All-in-one Widget Security & Risk Analysis

wordpress.org/plugins/all-in-one-widget

Add fundamental functionality to your WordPress sidebars with a set of proper widgets.

100 active installs · v1.1 · PHP + · WP 3.9+ · Updated Feb 23, 2017

Tags: advertising, author, posts, recent, social-profile

Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is All-in-one Widget Safe to Use in 2026?

Generally Safe

Score 85/100

All-in-one Widget has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 9yr ago
Risk Assessment

The 'all-in-one-widget' plugin version 1.1 presents a mixed security posture. On the positive side, it exhibits strengths in its handling of SQL queries, utilizing prepared statements exclusively, and a clean vulnerability history with no recorded CVEs. The absence of bundled libraries and a generally low number of identified flows with unsanitized paths are also encouraging signs. However, significant concerns arise from the static analysis of its attack surface. A substantial number of AJAX handlers lack authentication checks, creating an easily exploitable entry point for attackers. The presence of dangerous functions like `create_function` and `unserialize` also raises red flags, as these can be misused in various injection attacks if not handled with extreme care. While taint analysis did not reveal critical or high severity flows, the identified flows with unsanitized paths, coupled with the unprotected AJAX endpoints, suggest a potential for vulnerabilities that may not have been fully captured by the static analysis alone.

The plugin's clean historical vulnerability record is a positive indicator, suggesting that past development efforts may have prioritized security. However, this should not be a sole basis for trust, especially given the identified weaknesses in the current version's code. The limited number of capability checks and nonces further exacerbates the risk posed by the unprotected AJAX handlers. In conclusion, while the plugin shows some good security practices, the significant number of unprotected AJAX endpoints and the use of dangerous functions create notable security risks that require immediate attention.

Key Concerns

  • Unprotected AJAX handlers
  • Dangerous functions used (create_function, unserialize)
  • Low percentage of properly escaped output
  • Limited nonce checks
  • Limited capability checks
  • Flows with unsanitized paths detected
Vulnerabilities
None known

All-in-one Widget Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

All-in-one Widget Release Timeline

v1.1 (Current)
v1.0
Code Analysis
Analyzed Mar 16, 2026

All-in-one Widget Code Analysis

Dangerous Functions: 15
Raw SQL Queries: 0 (2 prepared)
Unescaped Output: 445 (350 escaped)
Nonce Checks: 2
Capability Checks: 1
File Operations: 1
External Requests: 3
Bundled Libraries: 0

Dangerous Functions Found

Function         Location
  Code snippet (as reported by the scanner, truncated where the scanner truncated it)

create_function  widgets\widget-advert.php:120
  add_action( 'widgets_init', create_function( '', 'return register_widget("Themeidol_Widget_Advert");
create_function  widgets\widget-ajaxsearch.php:234
  add_action( 'widgets_init', create_function( '', 'return register_widget("Themeidol_ajaxsearch_widge
create_function  widgets\widget-author.php:114
  add_action( 'widgets_init', create_function( '', 'return register_widget("Themeidol_Widget_Author");
create_function  widgets\widget-dataandtime.php:361
  add_action( 'widgets_init', create_function( '', 'register_widget("Themeidol_Date_and_Time");' ) );
create_function  widgets\widget-facebook.php:254
  add_action( 'widgets_init', create_function( '', 'return register_widget("themeidol_facebook_widget"
create_function  widgets\widget-flickr.php:93
  add_action( 'widgets_init', create_function( '', 'return register_widget("Themeidol_Widget_Flickr");
unserialize      widgets\widget-instagram.php:244
  return unserialize( base64_decode( $instagram ) );
create_function  widgets\widget-instagram.php:261
  add_action( 'widgets_init', create_function( '', 'return register_widget("Themeidol_instagram_widget
create_function  widgets\widget-recent.php:107
  add_action( 'widgets_init', create_function( '', 'return register_widget("Themeidol_Widget_RecentPos
create_function  widgets\widget-rssfeed.php:761
  add_action( 'widgets_init', create_function( '', 'return register_widget("Themeidol_rss_feed_widget"
create_function  widgets\widget-site2quotes.php:172
  add_action( 'widgets_init', create_function( '', 'return register_widget("Themeidol_QuoteOfDay_Site2
create_function  widgets\widget-social.php:218
  add_action( 'widgets_init', create_function( '', 'return register_widget("Themeidol_Widget_Social");
create_function  widgets\widget-stylist.php:172
  add_action( 'widgets_init', create_function( '', 'return register_widget("Themeidol_stylish_popular_
create_function  widgets\widget-tabs.php:592
  add_action( 'widgets_init', create_function( '', 'return register_widget("Themeidol_Tab_widget");' )
create_function  widgets\widget-tweet.php:420
  add_action( 'widgets_init', create_function( '', 'return register_widget("Themeidol_Widget_Tweets");

SQL Query Safety

100% prepared (2 total queries)

Output Escaping

44% escaped (795 total outputs)
Data Flows · Security
3 unsanitized

Data Flow Analysis

3 flows, 3 with unsanitized paths

<widget-site2quotes> (widgets\widget-site2quotes.php:0)
Flow diagram legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized
Attack Surface
4 unprotected

All-in-one Widget Attack Surface

Entry Points: 8
Unprotected: 4

AJAX Handlers (8)

Scope   Hook                                 Location
auth    wp_ajax_wpt_view_count               all-in-one-widget.php:618
nopriv  wp_ajax_wpt_view_count               all-in-one-widget.php:619
auth    wp_ajax_themeidol_dismiss_pointer    all-in-one-widget.php:620
nopriv  wp_ajax_themeidol_dismiss_pointe     all-in-one-widget.php:621
auth    wp_ajax_themeidolasw                 widgets\widget-ajaxsearch.php:31
nopriv  wp_ajax_themeidolasw                 widgets\widget-ajaxsearch.php:32
auth    wp_ajax_wpt_widget_content           widgets\widget-tabs.php:11
nopriv  wp_ajax_wpt_widget_content           widgets\widget-tabs.php:12
WordPress Hooks (103)

Type    Hook                                  Location
action  admin_notices                         all-in-one-widget.php:153
action  admin_init                            all-in-one-widget.php:154
action  init                                  all-in-one-widget.php:155
filter  the_content                           all-in-one-widget.php:156
action  mts_view_count_after_update           all-in-one-widget.php:157
action  admin_menu                            all-in-one-widget.php:158
filter  plugin_action_links                   all-in-one-widget.php:159
action  widgets_init                          all-in-one-widget.php:161
action  widgets_init                          all-in-one-widget.php:162
filter  plugin_row_meta                       all-in-one-widget.php:164
action  admin_enqueue_scripts                 all-in-one-widget.php:166
action  customize_controls_enqueue_scripts    all-in-one-widget.php:167
action  wp_enqueue_scripts                    all-in-one-widget.php:393
action  admin_enqueue_scripts                 widgets\widget-advert.php:13
action  save_post                             widgets\widget-advert.php:16
action  delete_attachment                     widgets\widget-advert.php:17
action  deleted_post                          widgets\widget-advert.php:18
action  switch_theme                          widgets\widget-advert.php:19
action  widgets_init                          widgets\widget-advert.php:120
action  init                                  widgets\widget-ajaxsearch.php:24
action  wp_enqueue_scripts                    widgets\widget-ajaxsearch.php:26
action  wp_footer                             widgets\widget-ajaxsearch.php:29
action  save_post                             widgets\widget-ajaxsearch.php:35
action  deleted_post                          widgets\widget-ajaxsearch.php:36
action  delete_attachment                     widgets\widget-ajaxsearch.php:37
action  switch_theme                          widgets\widget-ajaxsearch.php:38
action  widgets_init                          widgets\widget-ajaxsearch.php:234
action  wp_enqueue_scripts                    widgets\widget-author.php:13
action  save_post                             widgets\widget-author.php:15
action  deleted_post                          widgets\widget-author.php:16
action  delete_attachment                     widgets\widget-author.php:17
action  switch_theme                          widgets\widget-author.php:18
action  widgets_init                          widgets\widget-author.php:114
action  admin_print_styles                    widgets\widget-dataandtime.php:30
action  admin_enqueue_scripts                 widgets\widget-dataandtime.php:31
action  wp_enqueue_scripts                    widgets\widget-dataandtime.php:34
action  wp_enqueue_scripts                    widgets\widget-dataandtime.php:35
action  save_post                             widgets\widget-dataandtime.php:38
action  deleted_post                          widgets\widget-dataandtime.php:39
action  switch_theme                          widgets\widget-dataandtime.php:40
action  widgets_init                          widgets\widget-dataandtime.php:361
action  save_post                             widgets\widget-facebook.php:15
action  deleted_post                          widgets\widget-facebook.php:16
action  delete_attachment                     widgets\widget-facebook.php:17
action  switch_theme                          widgets\widget-facebook.php:18
action  widgets_init                          widgets\widget-facebook.php:254
action  wp_enqueue_scripts                    widgets\widget-flickr.php:13
action  save_post                             widgets\widget-flickr.php:15
action  deleted_post                          widgets\widget-flickr.php:16
action  delete_attachment                     widgets\widget-flickr.php:17
action  switch_theme                          widgets\widget-flickr.php:18
action  widgets_init                          widgets\widget-flickr.php:93
action  wp_enqueue_scripts                    widgets\widget-instagram.php:20
action  save_post                             widgets\widget-instagram.php:22
action  deleted_post                          widgets\widget-instagram.php:23
action  delete_attachment                     widgets\widget-instagram.php:24
action  switch_theme                          widgets\widget-instagram.php:25
action  widgets_init                          widgets\widget-instagram.php:261
action  wp_enqueue_scripts                    widgets\widget-recent.php:14
action  save_post                             widgets\widget-recent.php:15
action  deleted_post                          widgets\widget-recent.php:16
action  switch_theme                          widgets\widget-recent.php:17
action  widgets_init                          widgets\widget-recent.php:107
action  wp_enqueue_scripts                    widgets\widget-rssfeed.php:12
filter  themeidol_item_attributes             widgets\widget-rssfeed.php:13
filter  themeidol_item_attributes             widgets\widget-rssfeed.php:14
filter  themeidol_default_image               widgets\widget-rssfeed.php:15
filter  themeidol_default_error               widgets\widget-rssfeed.php:16
action  save_post                             widgets\widget-rssfeed.php:19
action  deleted_post                          widgets\widget-rssfeed.php:20
action  delete_attachment                     widgets\widget-rssfeed.php:21
action  switch_theme                          widgets\widget-rssfeed.php:22
action  widgets_init                          widgets\widget-rssfeed.php:761
action  save_post                             widgets\widget-site2quotes.php:19
action  deleted_post                          widgets\widget-site2quotes.php:20
action  delete_attachment                     widgets\widget-site2quotes.php:21
action  switch_theme                          widgets\widget-site2quotes.php:22
action  widgets_init                          widgets\widget-site2quotes.php:172
action  wp_enqueue_scripts                    widgets\widget-social.php:14
action  save_post                             widgets\widget-social.php:16
action  deleted_post                          widgets\widget-social.php:17
action  delete_attachment                     widgets\widget-social.php:18
action  switch_theme                          widgets\widget-social.php:19
action  widgets_init                          widgets\widget-social.php:218
action  wp_enqueue_scripts                    widgets\widget-stylist.php:13
action  save_post                             widgets\widget-stylist.php:22
action  deleted_post                          widgets\widget-stylist.php:23
action  delete_attachment                     widgets\widget-stylist.php:24
action  switch_theme                          widgets\widget-stylist.php:25
action  widgets_init                          widgets\widget-stylist.php:172
action  wp_enqueue_scripts                    widgets\widget-tabs.php:15
action  admin_enqueue_scripts                 widgets\widget-tabs.php:16
action  save_post                             widgets\widget-tabs.php:22
action  deleted_post                          widgets\widget-tabs.php:23
action  delete_attachment                     widgets\widget-tabs.php:24
action  switch_theme                          widgets\widget-tabs.php:25
action  widgets_init                          widgets\widget-tabs.php:592
action  wp_enqueue_scripts                    widgets\widget-tweet.php:23
action  save_post                             widgets\widget-tweet.php:25
action  deleted_post                          widgets\widget-tweet.php:26
action  delete_attachment                     widgets\widget-tweet.php:27
action  switch_theme                          widgets\widget-tweet.php:28
action  widgets_init                          widgets\widget-tweet.php:420
Maintenance & Trust

All-in-one Widget Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.7.33
Last updated: Feb 23, 2017
PHP min version:
Downloads: 4K

Community Trust

Rating: 80/100
Number of ratings: 4
Active installs: 100
Developer Profile

All-in-one Widget Developer Profile

themeidol

4 plugins · 160 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect All-in-one Widget

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  /wp-content/plugins/all-in-one-widget/css/widget-style.css
  /wp-content/plugins/all-in-one-widget/assets/css/bootstrap.min.css
  /wp-content/plugins/all-in-one-widget/assets/css/owl.carousel.css
  /wp-content/plugins/all-in-one-widget/assets/css/owl.theme.css
  /wp-content/plugins/all-in-one-widget/assets/css/magnific-popup.css
  /wp-content/plugins/all-in-one-widget/assets/css/animate.css
  /wp-content/plugins/all-in-one-widget/assets/css/frontend.css
  /wp-content/plugins/all-in-one-widget/assets/js/bootstrap.min.js
  (+6 more)
Script Paths
  /wp-content/plugins/all-in-one-widget/assets/js/frontend.js
  /wp-content/plugins/all-in-one-widget/assets/js/instafeed.min.js
  /wp-content/plugins/all-in-one-widget/assets/js/masonry.pkgd.min.js
Version Parameters
  all-in-one-widget/css/widget-style.css?ver=
  all-in-one-widget/assets/css/bootstrap.min.css?ver=
  all-in-one-widget/assets/css/owl.carousel.css?ver=
  all-in-one-widget/assets/css/owl.theme.css?ver=
  all-in-one-widget/assets/css/magnific-popup.css?ver=
  all-in-one-widget/assets/css/animate.css?ver=
  all-in-one-widget/assets/css/frontend.css?ver=
  all-in-one-widget/assets/js/bootstrap.min.js?ver=
  all-in-one-widget/assets/js/owl.carousel.js?ver=
  all-in-one-widget/assets/js/jquery.magnific-popup.min.js?ver=
  all-in-one-widget/assets/js/wow.min.js?ver=
  all-in-one-widget/assets/js/frontend.js?ver=
  all-in-one-widget/assets/js/instafeed.min.js?ver=
  all-in-one-widget/assets/js/masonry.pkgd.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
  themeidol-widget-tabs, themeidol-tab-content, themeidol-widget-twitter-feed, themeidol-widget-advert, themeidol-widget-flickr, themeidol-widget-recent-post, themeidol-widget-social, themeidol-widget-author (+7 more)
Data Attributes
data-widget-type
JS Globals
Themeidolwidgetsthemeidol
FAQ

Frequently Asked Questions about All-in-one Widget