4bzCore Security & Risk Analysis

wordpress.org/plugins/4bzcore

A collection of shortcodes, widgets, a shortcode builder, multiple featured images, a related posts module, and much more.

10 active installs · v1.0.5 · PHP + WP 3.8+ · Updated Sep 14, 2015
Tags: contact-form, featured-posts, popular-posts, recent-posts, related-posts
Score 85 · A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is 4bzCore Safe to Use in 2026?

Generally Safe

Score 85/100

4bzCore has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 10yr ago
Risk Assessment

The 4bzcore plugin v1.0.5 exhibits a mixed security posture. On the positive side, it demonstrates good practices by using prepared statements for all SQL queries and has no recorded vulnerability history (CVEs). The taint analysis also shows no critical or high-severity unsanitized flows, indicating a lack of exploitable injection vulnerabilities through the analyzed paths.

However, concerns arise from the static analysis. The plugin has an unprotected AJAX handler, presenting a direct entry point that could be exploited without proper authentication. Furthermore, the `unserialize` function, a known risky function, is a potential area of concern if not handled with extreme caution, especially when dealing with user-supplied input. Only 45% of outputs are properly escaped; the taint analysis suggests this may not be leading to exploitable vulnerabilities in the analyzed flows, but it still represents a weakness.

In conclusion, while the plugin benefits from a clean vulnerability history and secure SQL handling, the unprotected AJAX endpoint and the use of `unserialize` necessitate attention. The moderate output escaping rate also suggests potential for vulnerabilities if user input is not handled carefully across all contexts. The plugin's security is decent but has specific, exploitable weaknesses that need addressing.

Key Concerns

  • Unprotected AJAX handler
  • Use of dangerous function (unserialize)
  • Low output escaping rate (45%)
Vulnerabilities
None known

4bzCore Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

4bzCore Code Analysis

Dangerous Functions: 2
Raw SQL Queries: 0 (2 prepared)
Unescaped Output: 145 (119 escaped)
Nonce Checks: 4
Capability Checks: 3
File Operations: 0
External Requests: 0
Bundled Libraries: 1

Dangerous Functions Found

unserialize: `$results = $this->db->get_posts( unserialize( $atts['query'] ) );` (includes\class-4bzcore-shortcodes.php:98)
unserialize: `unserialize( $results['fourbzcore_options'] ) :` (includes\class-4bzcore-shortcodes.php:409)

Bundled Libraries

TinyMCE

SQL Query Safety

100% prepared · 2 total queries

Output Escaping

45% escaped · 264 total outputs
Data Flows
All sanitized

Data Flow Analysis

2 flows
plugin_options (4bzcore.php:770)
Legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized
Attack Surface
1 unprotected

4bzCore Attack Surface

Entry Points: 15
Unprotected: 1

AJAX Handlers 2

auth: wp_ajax_display_shortcode_builder (4bzcore.php:322)
nopriv: wp_ajax_display_shortcode_builder (4bzcore.php:323)

Shortcodes 13

[4bzcore_recent_posts] includes\class-4bzcore-shortcodes.php:66
[4bzcore_related_posts] includes\class-4bzcore-shortcodes.php:67
[4bzcore_featured_posts] includes\class-4bzcore-shortcodes.php:68
[4bzcore_popular_posts] includes\class-4bzcore-shortcodes.php:69
[4bzcore_contact_form] includes\class-4bzcore-shortcodes.php:70
[4bzcore_contact_info] includes\class-4bzcore-shortcodes.php:71
[4bzcore_slideshow] includes\class-4bzcore-shortcodes.php:72
[4bzcore_progressbars] includes\class-4bzcore-shortcodes.php:73
[4bzcore_facebook_comments] includes\class-4bzcore-shortcodes.php:74
[4bzcore_flickr_photos] includes\class-4bzcore-shortcodes.php:75
[4bzcore_image_text] includes\class-4bzcore-shortcodes.php:76
[4bzcore_author_bio] includes\class-4bzcore-shortcodes.php:77
[4bzcore_column] includes\class-4bzcore-shortcodes.php:78
WordPress Hooks 17

action: init (4bzcore.php:292)
action: plugins_loaded (4bzcore.php:295)
action: admin_menu (4bzcore.php:298)
action: admin_enqueue_scripts (4bzcore.php:301)
filter: tiny_mce_before_init (4bzcore.php:304)
action: init (4bzcore.php:307)
action: widgets_init (4bzcore.php:310)
action: add_meta_boxes (4bzcore.php:313)
action: save_post (4bzcore.php:314)
action: show_user_profile (4bzcore.php:317)
action: edit_user_profile (4bzcore.php:318)
action: profile_update (4bzcore.php:319)
action: wp_enqueue_scripts (4bzcore.php:328)
action: wp_footer (4bzcore.php:329)
filter: mce_external_plugins (4bzcore.php:1729)
filter: mce_buttons (4bzcore.php:1732)
filter: posts_where (includes\class-4bzcore-database.php:27)

Maintenance & Trust

4bzCore Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.3.34
Last updated: Sep 14, 2015
PHP min version
Downloads: 4K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 10
Developer Profile

4bzCore Developer Profile

4bzthemes

1 plugin · 10 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect 4bzCore

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/4bzcore/css/bootstrap.css
/wp-content/plugins/4bzcore/css/editor.css
/wp-content/plugins/4bzcore/css/flexslider.css
/wp-content/plugins/4bzcore/css/style.css
/wp-content/plugins/4bzcore/js/admin-script.js
/wp-content/plugins/4bzcore/js/bootstrap.min.js
/wp-content/plugins/4bzcore/js/editor-plugin.js
/wp-content/plugins/4bzcore/js/flexslider.js
+2 more

Script Paths

/wp-content/plugins/4bzcore/js/admin-script.js
/wp-content/plugins/4bzcore/js/bootstrap.min.js
/wp-content/plugins/4bzcore/js/editor-plugin.js
/wp-content/plugins/4bzcore/js/flexslider.js
/wp-content/plugins/4bzcore/js/tinymce-button.js
/wp-content/plugins/4bzcore/js/tinymce-popup.js

Version Parameters

4bzcore/css/bootstrap.css?ver=
4bzcore/css/editor.css?ver=
4bzcore/css/flexslider.css?ver=
4bzcore/css/style.css?ver=
4bzcore/js/admin-script.js?ver=
4bzcore/js/bootstrap.min.js?ver=
4bzcore/js/editor-plugin.js?ver=
4bzcore/js/flexslider.js?ver=
4bzcore/js/tinymce-button.js?ver=
4bzcore/js/tinymce-popup.js?ver=

HTML / DOM Fingerprints

CSS Classes
fourbzcore_container
HTML Comments
Copyright 2015 4bzthemes (email : 4bzthemes@gmail.com)
JS Globals
fourbzcore_tiny_mce_popup