PLUGIN SECURITY
Is Anycomment safe?
Known vulnerabilities, PHP compatibility and safer alternatives for the Anycomment WordPress plugin — checked against WP Clinic's local security database.
Plugin details
- Slug:
anycomment - Requires PHP: 5.4+
- Max supported PHP (analyzed): <8.0
Known vulnerabilities
- AnyComment [anycomment] < 0.2.18 [CVE-2022-0134, WordPress AnyComment plugin <= 0.2.17 - Arbitrary HyperComments Import/Revert via CSRF vulnerability, AnyComment < 0.2.18 - Arbitrary HyperComments Import/Revert via CSRF, AnyComment <= 0.2.17 - Cross-Site Request Forgery]
- AnyComment [anycomment] < 0.2.18 [CVE-2022-0279, WordPress AnyComment plugin <= 0.2.17 - Comment Rating Increase/Decrease via Race Condition vulnerability, AnyComment < 0.2.18 - Comment Rating Increase/Decrease via Race Condition, AnyComment <= 0.2.17 - Race Condition]
- AnyComment [anycomment] < 0.3.5 [CVE-2021-24838, WordPress AnyComment plugin <= 0.3.4 - Open Redirect vulnerability, AnyComment <= 0.3.1 - Open Redirect, AnyComment <= 0.3.4 - Open Redirect via redirect parameter]
- AnyComment [anycomment] < 0.0.33 [CVE-2018-21001, Anycomment < 0.0.33 - XSS, AnyComment <= 0.0.32 - Cross-Site Scripting]
- AnyComment [anycomment] < 0.0.99 [CVE-2023-33999, WordPress AnyComment Plugin <= 0.0.98 is vulnerable to Cross Site Scripting (XSS), Freemius SDK < 2.5.10 - Reflected Cross-Site Scripting]
+ 3 more known vulnerabilities
- AnyComment [anycomment] <= 0.3.6 (unfixed) [CVE-2025-48091, WordPress AnyComment Plugin <= 0.3.6 is vulnerable to SQL Injection, AnyComment <= 0.3.6 - Authenticated (Subscriber+) SQL Injection, EUVD-2025-35568]
- AnyComment [anycomment] <= 0.3.6 (unfixed) [CVE-2025-60240, AnyComment <= 0.3.6 - Unauthenticated Local File Inclusion]
- AnyComment [anycomment] <= 0.3.6 (unfixed) [WordPress AnyComment plugin <= 0.3.6 - Broken Access Control vulnerability, AnyComment <= 0.3.6 - Missing Authorization]
Vulnerabilities are matched against the exact installed version when it's known. Always keep the plugin updated to the latest release.
Safer / more established alternatives
- Comments – wpDiscuz — 70000+ active installs — max PHP 8.4
- DCO Comment Attachment — 5000+ active installs — max PHP 8.4
- Bulk Delete Comments — 5000+ active installs — max PHP 8.4
- Comments Like Dislike — 5000+ active installs
- One Click Close Comments — 4000+ active installs
Check your own WordPress site
Run a free passive scan now, or create a free account and install the WP Clinic plugin for a deep scan of your whole hosting account and AI-assisted repair.