Blog, Posts and Category Filter for Elementor Security & Risk Analysis

wordpress.org/plugins/blog-posts-and-category-for-elementor

Blog, Posts and Category Filter for Elementor lets you filter your Blog posts with Category. You can now display more posts to your users.

1K active installs · v2.1.0 · PHP 7.4+ · WP 6.0+ · Updated Apr 26, 2025
Tags: elementor-blog-filter, elementor-category-filter, elementor-post-filter
Score: 91 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Feb 3, 2025
Safety Verdict

Is Blog, Posts and Category Filter for Elementor Safe to Use in 2026?

Generally Safe

Score 91/100

Blog, Posts and Category Filter for Elementor has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

2 known CVEs · Last CVE: Feb 3, 2025 · Updated 1yr ago
Risk Assessment

The plugin exhibits a mixed security posture. While it demonstrates good practices regarding SQL queries, which are all prepared, and a high percentage of properly escaped output, significant concerns arise from its attack surface. All five identified AJAX handlers lack authentication checks, making them potential entry points for unauthorized actions. Furthermore, the taint analysis reveals two flows with unsanitized paths, indicating potential for vulnerabilities if user input is not handled carefully, although these did not reach a critical or high severity in the analysis.

The plugin has a history of two known medium-severity Cross-Site Scripting (XSS) vulnerabilities. The fact that there are no currently unpatched CVEs is positive, but the recurring nature of XSS issues in its history suggests a persistent weakness in input sanitization or output encoding for certain user-provided data. The recent vulnerability date (2025-02-03) is concerning as it implies recent issues, even if patched.

In conclusion, while the plugin has some strengths like prepared SQL statements, the substantial number of unprotected AJAX handlers and the historical XSS vulnerabilities are significant weaknesses. These factors, combined with the taint analysis findings, present a notable risk that requires attention, particularly regarding the handling of user-supplied data within the AJAX endpoints.

Key Concerns

  • AJAX handlers without authentication checks
  • Taint flows with unsanitized paths
  • History of medium severity XSS vulnerabilities
  • Lack of nonce checks on AJAX handlers
  • Lack of capability checks on AJAX handlers
Vulnerabilities
2 published

Blog, Posts and Category Filter for Elementor Security Vulnerabilities

CVEs by Year

2024: 1 CVE
2025: 1 CVE

Severity Breakdown

Medium: 2 (2 total CVEs)

CVE-2025-22648 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Blog, Posts and Category Filter for Elementor <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Feb 3, 2025 · Patched in 2.1.0 (87d)

CVE-2024-4667 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Blog, Posts and Category Filter for Elementor <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post and Category Filter Widget

Jul 8, 2024 · Patched in 2.0.0 (1d)
Version History

Blog, Posts and Category Filter for Elementor Release Timeline

Code Analysis
Analyzed Mar 16, 2026

Blog, Posts and Category Filter for Elementor Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 18 (96 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

jQuery

Output Escaping

84% escaped · 114 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

2 flows · 2 with unsanitized paths
goodbye_form_callback (class-plugin-deactivate-feedback.php:365)
Attack Surface
5 unprotected

Blog, Posts and Category Filter for Elementor Attack Surface

Entry Points: 5
Unprotected: 5

AJAX Handlers (5)

nopriv · wp_ajax_load_posts · class-ajax.php:15
auth · wp_ajax_load_posts · class-ajax.php:16
auth · wp_ajax_pd_pcf_goodbye_form · class-plugin-deactivate-feedback.php:63
auth · wp_ajax_pdpcf_review_transient · class-plugin-review.php:21
auth · wp_ajax_process_pd_pcf_promo_form · support-page\class-support-page.php:24

WordPress Hooks (26)

action · admin_menu · admin\admin-pages.php:2
action · admin_enqueue_scripts · admin\admin-pages.php:97
action · admin_init · admin\admin-pages.php:110
action · admin_notices · admin\notices\support.php:10
action · plugins_loaded · admin\post-category-filter-utils.php:15
action · admin_notices · admin\post-category-filter-utils.php:21
action · admin_notices · admin\post-category-filter-utils.php:27
action · admin_notices · admin\post-category-filter-utils.php:33
action · admin_enqueue_scripts · admin\post-category-filter-utils.php:38
action · elementor/frontend/after_enqueue_styles · admin\post-category-filter-utils.php:39
action · elementor/frontend/after_register_scripts · admin\post-category-filter-utils.php:42
action · elementor/widgets/register · admin\post-category-filter-utils.php:45
action · admin_footer-plugins.php · class-plugin-deactivate-feedback.php:62
action · admin_enqueue_scripts · class-plugin-deactivate-feedback.php:65
filter · wp_mail_content_type · class-plugin-deactivate-feedback.php:119
action · admin_notices · class-plugin-review.php:19
action · admin_footer · class-plugin-review.php:20
action · elementor/init · post-and-category-filter-for-elementor.php:43
action · plugins_loaded · post-and-category-filter-for-elementor.php:93
action · wp_footer · post-and-category-filter-for-elementor.php:97
filter · custom_menu_order · post-and-category-filter-for-elementor.php:136
action · upgrader_process_complete · post-and-category-filter-for-elementor.php:146
action · init · post-and-category-filter-for-elementor.php:147
action · wp_head · support-page\class-support-page.php:6
action · admin_enqueue_scripts · support-page\class-support-page.php:142
action · admin_menu · support-page\class-support-page.php:172

Maintenance & Trust

Blog, Posts and Category Filter for Elementor Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Apr 26, 2025
PHP min version: 7.4
Downloads: 29K

Community Trust

Rating: 88/100
Number of ratings: 14
Active installs: 1K

Alternatives

Blog, Posts and Category Filter for Elementor Alternatives

No alternatives data available yet.

Developer Profile

Blog, Posts and Category Filter for Elementor Developer Profile

Plugin Devs

16 plugins · 18K total installs

Trust score: 76
Avg Security Score: 83/100
Avg Patch Time: 60 days
Detection Fingerprints

How We Detect Blog, Posts and Category Filter for Elementor

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/blog-posts-and-category-for-elementor/assets/css/main.css
/wp-content/plugins/blog-posts-and-category-for-elementor/assets/js/pd-pcf-frontend.js
Script Paths
/wp-content/plugins/blog-posts-and-category-for-elementor/assets/js/pd-pcf-frontend.js
Version Parameters
/wp-content/plugins/blog-posts-and-category-for-elementor/assets/css/main.css?ver=
/wp-content/plugins/blog-posts-and-category-for-elementor/assets/js/pd-pcf-frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
pd_pcf-up-pro-link
HTML Comments
/* Welcome to the Custom CSS editor! Please add all your custom CSS here and avoid modifying the core plugin files. Don't use <style> tag */
/* Welcome to the Custom JS editor! Please add all your custom JS here and avoid modifying the core plugin files. Don't use <script> tag */
Data Attributes
name="pd_pcf_custom_css"
id="pd_pcf_custom_css"
name="pd_pcf_custom_js"
id="pd_pcf_custom_js"

FAQ

Frequently Asked Questions about Blog, Posts and Category Filter for Elementor