Blog-in-Blog Security & Risk Analysis

wordpress.org/plugins/blog-in-blog

This plugin shows posts from a category on any page you like using shortcodes. Create multiple blogs within a blog using a category.

900 active installs · v2.0.1 · PHP 8.0+ · WP 5.0+ · Updated Jan 26, 2026
Tags: blog, categories, cms, hide, shortcode

Security score: 99 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: May 30, 2023
Safety Verdict

Is Blog-in-Blog Safe to Use in 2026?

Generally Safe

Score 99/100

Blog-in-Blog has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: May 30, 2023 · Updated 2mo ago
Risk Assessment

The 'blog-in-blog' plugin v2.0.1 exhibits a mixed security posture. On the positive side, the static analysis shows a relatively small attack surface with no unprotected entry points, no dangerous functions, and a reasonable percentage of SQL queries using prepared statements and outputs being properly escaped. The absence of external HTTP requests and bundled libraries is also a good sign.

However, several concerns are raised by the data. The plugin has a history of significant vulnerabilities, including a high severity Cross-Site Scripting (XSS) and a medium severity Path Traversal, with the last vulnerability being relatively recent. The static analysis, while showing some good practices, also highlights a lack of nonce checks and only one capability check across all entry points, which is a significant weakness. The presence of file operations without clear context on their sanitization also warrants caution. The taint analysis is inconclusive due to zero flows analyzed, which could mask potential issues.

In conclusion, while the plugin has made some strides in secure coding practices like prepared statements and output escaping, its past vulnerability history and the identified weaknesses in authentication and sanitization of file operations present a notable risk. The lack of thorough taint analysis further complicates a complete security assessment. Users should be aware of the plugin's historical issues and the current limitations in its security implementation.

Key Concerns

  • Vulnerability history indicates past XSS and Path Traversal
  • Last vulnerability identified is recent (2023-05-30)
  • No nonce checks detected
  • Only one capability check across all entry points
  • SQL queries: 25% not using prepared statements
  • Output escaping: 15% of outputs not properly escaped
  • Taint analysis not performed/inconclusive
Vulnerabilities (2)

Blog-in-Blog Security Vulnerabilities

CVEs by Year

2023: 2 CVEs

Severity Breakdown

High: 1
Medium: 1

2 total CVEs

CVE-2023-2436 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Blog-in-Blog <= 2.0.0 - Authenticated (Editor+) Stored Cross-Site Scripting via Shortcode

May 30, 2023 · Patched in 2.0.1 (981d)

CVE-2023-2435 · high · 7.2 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Blog-in-Blog <= 2.0.0 - Authenticated (Editor+) Local File Inclusion via Shortcode

May 30, 2023 · Patched in 2.0.1 (981d)
Code Analysis
Analyzed Mar 16, 2026

Blog-in-Blog Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (3 prepared)
Unescaped Output: 25 (60 escaped)
Nonce Checks: 0
Capability Checks: 1
File Operations: 4
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

75% prepared (4 total queries)

Output Escaping

71% escaped (85 total outputs)
Attack Surface

Blog-in-Blog Attack Surface

Entry Points: 2
Unprotected: 0

Shortcodes (2)

  • [blog_in_blog]  blog-in-blog.php:297
  • [bib]           blog-in-blog.php:298

WordPress Hooks (11)

  • action  init                  blocks\blog-in-blog-block.php:149
  • filter  block_categories_all  blocks\blog-in-blog-block.php:212
  • filter  excerpt_more          blog-in-blog.php:656
  • filter  query_vars            blog-in-blog.php:1052
  • filter  pre_get_posts         blog-in-blog.php:1091
  • filter  pre_get_posts         blog-in-blog.php:1122
  • action  wp_footer             blog-in-blog.php:1142
  • action  init                  blog-in-blog.php:1163
  • action  init                  options.php:94
  • action  admin_menu            options.php:120
  • action  admin_init            options.php:124
Maintenance & Trust

Blog-in-Blog Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Jan 26, 2026
PHP min version: 8.0
Downloads: 111K

Community Trust

Rating: 100/100
Number of ratings: 16
Active installs: 900
Developer Profile

Blog-in-Blog Developer Profile

timhodson

2 plugins · 910 total installs

Trust score: 79
Avg Security Score: 100/100
Avg Patch Time: 981 days
Detection Fingerprints

How We Detect Blog-in-Blog

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/blog-in-blog/css/blog-in-blog.css
  • /wp-content/plugins/blog-in-blog/css/blog-in-blog-editor.css
  • /wp-content/plugins/blog-in-blog/js/blog-in-blog.js
  • /wp-content/plugins/blog-in-blog/blocks/blog-in-blog-block.js
Script Paths
  • /wp-content/plugins/blog-in-blog/js/blog-in-blog.js
  • /wp-content/plugins/blog-in-blog/blocks/blog-in-blog-block.js
Version Parameters
  • blog-in-blog/style.css?ver=
  • blog-in-blog/script.js?ver=
  • blog-in-blog/blog-in-blog-block.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • blog-in-blog-wrapper, blog-in-blog-post-wrapper, blog-in-blog-post-content, blog-in-blog-post-title, blog-in-blog-post-date, blog-in-blog-post-excerpt, blog-in-blog-navigation, blog-in-blog-pagination, +1 more
HTML Comments
  • BIB: using template:
  • BIB: using default template from database
Data Attributes
  • data-bib-template, data-bib-category_id, data-bib-category_slug, data-bib-tag_slug, data-bib-custom_post_type, data-bib-author, +9 more
JS Globals
  • blog_in_blog_opts, bib_write_debug, bib_set_post_order
Shortcode Output
  • [blog_in_blog category_id= num= template=''
FAQ

Frequently Asked Questions about Blog-in-Blog