All In One Favicon Security & Risk Analysis

wordpress.org/plugins/all-in-one-favicon

Easily add a Favicon to your site and the WordPress admin pages. Complete with upload functionality. Supports all three Favicon types (ico,png,gif).

Active installs: 70K · Version: 4.8 · Requires WP 2.8+ · PHP minimum: not listed · Updated: Aug 8, 2023
Tags: admin, blog, favicon, image, theme
Score: 84 (B · Generally Safe)
CVEs total: 2 · Unpatched: 0 · Last CVE: Feb 23, 2023
Safety Verdict

Is All In One Favicon Safe to Use in 2026?

Mostly Safe

Score 84/100

All In One Favicon is generally safe to use, though it has not been updated since Aug 8, 2023 (more than two years before this analysis). Both of its known CVEs were patched, the latest in version 4.8.

Known CVEs: 2 · Last CVE: Feb 23, 2023 · Last updated: Aug 8, 2023
Risk Assessment

The 'all-in-one-favicon' plugin, version 4.8, presents a mixed security posture. On the positive side, its single SQL query uses a prepared statement, and the scan found four capability checks and two nonce checks. Several concerns remain. Two AJAX handlers (wp_ajax_load-AIOFaviconTopDonations and wp_ajax_load-AIOFaviconLatestDonations in includes\donationloader.php) are flagged as unprotected: they are registered on wp_ajax_ hooks, so they require a logged-in user, but if no nonce or capability check guards them, as the flag indicates, any logged-in role can call them and a cross-site request can do so on that user's behalf. Two dangerous functions are used. The create_function() call in includes\aio-favicon-backend.php:346 interpolates $message into the generated function body, so a single quote in that value ends the string literal and the rest is compiled as PHP; create_function() was also removed in PHP 8.0, so that line is a fatal error on current PHP. The unserialize() call in includes\donationloader.php:150 deserializes a $response value; if that data can be influenced from outside the site, it is a PHP object injection primitive. Taint analysis reports six data flows, three with unsanitized paths and two of those rated high severity, including getReturnLocation() in includes\aio-favicon-backend.php:487; unsanitized path flows are the same bug class as the plugin's previous directory traversal, CVE-2023-24416. Only 2 of 40 output sites are escaped. The vulnerability history shows two medium-severity issues, a stored cross-site scripting flaw (CVE-2018-13832, fixed in 4.7) and a directory traversal (CVE-2023-24416, fixed in 4.8), both requiring Administrator privileges and neither currently unpatched. The code signals are warning signs rather than confirmed vulnerabilities, but together with the lack of updates since Aug 8, 2023 they argue for caution and for checking that the plugin actually loads on the PHP version you run.

Key Concerns

  • Two AJAX handlers flagged as unprotected (wp_ajax_load-AIOFaviconTopDonations, wp_ajax_load-AIOFaviconLatestDonations)
  • Use of create_function() with interpolated data (removed in PHP 8.0)
  • Use of unserialize() on a $response value
  • Unsanitized path flows rated high severity (2)
  • Low share of escaped output (2 of 40)
  • History of medium-severity vulnerabilities (2, both patched)
Vulnerabilities
2 published

All In One Favicon Security Vulnerabilities

CVEs by Year

  • 2018: 1 CVE (patched)
  • 2023: 1 CVE (patched)

Severity Breakdown

  • Medium: 2 (2 total CVEs)

CVE-2023-24416 · medium · 6.5 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
All In One Favicon <= 4.7 - Authenticated (Admin+) Directory Traversal
Feb 23, 2023 · Patched in 4.8 (334d)

CVE-2018-13832 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
All In One Favicon <= 4.6 - Authenticated (Admin+) Stored Cross-Site Scripting
Jul 10, 2018 · Patched in 4.7 (2023d)
Code Analysis
Analyzed Mar 16, 2026

All In One Favicon Code Analysis

  • Dangerous Functions: 2
  • Raw SQL Queries: 0 (1 prepared)
  • Unescaped Output: 38 (2 escaped)
  • Nonce Checks: 2
  • Capability Checks: 4
  • File Operations: 1
  • External Requests: 1
  • Bundled Libraries: 0

Dangerous Functions Found

  • create_function · includes\aio-favicon-backend.php:346
    add_action('admin_notices', create_function('', "echo '$message';"));
  • unserialize · includes\donationloader.php:150
    $response = unserialize($response);
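The two flagged calls, as an added example that is not the plugin's code: the first part reproduces the shape of the create_function() line and shows why interpolating $message into it is code injection, the second shows the object-injection risk of unserialize() on data from outside the trust boundary and the two standard mitigations. Everything other than create_function() and unserialize() themselves (the aio_example_* function names, the gadget class, the payload) is an assumption for illustration, and the esc_html() stand-in exists only so the file runs outside WordPress.

```php
<?php
// Added example, not code from the plugin. It reproduces the shape of the two
// calls flagged above and shows a safe replacement for each. Everything except
// create_function() and unserialize() themselves (function names, the gadget
// class, the payload) is an assumption for illustration; the esc_html() stand-in
// exists only so the file runs outside WordPress (php this-file.php).

if (!function_exists('esc_html')) {
    function esc_html(string $s): string { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }
}

// 1. create_function('', "echo '$message';")
// The second argument is compiled as PHP source, so $message is code, not data.
// This helper returns the exact text that would be compiled, without running it:
function aio_example_generated_source(string $message): string {
    return "echo '$message';";
}
// A $message of  x'; system('id'); //  ends the string literal after x and the
// rest is compiled as a statement that runs when the admin notice fires. On
// PHP 8.0+ create_function() no longer exists, so the original line is a fatal error.

// Replacement: a closure captures $message as a value and escapes it for HTML.
function aio_example_notice(string $message): Closure {
    return static function () use ($message): void {
        echo '<div class="notice"><p>' . esc_html($message) . '</p></div>';
    };
}
// In WordPress: add_action('admin_notices', aio_example_notice($message));

// 2. $response = unserialize($response);
// Serialized text from outside the trust boundary can name any loaded class
// and trigger its __wakeup()/__destruct(): PHP object injection. A class with a
// side-effecting destructor is the classic gadget.
class AioExampleGadget {
    public $cmd = '';
    public function __destruct() { /* a real gadget would act on $this->cmd here */ }
}

// Constructed hostile payload naming the class above (16 = strlen('AioExampleGadget')).
const AIO_EXAMPLE_HOSTILE = 'O:16:"AioExampleGadget":1:{s:3:"cmd";s:2:"id";}';

function aio_example_unsafe_decode(string $raw) {
    return unserialize($raw);   // instantiates AioExampleGadget; its __destruct() will run
}

function aio_example_safe_decode(string $raw) {
    // allowed_classes => false (PHP 7.0+): any object becomes __PHP_Incomplete_Class,
    // so no method of the named class ever runs.
    return unserialize($raw, ['allowed_classes' => false]);
}

// Better when you control the producer: JSON has no object-instantiation semantics.
function aio_example_json_decode(string $raw): ?array {
    $data = json_decode($raw, true);
    return is_array($data) ? $data : null;
}

if (PHP_SAPI === 'cli') {
    echo aio_example_generated_source("x'; system('id'); //"), "\n";
    echo get_class(aio_example_unsafe_decode(AIO_EXAMPLE_HOSTILE)), "\n";
    echo get_class(aio_example_safe_decode(AIO_EXAMPLE_HOSTILE)), "\n";
}
```

Run with `php this-file.php`: the first line printed is the PHP source create_function() would have compiled, the second is the gadget class name (the object was instantiated), the third is __PHP_Incomplete_Class (the object was refused). If the response format is under the plugin author's control, switching the producer to JSON removes the whole problem rather than fencing it.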

SQL Query Safety

100% prepared (1 total query)

Output Escaping

5% escaped (2 of 40 total outputs)
Data Flows · Security
3 unsanitized

Data Flow Analysis

6 flows, 3 with unsanitized paths
  • getReturnLocation (includes\aio-favicon-backend.php:487)
Flow diagram legend: Source (user input) → Sink (dangerous op); Sanitizer / Transform; Unsanitized / Sanitized
Attack Surface
2 unprotected

All In One Favicon Attack Surface

Entry Points: 2 · Unprotected: 2

AJAX Handlers (2) — "auth" means the handler is registered on wp_ajax_ only, so it is reachable by logged-in users but not anonymously

  • auth · wp_ajax_load-AIOFaviconTopDonations · includes\donationloader.php:38
  • auth · wp_ajax_load-AIOFaviconLatestDonations · includes\donationloader.php:39

WordPress Hooks (12)

  • action · init · all-in-one-favicon.php:207
  • action · admin_head · includes\aio-favicon-backend.php:59
  • action · admin_menu · includes\aio-favicon-backend.php:62
  • action · admin_post_aioFaviconDeleteSettings · includes\aio-favicon-backend.php:64
  • action · admin_post_aioFaviconUpdateSettings · includes\aio-favicon-backend.php:65
  • action · admin_enqueue_scripts · includes\aio-favicon-backend.php:69
  • action · admin_enqueue_scripts · includes\aio-favicon-backend.php:70
  • action · admin_menu · includes\aio-favicon-backend.php:73
  • action · admin_init · includes\aio-favicon-backend.php:75
  • action · admin_notices · includes\aio-favicon-backend.php:346
  • action · wp_head · includes\aio-favicon-frontend.php:46
  • action · wp_meta · includes\aio-favicon-frontend.php:50
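What "unprotected" costs and how to close it, as an added example that is not the plugin's code. It covers two passages at once: the flagged wp_ajax_ handlers above (nonce, capability and bounded input) and the 5% output-escaping figure from the code analysis (context-correct escaping of the favicon <link> that the wp_head hook emits). The nonce action name, handler bodies, donation data, option values and the stand-in WordPress functions are assumptions so the file also runs outside WordPress.

```php
<?php
// Added example, not code from the All In One Favicon plugin. It hardens one of
// the two wp_ajax_ handlers listed above (nonce, capability, bounded input) and
// shows context-correct escaping for the favicon <link> tag emitted on wp_head.
// The nonce action, handler bodies, donation data and the stand-in WordPress
// functions are assumptions so the file also runs outside WordPress.

if (!function_exists('add_action')) {
    // Stand-ins for WordPress core functions; inside WordPress this block is skipped.
    function add_action(string $hook, callable $cb): void { $GLOBALS['aio_hooks'][$hook][] = $cb; }
    function check_ajax_referer(string $action, string $key): void {
        if (($_REQUEST[$key] ?? '') !== 'valid-nonce') { throw new RuntimeException('nonce check failed'); }
    }
    function current_user_can(string $cap): bool { return !empty($GLOBALS['aio_caps'][$cap]); }
    function absint($v): int { return abs((int) $v); }
    function wp_send_json_success($data): void { echo json_encode(['success' => true, 'data' => $data]), "\n"; }
    function wp_send_json_error($data, int $status = 200): void { echo json_encode(['success' => false, 'data' => $data, 'status' => $status]), "\n"; }
    function esc_attr(string $s): string { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }
    function esc_url(string $u): string {   // simplified: the real esc_url() accepts more schemes
        $scheme = filter_var($u, FILTER_VALIDATE_URL) ? parse_url($u, PHP_URL_SCHEME) : null;
        return in_array($scheme, ['http', 'https'], true) ? esc_attr($u) : '';
    }
}

// Unprotected shape, the pattern the attack-surface table flags: wp_ajax_ limits
// it to logged-in users, but any role can call it, a cross-site request can make
// the victim's browser call it (no nonce), and the parameter is used as-is.
function aio_example_unprotected_handler(): void {
    wp_send_json_success(aio_example_top_donations((int) $_GET['limit']));
}

// Hardened handler.
function aio_example_protected_handler(): void {
    check_ajax_referer('aio_favicon_donations', 'nonce');     // CSRF: in WordPress this dies on mismatch
    if (!current_user_can('manage_options')) {                // authorization: administrators only
        wp_send_json_error('forbidden', 403);
        return;
    }
    $limit = min(max(absint($_GET['limit'] ?? 10), 1), 50);  // validated, bounded integer
    wp_send_json_success(aio_example_top_donations($limit));
}
add_action('wp_ajax_load-AIOFaviconTopDonations', 'aio_example_protected_handler');

function aio_example_top_donations(int $limit): array {
    $all = [['name' => 'A', 'amount' => 50], ['name' => 'B', 'amount' => 20], ['name' => 'C', 'amount' => 5]];
    return array_slice($all, 0, $limit);   // constructed stand-in for the fetched list
}

// Output side. The favicon URL is stored data chosen in the admin screen, which
// is where an Admin+ stored XSS such as CVE-2018-13832 originates.
function aio_example_render_favicon_link(string $url, string $type): string {
    $mime = ['ico' => 'image/x-icon', 'png' => 'image/png', 'gif' => 'image/gif'][$type] ?? '';
    $href = esc_url($url);
    if ($mime === '' || $href === '') {
        return '';                          // unknown type or non-http(s) URL: emit nothing
    }
    return '<link rel="icon" type="' . esc_attr($mime) . '" href="' . $href . '">' . "\n";
}

// Unescaped version for comparison only: a stored value such as
// "><script>alert(1)</script> closes the attribute and injects markup.
function aio_example_render_unescaped(string $url): string {
    return '<link rel="icon" href="' . $url . '">' . "\n";
}

if (PHP_SAPI === 'cli') {
    foreach (['"><script>alert(1)</script>', 'https://example.com/favicon.png'] as $stored) {
        echo aio_example_render_unescaped($stored);
        echo aio_example_render_favicon_link($stored, 'png') ?: "(rejected)\n";
    }
    $_REQUEST['nonce'] = 'valid-nonce';      // simulate a request carrying the nonce
    $GLOBALS['aio_caps']['manage_options'] = true;
    $_GET['limit'] = '2';
    aio_example_protected_handler();
}
```

The client side has to send the nonce for the check to pass: in the admin enqueue hook, pass wp_create_nonce('aio_favicon_donations') to the script with wp_localize_script() and include it as the nonce parameter of the AJAX request. The 'manage_options' capability is an assumption; pick the narrowest capability that matches who is meant to see the donation list.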
Maintenance & Trust

All In One Favicon Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.2.9
  • Last updated: Aug 8, 2023
  • PHP min version: not listed
  • Downloads: 1.5M

Community Trust

  • Rating: 90/100
  • Number of ratings: 82
  • Active installs: 70K
Developer Profile

All In One Favicon Developer Profile

Garrett Grimm

8 plugins · 111K total installs

  • Trust score: 67
  • Avg security score: 83/100
  • Avg patch time: 881 days
Detection Fingerprints

How We Detect All In One Favicon

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/all-in-one-favicon/css/
  • /wp-content/plugins/all-in-one-favicon/js/
  • /wp-content/plugins/all-in-one-favicon/images/

Script Paths
  • /wp-content/plugins/all-in-one-favicon/js/aio-favicon-backend.js
  • /wp-content/plugins/all-in-one-favicon/js/aio-favicon-frontend.js
  • /wp-content/plugins/all-in-one-favicon/js/aio-favicon-debug.js

Version Parameters
  • all-in-one-favicon/css/aio-favicon-backend.css?ver=
  • all-in-one-favicon/css/aio-favicon-frontend.css?ver=
  • all-in-one-favicon/js/aio-favicon-backend.js?ver=
  • all-in-one-favicon/js/aio-favicon-frontend.js?ver=
  • all-in-one-favicon/js/aio-favicon-debug.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • aio-favicon-settings-group
  • aio-favicon-upload-area
  • aio-favicon-image-preview
  • aio-favicon-delete-button
  • aio-favicon-save-button
  • aio-favicon-cancel-button
  • aio-favicon-tabs
  • aio-favicon-tab-content

HTML Comments
  • <!-- START: All in one Favicon -->
  • <!-- END: All in one Favicon -->
  • <!-- All in one Favicon Admin Settings -->
  • <!-- All in one Favicon Front End Settings -->

Data Attributes
  • data-aio-favicon-action
  • data-aio-favicon-type

JS Globals
  • window.aioFaviconSettings
  • window.aioFaviconDefaultSettings
  • window.aioFaviconBackendMap
  • window.aioFaviconFrontendMap
  • var aioFaviconSettings
  • var aioFaviconDefaultSettings
  • +2 more
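Applying these fingerprints during an audit, as an added example that is not the page's own detection code: it checks a page's HTML for the asset paths and HTML comments listed above, reads the ?ver= value off the plugin's own CSS/JS, and maps that version onto the two published CVEs using the affected ranges from the vulnerability table. The sample HTML is constructed. One assumption is built in: that ?ver= on the plugin's assets carries the plugin version. If the plugin enqueues an asset without a version, WordPress substitutes its own version string, so treat the result as a lead to confirm against the plugin's readme or changelog, not as proof.

```php
<?php
// Added example, not the page's own scanner. Applies the listed fingerprints to
// a page's HTML and maps the ?ver= value onto the two published CVEs. Sample
// HTML is constructed. Assumption: ?ver= on the plugin's css/js is the plugin
// version (WordPress substitutes its own version when a plugin enqueues an
// asset without one), so the exposure result is a lead, not proof.

const AIO_FAVICON_ASSET_PATHS = [
    '/wp-content/plugins/all-in-one-favicon/css/',
    '/wp-content/plugins/all-in-one-favicon/js/',
    '/wp-content/plugins/all-in-one-favicon/images/',
];
const AIO_FAVICON_COMMENTS = [
    '<!-- START: All in one Favicon -->',
    '<!-- END: All in one Favicon -->',
];
// Last affected version per CVE, from the vulnerability table above.
const AIO_FAVICON_CVES = [
    'CVE-2018-13832' => '4.6',   // <= 4.6 affected, fixed in 4.7
    'CVE-2023-24416' => '4.7',   // <= 4.7 affected, fixed in 4.8
];

function aio_favicon_fingerprint(string $html): array {
    $signals = [];
    foreach (AIO_FAVICON_ASSET_PATHS as $path) {
        if (strpos($html, $path) !== false) {
            $signals[] = 'asset:' . basename($path);   // css, js or images
        }
    }
    foreach (AIO_FAVICON_COMMENTS as $comment) {
        if (strpos($html, $comment) !== false) {
            $signals[] = 'html-comment';
            break;
        }
    }
    // Take ?ver= only from the plugin's own css/js, never from other assets on the page.
    $version = null;
    if (preg_match('#all-in-one-favicon/(?:css|js)/[\w-]+\.(?:css|js)\?ver=([0-9][0-9.]*)#', $html, $m)) {
        $version = $m[1];
    }
    return ['detected' => $signals !== [], 'signals' => $signals, 'version' => $version];
}

// CVEs whose affected range still includes the detected version.
function aio_favicon_exposure(?string $version): array {
    if ($version === null) {
        return [];
    }
    $hits = [];
    foreach (AIO_FAVICON_CVES as $cve => $lastAffected) {
        if (version_compare($version, $lastAffected, '<=')) {
            $hits[] = $cve;
        }
    }
    return $hits;
}

if (PHP_SAPI === 'cli') {
    // Constructed page fragment: plugin present, assets versioned 4.6.
    $html = <<<'HTML'
<head>
<!-- START: All in one Favicon -->
<link rel="icon" type="image/png" href="https://example.com/wp-content/uploads/favicon.png">
<!-- END: All in one Favicon -->
<link rel="stylesheet" href="https://example.com/wp-content/plugins/all-in-one-favicon/css/aio-favicon-frontend.css?ver=4.6">
<script src="https://example.com/wp-content/plugins/all-in-one-favicon/js/aio-favicon-frontend.js?ver=4.6"></script>
</head>
HTML;
    $fp = aio_favicon_fingerprint($html);
    print_r($fp);
    print_r(aio_favicon_exposure($fp['version']));
}
```

A version of 4.8 or later produces an empty exposure list; a site with the plugin detected but no ?ver= on its assets reports version null, which is the case to follow up by hand rather than mark as clean.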
FAQ

Frequently Asked Questions about All In One Favicon