YouTube Comments Security & Risk Analysis

wordpress.org/plugins/youtube-comments

This plugin finds YouTube links in post content and imports the video comments.

10 active installs · v1.2.1 · PHP + WP 3.3+ · Updated Nov 14, 2013
Tags: comments, google, video, video-comments, youtube
Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is YouTube Comments Safe to Use in 2026?

Generally Safe

Score 85/100

YouTube Comments has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 12yr ago
Risk Assessment

The "youtube-comments" v1.2.1 plugin presents a mixed security posture. On the positive side, it demonstrates good practices by exclusively using prepared statements for SQL queries and has no recorded vulnerability history, suggesting a potentially well-maintained codebase. The absence of taint flows with unsanitized paths and of critical or high-severity vulnerabilities in its history are also strong indicators of a generally secure foundation.

However, significant concerns arise from the static analysis. The plugin exposes 7 entry points, and 2 AJAX handlers lack authentication checks, creating a direct avenue for unauthorized actions. Furthermore, none of its 19 outputs is escaped (0% properly escaped), posing a high risk of Cross-Site Scripting (XSS) vulnerabilities. The presence of the `unserialize` function also warrants caution, as it can be a vector for code injection if used with untrusted input.

Key Concerns

  • AJAX handlers without auth checks
  • Unescaped output
  • Dangerous function: unserialize
Vulnerabilities
None known

YouTube Comments Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

YouTube Comments Code Analysis

  • Dangerous Functions: 2
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 19 (0 escaped)
  • Nonce Checks: 2
  • Capability Checks: 1
  • File Operations: 7
  • External Requests: 3
  • Bundled Libraries: 0

Dangerous Functions Found

  • unserialize: `return unserialize($ret['data']);` (google-api-php-client\src\cache\Google_ApcCache.php:79)
  • unserialize: `$data = unserialize($data);` (google-api-php-client\src\cache\Google_FileCache.php:100)

Output Escaping

0% escaped · 19 total outputs
Data Flows
All sanitized

Data Flow Analysis

1 flow
<class-comments> (class-comments.php:0)
Attack Surface
2 unprotected

YouTube Comments Attack Surface

Entry Points: 7
Unprotected: 2

AJAX Handlers 6

  • auth: wp_ajax_get_comments (class-comments.php:32)
  • nopriv: wp_ajax_get_comments (class-comments.php:33)
  • auth: wp_ajax_post_comment (class-comments.php:34)
  • nopriv: wp_ajax_post_comment (class-comments.php:35)
  • auth: wp_ajax_post_logoff (class-comments.php:36)
  • nopriv: wp_ajax_post_logoff (class-comments.php:37)

Shortcodes 1

  • [youtube-comments] (class-comments.php:38)

WordPress Hooks 7

  • action: admin_init (class-admin.php:27)
  • action: admin_menu (class-admin.php:28)
  • action: wp_enqueue_scripts (class-comments.php:31)
  • filter: the_content (class-comments.php:41)
  • action: template_redirect (class-comments.php:52)
  • action: plugins_loaded (youtube-comments.php:35)
  • action: plugins_loaded (youtube-comments.php:41)

Maintenance & Trust

YouTube Comments Maintenance & Trust

Maintenance Signals

WordPress version tested: 3.7.41
Last updated: Nov 14, 2013
PHP min version
Downloads: 5K

Community Trust

Rating: 88/100
Number of ratings: 5
Active installs: 10

Developer Profile

YouTube Comments Developer Profile

sydcode

3 plugins · 360 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect YouTube Comments

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/youtube-comments/style.css
  • /wp-content/plugins/youtube-comments/script.js
Script Paths
  • /wp-content/plugins/youtube-comments/script.js
Version Parameters
  • youtube-comments/style.css?ver=
  • youtube-comments/script.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • youtube-comments-container
  • youtube-comments-post-comment
Data Attributes
  • data-video-id
  • data-ajax-url
  • data-results
JS Globals
  • youtubeComments
Shortcode Output
  • [youtube-comments]

FAQ

Frequently Asked Questions about YouTube Comments