xili-tidy-tags Security & Risk Analysis

wordpress.org/plugins/xili-tidy-tags

xili-tidy-tags is a tool for grouping tags by semantic groups or by language and for creating tidy tag clouds.

Active installs: 1K
Version: v1.12.06
Requires: PHP + WP 4.6+
Updated: Mar 24, 2025
Tags: multilingual, posts, shortcode, tags, taxonomy

Score: 46
Grade: D · High Risk
CVEs total: 4
Unpatched: 2
Last CVE: Sep 22, 2025
Safety Verdict

Is xili-tidy-tags Safe to Use in 2026?

High Risk

Score 46/100

xili-tidy-tags carries significant security risk with 4 known CVEs, 2 still unpatched. Consider switching to a maintained alternative.

4 known CVEs · 2 unpatched · Last CVE: Sep 22, 2025 · Updated 1yr ago
Risk Assessment

The xili-tidy-tags plugin exhibits a mixed security posture. On one hand, it demonstrates good practices by utilizing prepared statements for the vast majority of its SQL queries and includes a substantial number of nonce and capability checks, indicating an awareness of common WordPress security mechanisms. The static analysis reveals a relatively small attack surface with no immediately obvious unprotected entry points, and no critical or high-severity issues found in the taint analysis. However, a significant concern arises from its vulnerability history. With four known CVEs, two of which remain unpatched, and a recent vulnerability discovered in September 2025, this plugin has a recurring pattern of security flaws. The common vulnerability types noted (XSS and CSRF) suggest potential issues with input sanitization and state-changing actions. The moderate percentage of improperly escaped output also raises red flags for potential XSS vulnerabilities, even if not immediately identified as critical by the taint analysis.

Key Concerns

  • Unpatched CVEs (2)
  • Medium severity CVEs (4)
  • Significant portion of output not properly escaped
  • Bundled library (DataTables) may be outdated
Vulnerabilities
4 published

xili-tidy-tags Security Vulnerabilities

CVEs by Year

  • 2023: 1 CVE
  • 2024: 1 CVE
  • 2025: 2 CVEs (unpatched)

Severity Breakdown

  • Medium: 4

4 total CVEs

CVE-2025-58240 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
xili-tidy-tags <= 1.12.06 - Authenticated (Contributor+) Stored Cross-Site Scripting
Sep 22, 2025 · Unpatched

CVE-2025-47680 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
xili-tidy-tags <= 1.12.06 - Reflected Cross-Site Scripting
May 8, 2025 · Unpatched

CVE-2024-9357 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
xili-tidy-tags <= 1.12.04 - Reflected Cross-Site Scripting
Nov 11, 2024 · Patched in 1.12.05 (1d)

CVE-2022-47448 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
xili-tidy-tags <= 1.12.03 - Cross-Site Request Forgery
Mar 14, 2023 · Patched in 1.12.04 (315d)

Code Analysis
Analyzed Mar 16, 2026

xili-tidy-tags Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (14 prepared)
Unescaped Output: 119 (105 escaped)
Nonce Checks: 13
Capability Checks: 8
File Operations: 0
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

DataTables

SQL Query Safety

93% prepared (15 total queries)

Output Escaping

47% escaped (224 total outputs)

Data Flows · Security
All sanitized

Data Flow Analysis

1 flow
<class-xili-tidy-tags-admin> (xili-includes\class-xili-tidy-tags-admin.php:0)
Attack Surface

xili-tidy-tags Attack Surface

Entry Points: 1
Unprotected: 0

Shortcodes 1

[xili-tidy-tags] xili-tidy-tags.php:756
WordPress Hooks 13
action wp_head (class-xili-tidy-tags.php:81)
action init (class-xili-tidy-tags.php:84)
action admin_init (xili-includes\class-xili-tidy-tags-admin.php:49)
action admin_menu (xili-includes\class-xili-tidy-tags-admin.php:50)
action save_post (xili-includes\class-xili-tidy-tags-admin.php:62)
action created_term (xili-includes\class-xili-tidy-tags-admin.php:64)
action edited_term (xili-includes\class-xili-tidy-tags-admin.php:65)
filter plugin_action_links (xili-includes\class-xili-tidy-tags-admin.php:68)
action contextual_help (xili-includes\class-xili-tidy-tags-admin.php:70)
action admin_print_footer_scripts (xili-includes\class-xili-tidy-tags-admin.php:113)
filter xtt_return_lang_of_tag_post_tag (xili-tidy-tags.php:113)
action plugins_loaded (xili-tidy-tags.php:126)
action widgets_init (xili-tidy-tags.php:1058)

Maintenance & Trust

xili-tidy-tags Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.2.9
Last updated: Mar 24, 2025
PHP min version:
Downloads: 50K

Community Trust

Rating: 90/100
Number of ratings: 8
Active installs: 1K

Developer Profile

xili-tidy-tags Developer Profile

Michel - xiligroup dev

4 plugins · 2K total installs

Trust score: 66
Avg Security Score: 69/100
Avg Patch Time: 83 days
Detection Fingerprints

How We Detect xili-tidy-tags

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/xili-tidy-tags/xili-tidy-tags.css
/wp-content/plugins/xili-tidy-tags/xili-tidy-tags.js
Version Parameters
xili-tidy-tags/xili-tidy-tags.css?ver=
xili-tidy-tags/xili-tidy-tags.js?ver=

HTML / DOM Fingerprints

CSS Classes
xili-tidy-tags-cloud-widget
Data Attributes
data-tt-widget-id, data-tt-post-id, data-tt-tag-id, data-tt-term-taxonomy, data-tt-term-id, data-tt-tag-link, +2 more
JS Globals
xili_tidy_tags_options
Shortcode Output
[xili_tidy_tags_cloud]

FAQ

Frequently Asked Questions about xili-tidy-tags