WP Spell Check Security & Risk Analysis

wordpress.org/plugins/wp-spell-check

Proofread & Audit your WordPress website with One Click! Find & fix the errors and build a professional image for your business.

2K active installs · v10.1 · PHP 7.0+ · WP 6.3+ · Updated Feb 24, 2026

Tags: grammar, proofreading, seo, shortcode, spell-check

Score: 96 (A · Safe)
CVEs total: 6
Unpatched: 0
Last CVE: Feb 3, 2025
Safety Verdict

Is WP Spell Check Safe to Use in 2026?

Generally Safe

Score 96/100

WP Spell Check has a strong security track record. Known vulnerabilities have been patched promptly.

6 known CVEs · Last CVE: Feb 3, 2025 · Updated 1mo ago
Risk Assessment

The "wp-spell-check" v10.1 plugin presents a mixed security posture. It demonstrates strong output escaping (97%) and a good number of nonce and capability checks, but its attack surface and taint analysis raise significant concerns. The plugin exposes 23 AJAX handlers, 21 of which lack authentication checks, creating a large potential entry point for unauthorized actions. The taint analysis reveals 16 flows with unsanitized paths, all flagged as high severity, indicating a substantial risk of vulnerabilities such as Cross-Site Scripting (XSS) or SQL injection if the inputs are not handled carefully. The plugin's vulnerability history (6 past CVEs, including one high-severity issue, with XSS and CSRF as the common types) suggests a pattern of past weaknesses that, combined with the current high-severity taint flows, warrants significant caution. Despite positive aspects such as proper output escaping and the absence of bundled libraries, the high number of unprotected AJAX endpoints and the critical taint flows are the primary areas of concern.

Key Concerns

  • High number of AJAX handlers without auth checks
  • High severity taint flows (unsanitized paths)
  • Past high-severity vulnerability
  • Dangerous function: preg_replace with /e modifier
  • Significant portion of SQL queries not prepared
Vulnerabilities (6)

WP Spell Check Security Vulnerabilities

CVEs by Year

2019: 1 CVE
2021: 1 CVE
2022: 2 CVEs
2024: 1 CVE
2025: 1 CVE

Severity Breakdown

High: 1
Medium: 5

6 total CVEs

CVE-2025-25111 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

WP Spell Check <= 9.21 - Cross-Site Request Forgery

Feb 3, 2025 · Patched in 9.22 (366d)

CVE-2024-22143 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

WP Spell Check <= 9.17 - Cross-Site Request Forgery

Jan 12, 2024 · Patched in 9.18 (11d)

CVE-2022-2658 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Spell Check <= 9.12 - Authenticated (Admin+) Stored Cross-Site Scripting

Dec 23, 2022 · Patched in 9.13 (396d)

WF-787a19cf-a553-4aec-96c5-978956826756-wp-spell-check · medium · 5.4 · Cross-Site Request Forgery (CSRF)

WP Spell Check <= 9.12 - Cross-Site Request Forgery

Dec 23, 2022 · Patched in 9.13 (396d)

WF-b28ba929-d057-43f9-b839-62347c06c1bd-wp-spell-check · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Spell Check <= 9.2 - Reflected Cross-Site Scripting

Oct 25, 2021 · Patched in 9.3 (820d)

CVE-2019-6027 · high · 8.8 · Cross-Site Request Forgery (CSRF)

WP Spell Check <= 7.1.9 - Cross-Site Request Forgery

Nov 26, 2019 · Patched in 7.1.10 (1519d)
Code Analysis
Analyzed Mar 16, 2026

WP Spell Check Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 286 (266 prepared)
Unescaped Output: 15 (528 escaped)
Nonce Checks: 48
Capability Checks: 23
File Operations: 3
External Requests: 30
Bundled Libraries: 0

Dangerous Functions Found

preg_replace (/e modifier) · preg_replace( '/(\[\/e · admin\grammar\grammar_framework.php:293

SQL Query Safety

48% prepared · 552 total queries

Output Escaping

97% escaped · 543 total outputs

Data Flows (16 unsanitized)

Data Flow Analysis

24 flows · 16 with unsanitized paths
wpscx_dictionary_render (admin\class-wpsc-dictionary.php:247)
Attack Surface (21 unprotected)

WP Spell Check Attack Surface

Entry Points: 23
Unprotected: 21

AJAX Handlers (23)

auth · wp_ajax_results_sc · admin\class-wpsc-interface.php:94
auth · wp_ajax_emptyresults_sc · admin\class-wpsc-interface.php:95
auth · wp_ajax_wpscx_finish_scan · admin\class-wpsc-interface.php:96
auth · wp_ajax_finish_empty_scan · admin\class-wpsc-interface.php:97
auth · wp_ajax_results_hc · admin\class-wpsc-interface.php:99
auth · wp_ajax_finish_scan_hc · admin\class-wpsc-interface.php:100
auth · wp_ajax_wpsc_dismiss · admin\class-wpsc-interface.php:102
auth · wp_ajax_wpscx_start_scan · admin\class-wpsc-interface.php:104
auth · wp_ajax_wpscx_start_scan_grammar · admin\class-wpsc-interface.php:105
auth · wp_ajax_wpscx_start_scan_bc · admin\class-wpsc-interface.php:106
auth · wp_ajax_wpscx_start_scan_empty · admin\class-wpsc-interface.php:107
auth · wp_ajax_wpscx_display_results · admin\class-wpsc-interface.php:109
auth · wp_ajax_wpscx_get_stats · admin\class-wpsc-interface.php:110
auth · wp_ajax_wpscx_display_results_empty · admin\class-wpsc-interface.php:112
auth · wp_ajax_wpscx_get_stats_empty · admin\class-wpsc-interface.php:113
auth · wp_ajax_wpscx_display_results_grammar · admin\class-wpsc-interface.php:115
auth · wp_ajax_wpscx_get_stats_grammar · admin\class-wpsc-interface.php:116
auth · wp_ajax_wpscx_display_results_html · admin\class-wpsc-interface.php:118
auth · wp_ajax_wpscx_get_stats_code · admin\class-wpsc-interface.php:119
auth · wp_ajax_wpscx_ajax_fetch_custom_list · admin\class-wpsc-interface.php:121
auth · wp_ajax_wpscx_openAI_ajax · admin\class-wpsc-interface.php:123
auth · wp_ajax_results_gc · admin\grammar\grammar_framework.php:728
auth · wp_ajax_finish_scan_gc · admin\grammar\grammar_framework.php:729
WordPress Hooks (66)

action · admin_print_scripts · admin\class-deactive-survey.php:20
action · admin_enqueue_scripts · admin\class-deactive-survey.php:21
action · admin_footer · admin\class-deactive-survey.php:22
action · admin_enqueue_scripts · admin\class-html-results.php:215
filter · admin_footer_text · admin\class-wpsc-admin.php:73
action · admin_notices · admin\class-wpsc-admin.php:74
action · quick_edit_custom_box · admin\class-wpsc-dictionary.php:50
action · admin_enqueue_scripts · admin\class-wpsc-dictionary.php:245
action · admin_menu · admin\class-wpsc-interface.php:21
action · admin_menu · admin\class-wpsc-interface.php:22
action · admin_menu · admin\class-wpsc-interface.php:23
action · admin_menu · admin\class-wpsc-interface.php:24
action · admin_menu · admin\class-wpsc-interface.php:25
action · admin_menu · admin\class-wpsc-interface.php:26
action · admin_menu · admin\class-wpsc-interface.php:27
action · network_admin_menu · admin\class-wpsc-interface.php:29
action · admin_head · admin\class-wpsc-interface.php:31
action · admin_bar_menu · admin\class-wpsc-interface.php:34
action · wp_dashboard_setup · admin\class-wpsc-interface.php:45
action · admin_notices · admin\class-wpsc-interface.php:62
action · admin_init · admin\class-wpsc-interface.php:63
action · admin_init · admin\class-wpsc-interface.php:64
action · admin_init · admin\class-wpsc-interface.php:65
action · admin_head · admin\class-wpsc-interface.php:66
action · profile_personal_options · admin\class-wpsc-interface.php:76
action · edit_user_profile_update · admin\class-wpsc-interface.php:77
action · personal_options_update · admin\class-wpsc-interface.php:78
action · wp_enqueue_scripts · admin\class-wpsc-interface.php:79
action · admin_enqueue_scripts · admin\class-wpsc-interface.php:80
action · admin_enqueue_scripts · admin\class-wpsc-options.php:66
action · admin_enqueue_scripts · admin\class-wpsc-results.php:1663
filter · the_content · admin\class-wpsc-utils.php:1461
action · admin_enqueue_scripts · admin\grammar\class-grammar-results.php:226
action · admin_enqueue_scripts · admin\grammar\grammar_framework.php:60
action · admin_enqueue_scripts · admin\grammar\grammar_framework.php:370
action · wpgcx_check_pages · admin\grammar\grammar_framework.php:377
action · wpgcx_check_posts · admin\grammar\grammar_framework.php:384
action · wpgcx_scan_site · admin\grammar\grammar_framework.php:397
action · wpgc_scan_site · admin\grammar\grammar_framework.php:399
action · add_meta_boxes · admin\grammar\grammar_framework.php:492
action · edit_form_after_editor · admin\grammar\grammar_framework.php:556
action · post_submitbox_start · admin\grammar\grammar_framework.php:640
action · admin_enqueue_scripts · admin\wpsc-empty-results.php:29
action · admincheckpagetitlesemptybase · admin\wpsc-empty.php:35
action · admincheckposttitlesemptybase · admin\wpsc-empty.php:43
action · admincheckauthorsempty · admin\wpsc-empty.php:51
action · adminscansiteempty · admin\wpsc-empty.php:275
action · admincheckemptywpsc · admin\wpsc-empty.php:281
action · admincheckcode · admin\wpsc-framework.php:497
action · admincheckhtml · admin\wpsc-framework.php:508
action · admincheckshortcode · admin\wpsc-framework.php:519
action · admincheckpages · admin\wpsc-framework.php:526
action · admincheckposts · admin\wpsc-framework.php:533
action · admincheckauthors · admin\wpsc-framework.php:558
action · admincheckcf7 · admin\wpsc-framework.php:565
action · wpscxscanall · admin\wpsc-framework.php:732
action · adminscansite · admin\wpsc-framework.php:894
action · init · wpspellcheck.php:39
filter · http_request_args · wpspellcheck.php:45
action · admin_init · wpspellcheck.php:84
action · init · wpspellcheck.php:87
action · admin_enqueue_scripts · wpspellcheck.php:176
action · admin_enqueue_scripts · wpspellcheck.php:190
action · admin_head · wpspellcheck.php:225
action · init · wpspellcheck.php:438
filter · cron_schedules · wpspellcheck.php:447
Maintenance & Trust

WP Spell Check Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 24, 2026
PHP min version: 7.0
Downloads: 187K

Community Trust

Rating: 56/100
Number of ratings: 37
Active installs: 2K
Developer Profile

WP Spell Check Developer Profile

WP Spell Check

1 plugin · 2K total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 585 days
Detection Fingerprints

How We Detect WP Spell Check

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-spell-check/css/global-admin-styles.css
/wp-content/plugins/wp-spell-check/admin/css/uninstall-page.css

Version Parameters
wp-spell-check/css/global-admin-styles.css?ver=
wp-spell-check/admin/css/uninstall-page.css?ver=

HTML / DOM Fingerprints

Shortcode Output
[wpsc_settings]
[wpsc_grammar]
[wpsc_dictionary]
[wpsc_ignore]
FAQ

Frequently Asked Questions about WP Spell Check