sitemap-shortcode · post-and-pages-sitemap · simple-html-sitemap · sitemap
94
A · Safe
CVEs total: 6
Unpatched: 0
Last CVE: Apr 1, 2025
Safety Verdict

Is WP Simple HTML Sitemap Safe to Use in 2026?

Generally Safe

Score 94/100

WP Simple HTML Sitemap has a strong security track record. Known vulnerabilities have been patched promptly.

6 known CVEs · Last CVE: Apr 1, 2025 · Updated 1mo ago
Risk Assessment

The 'wp-simple-html-sitemap' plugin version 3.8 exhibits a mixed security posture. On the positive side, the static analysis reveals strong adherence to WordPress security best practices, with all identified entry points (AJAX handlers and shortcodes) incorporating nonce and capability checks. Furthermore, a high percentage of SQL queries utilize prepared statements, and output escaping is robust. There are no reported file operations or external HTTP requests, and the plugin does not bundle any external libraries, reducing potential attack vectors from outdated dependencies.

However, the taint analysis raises significant concerns. Two flows were identified with unsanitized paths, and both are classified as high severity. This suggests potential vulnerabilities where user-supplied input could be used to manipulate file paths or other sensitive operations, even with the otherwise strong sanitization and authorization checks in place. The plugin's vulnerability history is also a notable red flag. With a total of six known CVEs, including one critical and five medium-severity vulnerabilities, it indicates a pattern of security weaknesses being introduced and discovered. The fact that there are currently no unpatched CVEs is positive, but the recurring nature of vulnerabilities and the types of past issues (Missing Authorization, SQL Injection, XSS) point to underlying coding practices that may still introduce risks. The most recent vulnerability was dated April 1st, 2025, which is in the future, suggesting either a hypothetical scenario or a data anomaly; if this reflects a real-world recent vulnerability, it's a serious concern.

In conclusion, while version 3.8 shows improvements in implementing security checks and sanitization, the high-severity taint flows and the plugin's history of numerous vulnerabilities, particularly SQL Injection and XSS, necessitate caution. The presence of unsanitized paths in taint flows is the most immediate code-level concern. Users should monitor for future updates and be aware of the plugin's past security incidents.

Key Concerns

  • High severity taint flows with unsanitized paths
  • 1 critical CVE in vulnerability history
  • 5 medium CVEs in vulnerability history
  • Past vulnerability types: SQL Injection, XSS
Vulnerabilities
6

WP Simple HTML Sitemap Security Vulnerabilities

CVEs by Year

  • 3 CVEs in 2023
  • 2 CVEs in 2024
  • 1 CVE in 2025

Severity Breakdown

  • Critical: 1
  • Medium: 5

6 total CVEs

CVE-2025-31822 · medium · 5.3 · Missing Authorization

WP Simple HTML Sitemap <= 3.5 - Missing Authorization

Apr 1, 2025 · Patched in 3.6 (294d)

CVE-2024-7385 · critical · 9.1 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WordPress Simple HTML Sitemap <= 3.1 - Authenticated (Admin+) SQL Injection

Sep 24, 2024 · Patched in 3.2 (1d)

CVE-2024-32574 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WordPress Simple HTML Sitemap <= 2.8 - Reflected Cross-Site Scripting

Apr 16, 2024 · Patched in 2.9 (9d)

CVE-2023-49850 · medium · 5.3 · Missing Authorization

WP Simple HTML Sitemap <= 2.7 - Missing Authorization

Dec 7, 2023 · Patched in 2.8 (113d)

CVE-2023-46627 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Simple HTML Sitemap <= 2.2 - Reflected Cross-Site Scripting via id

Oct 25, 2023 · Patched in 2.3 (90d)

CVE-2023-45067 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Simple HTML Sitemap <= 2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Oct 3, 2023 · Patched in 2.5 (112d)
Code Analysis
Analyzed Mar 16, 2026

WP Simple HTML Sitemap Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 1 (6 prepared)
  • Unescaped Output: 6 (378 escaped)
  • Nonce Checks: 8
  • Capability Checks: 7
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 0

SQL Query Safety

86% prepared · 7 total queries

Output Escaping

98% escaped · 384 total outputs
Data Flows: 2 unsanitized

Data Flow Analysis

6 flows · 2 with unsanitized paths
wshs_disable_plugin_styles_ajax (inc\wshs_admin_view.php:481)
Attack Surface

WP Simple HTML Sitemap Attack Surface

Entry Points: 8
Unprotected: 0

AJAX Handlers: 7

  • auth · wp_ajax_wshs_get_posts_by_type · inc\wshs_admin_view.php:128
  • auth · wp_ajax_wshs_get_posts_by_taxonomy · inc\wshs_admin_view.php:158
  • auth · wp_ajax_wshs_get_posts_by_taxonomy_post · inc\wshs_admin_view.php:254
  • auth · wp_ajax_wshs_get_posts_by_taxonomy_terms · inc\wshs_admin_view.php:288
  • auth · wp_ajax_wshs_get_posts_by_taxonomy_terms_posts · inc\wshs_admin_view.php:407
  • auth · wp_ajax_wshs_disable_plugin_styles · inc\wshs_admin_view.php:501
  • auth · wp_ajax_wshs_save_shortcode · inc\wshs_saved.php:71

Shortcodes: 1

  • [wshs_list] · inc\wshs_front_view.php:210

WordPress Hooks: 6

  • filter · posts_where · inc\wshs_front_view.php:212
  • action · plugins_loaded · wordpress_simple_html_sitemap.php:38
  • action · admin_menu · wordpress_simple_html_sitemap.php:58
  • action · admin_enqueue_scripts · wordpress_simple_html_sitemap.php:77
  • filter · plugin_row_meta · wordpress_simple_html_sitemap.php:91
  • filter · plugin_action_links · wordpress_simple_html_sitemap.php:106
Maintenance & Trust

WP Simple HTML Sitemap Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Feb 25, 2026
  • PHP min version: 7.4
  • Downloads: 34K

Community Trust

  • Rating: 98/100
  • Number of ratings: 10
  • Active installs: 2K
Developer Profile

WP Simple HTML Sitemap Developer Profile

Ashish Ajani

4 plugins · 3K total installs

  • Trust score: 63
  • Avg Security Score: 77/100
  • Avg Patch Time: 103 days
Detection Fingerprints

How We Detect WP Simple HTML Sitemap

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/wp-simple-html-sitemap/css/wshs_style.css
  • /wp-content/plugins/wp-simple-html-sitemap/js/wshs_script.js
  • /wp-content/plugins/wp-simple-html-sitemap/css/jquery.fancybox.css
  • /wp-content/plugins/wp-simple-html-sitemap/js/jquery.fancybox.min.js

Script Paths

  • /wp-content/plugins/wp-simple-html-sitemap/js/wshs_script.js
  • /wp-content/plugins/wp-simple-html-sitemap/js/jquery.fancybox.min.js

Version Parameters

  • wp-simple-html-sitemap/css/wshs_style.css?ver=
  • wp-simple-html-sitemap/js/wshs_script.js?ver=
  • wp-simple-html-sitemap/css/jquery.fancybox.css?ver=
  • wp-simple-html-sitemap/js/jquery.fancybox.min.js?ver=

HTML / DOM Fingerprints

  • CSS Classes: wshs-admin-menu-wrap
  • Data Attributes: data-fancybox
  • JS Globals: wshs_ajax_object
FAQ

Frequently Asked Questions about WP Simple HTML Sitemap