Does Zotpress have any unpatched vulnerabilities?

No. All known vulnerabilities in Zotpress have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Zotpress compatible with WordPress 6.8.5?

According to WordPress.org data, Zotpress 7.4.2 has been tested up to WordPress 6.8.5. Check the plugin's changelog for the latest compatibility information.

How often is Zotpress updated?

Zotpress was last updated on Oct 19, 2025. Frequent updates are generally a positive security signal.

What is Zotpress's security score?

Zotpress has a WP-Safety security score of 87/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Zotpress Security & Risk Analysis

wordpress.org/plugins/zotpress

Zotpress displays your Zotero citations on WordPress.

2K active installs v7.4.2 PHP + WP 3.5+ Updated Oct 19, 2025

academic-bloggingbibliographycitation-managerpublicationszotero

A · Safe

CVEs total8

Unpatched0

Last CVEJun 10, 2025

Plugin page Download

Safety Verdict

Is Zotpress Safe to Use in 2026?

Generally Safe

Score 87/100

Zotpress has a strong security track record. Known vulnerabilities have been patched promptly.

8 known CVEsLast CVE: Jun 10, 2025Updated 5mo ago

Risk Assessment

The zotpress plugin v7.4.2 exhibits a concerning security posture, despite some positive code signals. While the static analysis reports no dangerous functions, 100% prepared SQL statements, and 100% properly escaped output, these are overshadowed by significant concerns regarding its attack surface and vulnerability history. The presence of one unprotected AJAX handler represents a direct entry point that could be exploited without proper authentication, posing a risk of unauthorized actions. Furthermore, the plugin has a substantial history of known vulnerabilities, including 8 CVEs, with 2 classified as critical. The common types of past vulnerabilities like Cross-site Scripting, Improper Access Control, and SQL Injection suggest recurring weaknesses in input sanitization and access control mechanisms. The fact that the last vulnerability was dated 2025-06-10, only a day prior to this analysis, is particularly alarming and indicates a pattern of ongoing security issues. While the current version may not have unpatched critical vulnerabilities, the historical data strongly suggests a need for extreme caution and thorough security reviews.

Key Concerns

Unprotected AJAX handler detected
History of 2 critical CVEs
History of 6 medium CVEs
Vulnerability pattern: XSS, Improper Access Control, SQLi
Recent vulnerability discovered

Vulnerabilities

Zotpress Security Vulnerabilities

CVEs by Year

1 CVE in 2016

2016

2 CVEs in 2023

2023

4 CVEs in 2024

2024

1 CVE in 2025

2025

Patched Has unpatched

Severity Breakdown

Critical

Medium

8 total CVEs

CVE-2025-4666medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ZotPress <= 7.3.15 - Authenticated (Author+) Stored Cross-Site Scripting via 'nickname'

Jun 10, 2025 Patched in 7.4 (148d)

CVE-2024-7429medium · 4.3Improper Access Control

Zotpress <= 7.3.12 - Missing Authorization

Nov 4, 2024 Patched in 7.3.13 (1d)

CVE-2024-47621medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Zotpress <= 7.3.10 - Authenticated (Contributor+) Stored Cross-Site Scripting

Sep 30, 2024 Patched in 7.3.11 (11d)

CVE-2024-34569medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Zotpress <= 7.3.9 - Authenticated (Contributor+) Cross-Site Scripting

May 7, 2024 Patched in 7.3.10 (9d)

CVE-2024-30488critical · 9.9Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Zotpress <= 7.3.7 - Authenticated (Contributor+) SQL Injection

Mar 28, 2024 Patched in 7.3.8 (7d)

CVE-2023-46313medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Zotpress <= 7.3.4 - Reflected Cross-Site Scripting via 'PHP_SELF'

Sep 10, 2023 Patched in 7.3.5 (135d)

CVE-2023-32961medium · 5.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Zotpress <= 7.3.3 - Reflected Cross-Site Scripting

May 16, 2023 Patched in 7.3.4 (252d)

CVE-2016-1000217critical · 9.8Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Zotpress < 6.1.3 - SQL Injection

Oct 6, 2016 Patched in 6.1.3 (2665d)

Code Analysis

Analyzed Mar 16, 2026

Zotpress Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

0 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Attack Surface

1 unprotected

Zotpress Attack Surface

Entry Points5

Unprotected1

AJAX Handlers 1

authwp_ajax_zpNoticesViaAJAXzotpress.php:545

Shortcodes 4

[zotpress] zotpress.php:324

[zotpressInText] zotpress.php:325

[zotpressInTextBib] zotpress.php:326

[zotpressLib] zotpress.php:327

WordPress Hooks 23

actionplugins_loadedzotpress.php:100

actioninitzotpress.php:158

actionenqueue_block_editor_assetszotpress.php:175

actionadmin_enqueue_scriptszotpress.php:214

actionadmin_enqueue_scriptszotpress.php:259

actionadmin_menuzotpress.php:273

filterparent_filezotpress.php:285

actionwp_print_styleszotpress.php:301

filterhttp_request_timeoutzotpress.php:310

actionwp_enqueue_scriptszotpress.php:321

actionwidgets_initzotpress.php:328

actionwp_footerzotpress.php:348

actionwp_enqueue_scriptszotpress.php:370

actionwp_enqueue_scriptszotpress.php:390

actionwp_enqueue_scriptszotpress.php:410

actionwp_enqueue_scriptszotpress.php:431

actionwp_enqueue_scriptszotpress.php:464

actionadmin_enqueue_scriptszotpress.php:465

actionwp_enqueue_scriptszotpress.php:486

actionadmin_enqueue_scriptszotpress.php:487

filternonce_lifezotpress.php:497

actionin_plugin_update_message-zotpress/zotpress.phpzotpress.php:520

actionadmin_noticeszotpress.php:527

Maintenance & Trust

Zotpress Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5

Last updatedOct 19, 2025

PHP min version

Downloads132K

Community Trust

Rating98/100

Number of ratings66

Active installs2K

Alternatives

Zotpress Alternatives

teachPress

teachpress

Manage your publications with teachPress

2K 2 unpatched

Pure Feed Widget

pure-feed-widget

A widget for listing academic publications from Elsevier Pure in WordPress.

10 No CVEs

Footnotes Made Easy

footnotes-made-easy

Allows post authors to easily add and manage footnotes in posts.

2K 1 CVE

Academic Blogger's Toolkit

academic-bloggers-toolkit

A plugin extending the functionality of Wordpress for academic blogging.

300 No CVEs

Citations

citations

This Plugin introduces practical citation functionality to the WordPress Block Editor, aiming to streamline the process of adding references to your c …

200 No CVEs

Developer Profile

Zotpress Developer Profile

Katie

1 plugin · 2K total installs

trust score

Avg Security Score

87/100

Avg Patch Time

404 days

View full developer profile

Detection Fingerprints

How We Detect Zotpress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/zotpress/css/zotpress.help.min.css/wp-content/plugins/zotpress/css/zotpress.shortcode.min.css/wp-content/plugins/zotpress/css/zotpress.admin.min.css/wp-content/plugins/zotpress/js/zotpress.gutenberg.min.js/wp-content/plugins/zotpress/js/jquery.dotimeout.min.js/wp-content/plugins/zotpress/js/jquery.livequery.min.js/wp-content/plugins/zotpress/js/zotpress.help.min.js/wp-content/plugins/zotpress/js/zotpress.admin.min.js

Script Paths

/wp-content/plugins/zotpress/js/zotpress.gutenberg.min.js/wp-content/plugins/zotpress/js/jquery.dotimeout.min.js/wp-content/plugins/zotpress/js/jquery.livequery.min.js/wp-content/plugins/zotpress/js/zotpress.help.min.js/wp-content/plugins/zotpress/js/zotpress.admin.min.js

Version Parameters

zotpress/css/zotpress.help.min.css?ver=zotpress/css/zotpress.shortcode.min.css?ver=zotpress/css/zotpress.admin.min.css?ver=zotpress/js/zotpress.gutenberg.min.js?ver=zotpress/js/jquery.dotimeout.min.js?ver=zotpress/js/jquery.livequery.min.js?ver=zotpress/js/zotpress.help.min.js?ver=zotpress/js/zotpress.admin.min.js?ver=

HTML / DOM Fingerprints

CSS Classes

zp_used_cachezotpress-citationzotpress-bibliographyzotpress-citation-blockzotpress-bib-itemzotpress-entry-containerzotpress-tag-filterzotpress-tag-item

HTML Comments

+19 more

Data Attributes

data-zotpressdata-zotpress-citationdata-zotpress-bibliographydata-zotpress-citedata-zotpress-intextdata-zotpress-intextbib+2 more

JS Globals

zpTranslatezpAccountsAJAX

Shortcode Output

[zotpress][zotpress_citation][zotpress_bibliography][zotpress_cite]

FAQ