Category Column Security & Risk Analysis

wordpress.org/plugins/category-coloumn

The Category Column does simply what the name says: it shows excerpts of the latest posts in your sidebar.

20 active installs · v4.5 · PHP min version not stated · WP 2.9+ · Updated Feb 26, 2016
Tags: category, column, newspaper, sidebar, widget

Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Category Column Safe to Use in 2026?

Generally Safe

Score 85/100

Category Column has no known CVEs, but it has not been updated since Feb 26, 2016 (ten years before this review) and is only tested up to WordPress 4.5.33. Treat it as unmaintained: the static analysis below flags largely unescaped output and a PHP function that no longer exists in current PHP, so confirm it still loads on your PHP version and review the widget output before relying on it.

No known CVEs · Updated 10yr ago
Risk Assessment

The 'category-coloumn' v4.5 plugin presents a mixed security posture.

On the positive side, it has no recorded vulnerabilities (CVEs), and its attack surface is small: the analysis found no AJAX handlers, REST API routes or shortcodes at all, so nothing is exposed unprotected. Both SQL queries use prepared statements, which is good practice.

The static code analysis raises several concerns, however. The plugin calls the dangerous function `create_function` (class-lib\CC_WidgetClass.php:351). In this instance the argument is a constant string, so it is not injectable from user input, but `create_function` was deprecated in PHP 7.2 and removed in PHP 8.0: on PHP 8 this line is a fatal error and the widget is never registered. More serious is output escaping: 76% of output (65 of 85 outputs) is not escaped, which is a substantial Cross-Site Scripting (XSS) exposure if any of that output derives from user input or external data. Taint analysis also reports two flows with unsanitized paths (the one listed is file_template in class-lib\A5_DynamicFileClass.php), suggesting possible data leakage or manipulation, although neither reached critical or high severity. The plugin performs no nonce checks and no capability checks, so any state-changing handler it has relies entirely on WordPress's own admin protections. The absence of external HTTP requests, and only a single file operation, limit the blast radius but do not offset the issues in the code itself.

In conclusion, the plugin benefits from a clean vulnerability history, prepared SQL and a small attack surface, but the weak output escaping, the use of `create_function` and the missing nonce and capability checks make it a moderate to high risk, particularly for XSS.

Key Concerns

  • Dangerous function create_function used
  • Significant portion of output unescaped
  • Taint flows with unsanitized paths
  • No nonce checks implemented
  • No capability checks implemented
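The block below is an added example written for this review, not code from the Category Column plugin. It places each of the three flagged patterns beside a hardened form using standard WordPress APIs, and assumes it runs inside a loaded WordPress plugin; the `cc_example_*` function names, the option name and the nonce action are hypothetical.

```php
<?php
// Added example for this review (not the plugin's own code).
// Assumes WordPress is loaded; all cc_example_* names are hypothetical.

// 1. create_function(): deprecated in PHP 7.2, removed in PHP 8.0.
//    The plugin's call passes a constant string, so it is not injectable,
//    but on PHP 8 it is a fatal error and the widget never registers.
//    Flagged form:
//    add_action('widgets_init', create_function('', 'return register_widget("Category_Column_Widget");'));
//    Hardened form: a closure does the same without eval()-style code generation.
add_action('widgets_init', function () {
    register_widget('Category_Column_Widget');
});

// 2. Output escaping: escape for the HTML context the value lands in.
//    Unescaped form (a title containing <script>, or a URL with a quote,
//    breaks out of the markup):
//    return '<a href="' . $url . '">' . $title . '</a>';
function cc_example_render_title(string $title, string $url): string
{
    return '<a href="' . esc_url($url) . '">' . esc_html($title) . '</a>';
}

// 3. Capability check (who may do this) plus nonce check (was it intended)
//    on a settings save handler. The plugin has neither.
function cc_example_save_options(): void
{
    if (!isset($_POST['cc_example_options'])) {
        return;
    }
    // Authorization: only users allowed to manage site options.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions');
    }
    // CSRF protection: check_admin_referer() dies if the nonce is missing/invalid.
    check_admin_referer('cc_example_save', 'cc_example_nonce');

    $opts = wp_unslash($_POST['cc_example_options']);
    update_option('cc_example_options', array(
        'title' => sanitize_text_field($opts['title'] ?? ''),
        'count' => absint($opts['count'] ?? 5),
    ));
}
add_action('admin_init', 'cc_example_save_options');

// The form side: emits the hidden nonce field that check_admin_referer() verifies.
function cc_example_nonce_field(): void
{
    wp_nonce_field('cc_example_save', 'cc_example_nonce');
}
```

The order in the save handler matters little for correctness, but checking capability first keeps an unauthenticated request from reaching the nonce logic at all. Escaping is applied at output time rather than on save, so stored values stay usable in other contexts (attributes, JavaScript, URLs) with the matching `esc_*` call.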
Vulnerabilities
None known

Category Column Security Vulnerabilities

No known vulnerabilities. With 20 active installs and no release since 2016, this more likely reflects limited scrutiny than demonstrated security, so weigh it together with the code analysis below.
Code Analysis
Analyzed Mar 16, 2026

Category Column Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (2 prepared)
Unescaped Output: 65 (20 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 1
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

create_function (class-lib\CC_WidgetClass.php:351):
    add_action('widgets_init', create_function('', 'return register_widget("Category_Column_Widget");'))

SQL Query Safety

100% prepared (2 total queries)

Output Escaping

24% escaped (85 total outputs)
Data Flows
2 unsanitized

Data Flow Analysis

2 flows, 2 with unsanitized paths
file_template (class-lib\A5_DynamicFileClass.php:68)
Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface

Category Column Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 14

Type    Hook                        Location
action  save_post                   category_column.php:64
action  deleted_post                category_column.php:65
action  switch_theme                category_column.php:66
action  admin_enqueue_scripts       category_column.php:68
filter  plugin_row_meta             category_column.php:70
filter  plugin_action_links         category_column.php:71
action  init                        category_column.php:80
action  wp_before_admin_bar_render  category_column.php:84
action  init                        class-lib\A5_DynamicFileClass.php:43
action  template_redirect           class-lib\A5_DynamicFileClass.php:44
action  admin_init                  class-lib\CC_AdminClass.php:20
action  admin_menu                  class-lib\CC_AdminClass.php:21
action  admin_enqueue_scripts       class-lib\CC_AdminClass.php:22
action  widgets_init                class-lib\CC_WidgetClass.php:351
Maintenance & Trust

Category Column Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.5.33
Last updated: Feb 26, 2016
PHP min version: not stated
Downloads: 15K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 20
Developer Profile

Category Column Developer Profile

tepelstreel

8 plugins · 3K total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Category Column

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/category-coloumn/class-lib/A5_ImageClass.php
/wp-content/plugins/category-coloumn/class-lib/A5_ExcerptClass.php
/wp-content/plugins/category-coloumn/class-lib/A5_FormFieldClass.php
/wp-content/plugins/category-coloumn/class-lib/A5_OptionPageClass.php
/wp-content/plugins/category-coloumn/class-lib/A5_DynamicFileClass.php
/wp-content/plugins/category-coloumn/class-lib/A5_WidgetClass.php
/wp-content/plugins/category-coloumn/class-lib/CC_AdminClass.php
/wp-content/plugins/category-coloumn/class-lib/CC_DynamicCSSClass.php
+1 more
Script Paths
/wp-content/plugins/category-coloumn/ta-expander.js
/wp-content/plugins/category-coloumn/ta-expander.min.js
Version Parameters
category-coloumn/ta-expander.js?ver=
category-coloumn/ta-expander.min.js?ver=

HTML / DOM Fingerprints

Data Attributes
data-cc_options
JS Globals
CategoryColumn
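As an added example for this review (not the scanner this site uses), the function below matches the fingerprints listed above against one fetched HTML document and builds the probe URLs for an active check. The sample page is constructed; the `cc_detect` and `cc_probe_urls` names and the `example.test` host are hypothetical.

```php
<?php
// Added example for this review (not the site's scanner).
// The sample HTML below is constructed; function names are hypothetical.

function cc_detect(string $html): array
{
    $signals = array();
    $version = null;

    // Script path, with the optional ?ver= parameter. The captured value is
    // whatever the site emitted: wp_enqueue_script() falls back to the
    // WordPress version when the plugin passes none, so it is not
    // necessarily the plugin version.
    if (preg_match(
        '#/wp-content/plugins/category-coloumn/ta-expander(?:\.min)?\.js(?:\?ver=([^"\'&\s<>]+))?#',
        $html,
        $m
    )) {
        $signals[] = 'script_path';
        if (isset($m[1]) && $m[1] !== '') {
            $version = $m[1];
        }
    }

    // Any other reference under the plugin directory (stylesheets, images).
    // The class-lib/*.php files are server-side and do not normally appear
    // in markup; they are targets for active probing instead.
    if (preg_match('#/wp-content/plugins/category-coloumn/(?!ta-expander)#', $html)) {
        $signals[] = 'asset_path';
    }

    // DOM data attribute and JS global fingerprints.
    if (strpos($html, 'data-cc_options') !== false) {
        $signals[] = 'data_attribute';
    }
    if (preg_match('/\bCategoryColumn\b/', $html)) {
        $signals[] = 'js_global';
    }

    return array(
        'detected' => count($signals) > 0,
        'signals'  => $signals,
        'version'  => $version,
    );
}

// Probe URLs for an active check (HEAD/GET) when the markup gives nothing
// away. Requesting a .php file executes it on the target, so only use this
// against sites you are authorized to test.
function cc_probe_urls(string $base): array
{
    $paths = array(
        '/wp-content/plugins/category-coloumn/ta-expander.js',
        '/wp-content/plugins/category-coloumn/ta-expander.min.js',
        '/wp-content/plugins/category-coloumn/class-lib/A5_DynamicFileClass.php',
    );
    $urls = array();
    foreach ($paths as $p) {
        $urls[] = rtrim($base, '/') . $p;
    }
    return $urls;
}

// Constructed sample page carrying three of the fingerprints.
$sample = '<html><head>'
    . '<script src="https://example.test/wp-content/plugins/category-coloumn/ta-expander.min.js?ver=4.5"></script>'
    . '</head><body>'
    . '<div class="widget" data-cc_options="{&quot;cols&quot;:2}"></div>'
    . '<script>var CategoryColumn = {};</script>'
    . '</body></html>';

print_r(cc_detect($sample));
print_r(cc_probe_urls('https://example.test/'));
```

Passive matching on the script path plus the `data-cc_options` attribute is enough to identify the plugin without touching it; the probe list is for hosts that strip or bundle assets, and a 200 on the minified script is a strong confirmation because the path is unique to this plugin slug.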
FAQ

Frequently Asked Questions about Category Column