Broadstreet Security & Risk Analysis

wordpress.org/plugins/broadstreet

Integrate Broadstreet adserving power into your site.

700 active installs · v1.52.2 · PHP + · WP 3.0+ · Updated Dec 16, 2025
Tags: broadstreet, hyperlocal, independent, local, publishers
Score: 95
A · Safe
CVEs total: 6
Unpatched: 0
Last CVE: Jan 19, 2026

Safety Verdict

Is Broadstreet Safe to Use in 2026?

Generally Safe

Score 95/100

Broadstreet has a strong security track record. Known vulnerabilities have been patched promptly.

6 known CVEs · Last CVE: Jan 19, 2026 · Updated 3mo ago

Risk Assessment

The "broadstreet" plugin version 1.52.2 presents a mixed security posture. While it demonstrates good practices like using prepared statements for all SQL queries and a high percentage of properly escaped output, significant concerns arise from its attack surface. A substantial number of entry points, specifically 16 out of 20, lack proper authentication or authorization checks, creating a large potential for unauthorized access and actions. The absence of any taint analysis results is positive, suggesting no critical flaws were detected in that specific area during the analysis. However, the plugin's history is marred by 6 known medium-severity CVEs, including past instances of missing authorization, CSRF, and XSS. The fact that there are currently no unpatched CVEs is a positive sign, but the recurring nature of these vulnerability types indicates a potential for similar weaknesses to be reintroduced or remain latent in the codebase. The most recent vulnerability was dated in the future (2026-01-19), which is an anomaly that warrants investigation and may indicate an error in the data itself or a projection that did not materialize. Overall, the plugin has strengths in secure database interactions and output handling, but its extensive unprotected entry points and past vulnerability patterns necessitate caution and vigilant monitoring.

Key Concerns

  • Large attack surface without auth checks
  • Unprotected REST API routes
  • Unprotected AJAX handlers
  • Missing nonce checks on AJAX
  • Past medium severity CVEs (6 total)
  • Percentage of output not properly escaped

Vulnerabilities: 6

Broadstreet Security Vulnerabilities

CVEs by Year

2025: 5 CVEs
2026: 1 CVE

Severity Breakdown

Medium: 6

6 total CVEs

CVE-2025-69311 · medium · 4.3 · Missing Authorization
Broadstreet Ads <= 1.52.1 - Missing Authorization
Jan 19, 2026 · Patched in 1.52.2 (10d)

CVE-2025-4652 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Broadstreet Ads <= 1.51.7 - Reflected Cross-Site Scripting
May 29, 2025 · Patched in 1.51.8 (20d)

CVE-2025-48113 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Broadstreet <= 1.51.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
May 16, 2025 · Patched in 1.51.3 (257d)

CVE-2025-32211 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Broadstreet <= 1.52.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting
Apr 7, 2025 · Patched in 1.52.2 (296d)

CVE-2025-32270 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
Broadstreet <= 1.51.1 - Cross-Site Request Forgery
Apr 4, 2025 · Patched in 1.52.2 (305d)

CVE-2024-11825 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Broadstreet <= 1.51.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via zone Parameter
Jan 24, 2025 · Patched in 1.51.1 (6d)

Code Analysis
Analyzed Mar 16, 2026

Broadstreet Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (4 prepared)
Unescaped Output: 190 (698 escaped)
Nonce Checks: 6
Capability Checks: 6
File Operations: 26
External Requests: 6
Bundled Libraries: 0

SQL Query Safety

100% prepared · 4 total queries

Output Escaping

79% escaped · 888 total outputs

Attack Surface: 16 unprotected

Broadstreet Attack Surface

Entry Points: 20
Unprotected: 16

AJAX Handlers 12

auth · wp_ajax_bs_save_settings · Broadstreet\Core.php:198
auth · wp_ajax_create_advertiser · Broadstreet\Core.php:199
auth · wp_ajax_import_facebook · Broadstreet\Core.php:200
auth · wp_ajax_register · Broadstreet\Core.php:201
auth · wp_ajax_save_zone_settings · Broadstreet\Core.php:202
auth · wp_ajax_get_sponsored_meta · Broadstreet\Core.php:203
auth · wp_ajax_bs_save_settings · trunk\Broadstreet\Core.php:198
auth · wp_ajax_create_advertiser · trunk\Broadstreet\Core.php:199
auth · wp_ajax_import_facebook · trunk\Broadstreet\Core.php:200
auth · wp_ajax_register · trunk\Broadstreet\Core.php:201
auth · wp_ajax_save_zone_settings · trunk\Broadstreet\Core.php:202
auth · wp_ajax_get_sponsored_meta · trunk\Broadstreet\Core.php:203

REST API Routes 4

GET · /wp-json/broadstreet/v1/targets · Broadstreet\Core.php:207
GET · /wp-json/broadstreet/v1/refresh · Broadstreet\Core.php:216
GET · /wp-json/broadstreet/v1/targets · trunk\Broadstreet\Core.php:207
GET · /wp-json/broadstreet/v1/refresh · trunk\Broadstreet\Core.php:216

Shortcodes 4

[broadstreet] Broadstreet\Core.php:148
[businesses] Broadstreet\Core.php:185
[broadstreet] trunk\Broadstreet\Core.php:148
[businesses] trunk\Broadstreet\Core.php:185

WordPress Hooks 66

action · admin_menu · Broadstreet\Core.php:140
action · admin_enqueue_scripts · Broadstreet\Core.php:141
action · admin_init · Broadstreet\Core.php:142
action · wp_enqueue_scripts · Broadstreet\Core.php:143
filter · script_loader_tag · Broadstreet\Core.php:144
action · init · Broadstreet\Core.php:145
action · admin_notices · Broadstreet\Core.php:146
action · widgets_init · Broadstreet\Core.php:147
filter · image_size_names_choose · Broadstreet\Core.php:149
action · wp_footer · Broadstreet\Core.php:150
action · wp_body_open · Broadstreet\Core.php:152
filter · the_content · Broadstreet\Core.php:153
filter · the_content_feed · Broadstreet\Core.php:154
action · loop_end · Broadstreet\Core.php:155
filter · comments_template · Broadstreet\Core.php:157
action · post_updated · Broadstreet\Core.php:160
action · transition_post_status · Broadstreet\Core.php:161
action · post_updated · Broadstreet\Core.php:164
action · get_template_part_template-parts/header/entry · Broadstreet\Core.php:167
action · after_header · Broadstreet\Core.php:168
action · before_footer · Broadstreet\Core.php:169
filter · rest_pre_echo_response · Broadstreet\Core.php:170
action · init · Broadstreet\Core.php:178
action · wp_enqueue_scripts · Broadstreet\Core.php:179
action · pre_get_posts · Broadstreet\Core.php:180
filter · the_content · Broadstreet\Core.php:181
filter · the_posts · Broadstreet\Core.php:182
filter · comment_form_defaults · Broadstreet\Core.php:183
action · save_post · Broadstreet\Core.php:184
action · add_meta_boxes · Broadstreet\Core.php:189
action · rss2_item · Broadstreet\Core.php:192
action · rss_item · Broadstreet\Core.php:193
action · rest_api_init · Broadstreet\Core.php:205
action · admin_menu · trunk\Broadstreet\Core.php:140
action · admin_enqueue_scripts · trunk\Broadstreet\Core.php:141
action · admin_init · trunk\Broadstreet\Core.php:142
action · wp_enqueue_scripts · trunk\Broadstreet\Core.php:143
filter · script_loader_tag · trunk\Broadstreet\Core.php:144
action · init · trunk\Broadstreet\Core.php:145
action · admin_notices · trunk\Broadstreet\Core.php:146
action · widgets_init · trunk\Broadstreet\Core.php:147
filter · image_size_names_choose · trunk\Broadstreet\Core.php:149
action · wp_footer · trunk\Broadstreet\Core.php:150
action · wp_body_open · trunk\Broadstreet\Core.php:152
filter · the_content · trunk\Broadstreet\Core.php:153
filter · the_content_feed · trunk\Broadstreet\Core.php:154
action · loop_end · trunk\Broadstreet\Core.php:155
filter · comments_template · trunk\Broadstreet\Core.php:157
action · post_updated · trunk\Broadstreet\Core.php:160
action · transition_post_status · trunk\Broadstreet\Core.php:161
action · post_updated · trunk\Broadstreet\Core.php:164
action · get_template_part_template-parts/header/entry · trunk\Broadstreet\Core.php:167
action · after_header · trunk\Broadstreet\Core.php:168
action · before_footer · trunk\Broadstreet\Core.php:169
filter · rest_pre_echo_response · trunk\Broadstreet\Core.php:170
action · init · trunk\Broadstreet\Core.php:178
action · wp_enqueue_scripts · trunk\Broadstreet\Core.php:179
action · pre_get_posts · trunk\Broadstreet\Core.php:180
filter · the_content · trunk\Broadstreet\Core.php:181
filter · the_posts · trunk\Broadstreet\Core.php:182
filter · comment_form_defaults · trunk\Broadstreet\Core.php:183
action · save_post · trunk\Broadstreet\Core.php:184
action · add_meta_boxes · trunk\Broadstreet\Core.php:189
action · rss2_item · trunk\Broadstreet\Core.php:192
action · rss_item · trunk\Broadstreet\Core.php:193
action · rest_api_init · trunk\Broadstreet\Core.php:205

Maintenance & Trust

Broadstreet Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 16, 2025
PHP min version
Downloads: 46K

Community Trust

Rating: 100/100
Number of ratings: 2
Active installs: 700

Developer Profile

Broadstreet Developer Profile

Broadstreet

5 plugins · 3K total installs

Trust score: 69
Avg Security Score: 85/100
Avg Patch Time: 496 days
Detection Fingerprints

How We Detect Broadstreet

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/broadstreet/css/broadstreet.css
  • /wp-content/plugins/broadstreet/js/broadstreet.js
  • /wp-content/plugins/broadstreet/js/broadstreet-admin.js
  • /wp-content/plugins/broadstreet/css/broadstreet-admin.css
Script Paths
  • /wp-content/plugins/broadstreet/js/broadstreet.js
  • /wp-content/plugins/broadstreet/js/broadstreet-admin.js
Version Parameters
  • broadstreet/css/broadstreet.css?ver=
  • broadstreet/js/broadstreet.js?ver=
  • broadstreet/js/broadstreet-admin.js?ver=
  • broadstreet/css/broadstreet-admin.css?ver=

HTML / DOM Fingerprints

CSS Classes
  • broadstreet-widget
  • broadstreet-ad-wrapper
HTML Comments
  • <!-- Broadstreet Ad -->
  • <!-- End Broadstreet Ad -->
Data Attributes
  • data-broadstreet-zone-id
  • data-broadstreet-placement-id
JS Globals
  • window.broadstreet_config
REST Endpoints
  • /wp-json/broadstreet/v1/data
Shortcode Output
  • [broadstreet]
  • [businesses]