Does WP Update Message have any unpatched vulnerabilities?

No. All known vulnerabilities in WP Update Message have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is WP Update Message compatible with WordPress 2.8?

According to WordPress.org data, WP Update Message 1.2 has been tested up to WordPress 2.8. Check the plugin's changelog for the latest compatibility information.

How often is WP Update Message updated?

WP Update Message was last updated on Jul 26, 2009. Frequent updates are generally a positive security signal.

What is WP Update Message's security score?

WP Update Message has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

WP Update Message Security & Risk Analysis

wordpress.org/plugins/wp-update-message

Add a short note about the latest changes in the current post or page.

10 active installs v1.2 PHP + WP 2.6+ Updated Jul 26, 2009

adminmessagepagepostupdate

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is WP Update Message Safe to Use in 2026?

Generally Safe

Score 85/100

WP Update Message has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 16yr ago

Risk Assessment

The "wp-update-message" v1.2 plugin exhibits a generally positive security posture, particularly concerning its limited attack surface and the absence of known vulnerabilities. The plugin correctly avoids using dangerous functions and all SQL queries are secured with prepared statements. Furthermore, it implements nonce and capability checks, which are essential for protecting against unauthorized actions.

However, a significant concern arises from the output escaping analysis. With 8 total outputs and 0% properly escaped, this indicates a high risk of Cross-Site Scripting (XSS) vulnerabilities. Any user-supplied or dynamic data displayed by the plugin without proper sanitization could be leveraged by attackers to inject malicious scripts. The taint analysis also revealed one flow with an unsanitized path, which, while not classified as critical or high, warrants attention as it suggests a potential vector for unexpected behavior or exploitation if not properly handled downstream.

The plugin's vulnerability history shows no recorded CVEs, which is a strong indicator of good security practices in the past. Despite the concerning output escaping, the lack of historical vulnerabilities suggests that developers have been attentive to security. Overall, the plugin is strong in its architectural defenses and lack of historical issues, but the complete lack of output escaping is a critical weakness that needs immediate remediation.

Key Concerns

0% output escaping
1 unsanitized path flow

Vulnerabilities

None known

WP Update Message Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 17, 2026

WP Update Message Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

0 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

0% escaped8 total outputs

Data Flows

1 unsanitized

Data Flow Analysis

2 flows1 with unsanitized paths

wpudma_options (wp-update-message.php:156)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

WP Update Message Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 4

actionadmin_menuwp-update-message.php:11

actionsave_postwp-update-message.php:12

filterthe_contentwp-update-message.php:13

actionwp_headwp-update-message.php:14

Maintenance & Trust

WP Update Message Maintenance & Trust

Maintenance Signals

WordPress version tested2.8

Last updatedJul 26, 2009

PHP min version

Downloads4K

Community Trust

Rating0/100

Number of ratings0

Active installs10

Alternatives

WP Update Message Alternatives

WP Quick Update Featured Image

wp-quick-update-featured-image

Adds ability to make available payment method according IP address.

0 No CVEs

Reveal IDs

reveal-ids-for-wp-admin-25

100

What this plugin does is to reveal most removed IDs on admin pages, as it was in versions prior to 2.5.

40K No CVEs

WP Admin UI Customize

wp-admin-ui-customize

Customize the management screen UI.

30K 2 CVEs

Last Modified Timestamp

last-modified-timestamp

100

Adds the last modified time to the admin interface as well as a [last-modified] shortcode to use on the front-end.

8K No CVEs

Admin Collapse Subpages

admin-collapse-subpages

Using this plugin one can easily collapse/expand pages with children and grand children.

4K No CVEs

Developer Profile

WP Update Message Developer Profile

Jenst

7 plugins · 280 total installs

trust score

Avg Security Score

85/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect WP Update Message

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/wp-update-message/style-themes/green.css/wp-content/plugins/wp-update-message/style-themes/blue.css/wp-content/plugins/wp-update-message/style-themes/red.css/wp-content/plugins/wp-update-message/style-themes/orange.css

HTML / DOM Fingerprints

CSS Classes

update_message

HTML Comments

Shortcode Output

<div class="update_message">
			<small>Updated: %ud%</small>
			<p>%ut%</p>
		</div>

FAQ