Does Yappa Widget have any unpatched vulnerabilities?

No. All known vulnerabilities in Yappa Widget have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Yappa Widget compatible with WordPress 5.2.24?

According to WordPress.org data, Yappa Widget 1.4.0 has been tested up to WordPress 5.2.24. Check the plugin's changelog for the latest compatibility information.

Is Yappa Widget compatible with PHP 5.6+?

Yappa Widget requires PHP 5.6 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Yappa Widget updated?

Yappa Widget was last updated on Jul 22, 2019. Frequent updates are generally a positive security signal.

What is Yappa Widget's security score?

Yappa Widget has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Yappa Widget Security & Risk Analysis

wordpress.org/plugins/yappa-widget

Yappa is the web's most popular comment system. Use Yappa to increase engagement, retain readers, and grow your audience.

10 active installs v1.4.0 PHP 5.6+ WP 4.4+ Updated Jul 22, 2019

commentsemailnotificationspamthreaded

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is Yappa Widget Safe to Use in 2026?

Generally Safe

Score 85/100

Yappa Widget has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 6yr ago

Risk Assessment

The "yappa-widget" plugin version 1.4.0 exhibits a generally good security posture, with no recorded vulnerabilities or critical findings in taint analysis. The static analysis indicates a small attack surface consisting of a single shortcode, and importantly, no unprotected entry points were identified. Furthermore, all detected SQL queries utilize prepared statements, which is a strong security practice. The absence of dangerous functions, file operations, external HTTP requests, and the lack of known CVEs are all positive indicators.

However, there are some areas for concern. A significant weakness is the complete lack of output escaping on all identified output points. This means that any data displayed by the plugin could potentially be vulnerable to Cross-Site Scripting (XSS) attacks if that data originates from an untrusted source or user input. Additionally, the absence of nonce checks and capability checks, even with no unprotected entry points currently identified, represents a potential future risk. If any new entry points are introduced or if the existing shortcode's functionality evolves to handle user-provided data, these missing checks could be exploited.

In conclusion, while the plugin benefits from a clean vulnerability history and secure SQL practices, the critical flaw of unescaped output introduces a significant risk. The lack of robust input validation and authorization checks (nonces and capabilities) also leaves room for improvement and potential future vulnerabilities. Addressing the unescaped output is paramount.

Key Concerns

Output not properly escaped
Missing nonce checks
Missing capability checks

Vulnerabilities

None known

Yappa Widget Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 17, 2026

Yappa Widget Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

0 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

0% escaped2 total outputs

Attack Surface

Yappa Widget Attack Surface

Entry Points1

Unprotected0

Shortcodes 1

[yappa-widget] yappa-widget.php:30

WordPress Hooks 5

actionadmin_menuyappa-settings-page.php:12

actionadmin_print_stylesyappa-settings-page.php:14

actionadmin_print_scriptsyappa-settings-page.php:16

actionadmin_inityappa-settings-page.php:18

filterthe_contentyappa-widget.php:28

Maintenance & Trust

Yappa Widget Maintenance & Trust

Maintenance Signals

WordPress version tested5.2.24

Last updatedJul 22, 2019

PHP min version5.6

Downloads2K

Community Trust

Rating100/100

Number of ratings4

Active installs10

Alternatives

Yappa Widget Alternatives

Disqus Comment System

disqus-comment-system

Disqus is the web's most popular comment system. Use Disqus to increase engagement, retain readers, and grow your audience.

40K 5 CVEs

bbPress Notify (No-Spam)

bbpress-notify-nospam

Powerful, customizable email notifications for bbPress and BuddyBoss forums — without the spam.

3K 2 CVEs

Comment Email Reply

comment-email-reply

Simply notifies comment-author via email if someone replies to his comment. Zero Configuration.

600 No CVEs

WP Comment Notification

wp-comment-notification

Send email notification to predefined email ids when someone comments on your blog.

500 No CVEs

Comment Experience by Progress Planner

yoast-comment-hacks

100

Make comments management easier by applying the simple hacks Joost has gathered over the years.

500 No CVEs

Developer Profile

Yappa Widget Developer Profile

yappaworld

1 plugin · 10 total installs

trust score

Avg Security Score

85/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect Yappa Widget

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/yappa-widget/js/yappaScript.js

Script Paths

https://use.fontawesome.com/releases/v5.6.3/css/all.css

HTML / DOM Fingerprints

CSS Classes

yappa-settings-wrappertitle-registerspinner-containersetting-checkboxsetting-labelyappa-comments-frame

Data Attributes

data-titledata-urldata-id

JS Globals

yappaScript

Shortcode Output

<div id='yappa-comments-frame'<script type='text/javascript' src='https://comments.yappaapp.com/embed/yappa-comments.js'

FAQ