C9 Variables Security & Risk Analysis

wordpress.org/plugins/c9-variables

Use variables to make smart reusable content. The basic plugin is fully functional and supports up to 10 variables. The Pro plugin supports unlimited …

0 active installs · v1.0.0 · PHP + · WP 4.7+ · Updated Unknown
Tags: content-management, modularize, productivity, reusable-content, tools
100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is C9 Variables Safe to Use in 2026?

Generally Safe

Score 100/100

C9 Variables has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs
Risk Assessment

The c9-variables plugin v1.0.0 exhibits a concerning security posture, primarily due to its unprotected AJAX handlers. While the plugin demonstrates good practices like using prepared statements for SQL queries and has a history free of known vulnerabilities, the presence of four AJAX handlers without authentication checks represents a significant attack vector. This means any user, including unauthenticated ones, could potentially trigger these handlers, leading to unintended actions or information disclosure. The taint analysis reveals one flow with unsanitized paths; although it is not classified as critical or high, it still warrants attention because it indicates a potential for deeper issues if not addressed. The limited output escaping is also a weakness, potentially opening the door to cross-site scripting (XSS) vulnerabilities if user-supplied data is not properly handled before being displayed.

Key Concerns

  • AJAX handlers without authentication checks
  • Flows with unsanitized paths (taint analysis)
  • Low percentage of properly escaped output
Vulnerabilities
None known

C9 Variables Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

C9 Variables Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 27 (4 escaped)
Nonce Checks: 2
Capability Checks: 5
File Operations: 0
External Requests: 1
Bundled Libraries: 0

Output Escaping

13% escaped, 31 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

1 flow, 1 with unsanitized paths
<class-c9-http-utils> (includes\code\basic\utils\class-c9-http-utils.php:0)
Flow diagram legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized
Attack Surface
4 unprotected

C9 Variables Attack Surface

Entry Points: 4
Unprotected: 4

AJAX Handlers 4

nopriv · wp_ajax_c9_vars_get_variables · includes\class-c9-variables.php:177
auth · wp_ajax_c9_vars_get_variables · includes\class-c9-variables.php:178
nopriv · wp_ajax_c9_vars_update_variable_last_used · includes\class-c9-variables.php:179
auth · wp_ajax_c9_vars_update_variable_last_used · includes\class-c9-variables.php:180
WordPress Hooks 16
filter · mce_external_plugins · admin\class-c9-variables-admin.php:77
filter · mce_buttons · admin\class-c9-variables-admin.php:78
action · plugins_loaded · includes\class-c9-variables.php:155
action · init · includes\class-c9-variables.php:171
action · admin_init · includes\class-c9-variables.php:172
action · save_post_c9_vars_variable · includes\class-c9-variables.php:173
action · admin_menu · includes\class-c9-variables.php:174
action · admin_enqueue_scripts · includes\class-c9-variables.php:175
action · admin_enqueue_scripts · includes\class-c9-variables.php:176
filter · admin_footer_text · includes\class-c9-variables.php:181
action · init · includes\class-c9-variables.php:196
action · wp_enqueue_scripts · includes\class-c9-variables.php:197
action · wp_enqueue_scripts · includes\class-c9-variables.php:198
action · save_post · includes\code\basic\admin\core\class-c9-variables-admin-delegate.php:149
action · post_updated_messages · includes\code\basic\admin\core\class-c9-variables-admin-delegate.php:150
action · admin_notices · includes\code\basic\admin\ui\class-c9-variables-admin-ui.php:29
Maintenance & Trust

C9 Variables Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.9.29
Last updated: Unknown
PHP min version
Downloads: 1K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 0
Developer Profile

C9 Variables Developer Profile

nitinvp

1 plugin · 0 total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect C9 Variables

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/c9-variables/admin/css/common/c9-common.css
/wp-content/plugins/c9-variables/admin/css/c9-variables-admin.css
/wp-content/plugins/c9-variables/admin/js/c9-variables-admin.js
Script Paths
/wp-content/plugins/c9-variables/admin/js/c9-variables-admin.js
Version Parameters
c9-variables-admin/css/common/c9-common.css?ver=
c9-variables-admin/css/c9-variables-admin.css?ver=
c9-variables-admin/js/c9-variables-admin.js?ver=

HTML / DOM Fingerprints

JS Globals
window.C9_Variables_Constants