Category Posts Widget Security & Risk Analysis

wordpress.org/plugins/category-posts

Adds a widget that shows the most recent posts from a single category.

Active installs: 40K · Version: 4.9.22 · PHP 5.3+ · WP 2.8+ · Updated Feb 7, 2026
Tags: block, categories, category, posts, recent-posts

Security score: 99 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Apr 3, 2025
Safety Verdict

Is Category Posts Widget Safe to Use in 2026?

Generally Safe

Score 99/100

Category Posts Widget has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Apr 3, 2025 · Updated 1mo ago
Risk Assessment

The "category-posts" plugin version 4.9.22 exhibits a generally good security posture based on the provided static analysis. The complete absence of direct attack surface entry points like AJAX handlers, REST API routes, and shortcodes is a significant strength. Furthermore, all identified SQL queries utilize prepared statements, and there are no observed file operations or external HTTP requests, minimizing common web application attack vectors. The plugin also implements capability checks, indicating an awareness of user privilege management. However, a concerning weakness lies in the output escaping, with only 57% of outputs being properly escaped. This leaves a notable portion of the plugin's output potentially vulnerable to Cross-Site Scripting (XSS) attacks, especially if user-supplied data is rendered directly to the page without adequate sanitization. The historical vulnerability data, showing two medium severity CVEs related to XSS and a recent patch in 2025, reinforces the concern around improper output neutralization. While there are no currently unpatched vulnerabilities, the recurring XSS pattern suggests that output handling remains a critical area for improvement.

Key Concerns

  • Output escaping is only 57% proper
  • Bundled outdated library: TinyMCE v4.7
  • Bundled outdated library: Select2 v4.0.3
  • Two medium severity CVEs historically
Vulnerabilities (2)

Category Posts Widget Security Vulnerabilities

CVEs by Year

2024: 1 CVE (patched)
2025: 1 CVE (patched)

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2025-1453 · medium · CVSS 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Category Posts Widget <= 4.9.19 - Authenticated (Admin+) Stored Cross-Site Scripting

Apr 3, 2025 Patched in 4.9.20 (28d)
CVE-2024-9638 · medium · CVSS 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Category Posts Widget <= 4.9.17 - Authenticated (Admin+) Stored Cross-Site Scripting

Dec 17, 2024 Patched in 4.9.18 (29d)
Code Analysis
Analyzed Mar 16, 2026

Category Posts Widget Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 78 (103 escaped)
Nonce Checks: 0
Capability Checks: 9
File Operations: 0
External Requests: 0
Bundled Libraries: 2

Bundled Libraries

TinyMCE 4.7, Select2 4.0.3

Output Escaping

57% escaped (181 total outputs)
Attack Surface

Category Posts Widget Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 31

Type    Hook                                          Location
action  wp_before_admin_bar_render                    cat-posts.php:80
action  admin_bar_menu                                cat-posts.php:83
action  wp_head                                       cat-posts.php:117
action  wp_head                                       cat-posts.php:172
action  admin_enqueue_scripts                         cat-posts.php:245
action  admin_init                                    cat-posts.php:247
action  admin_print_styles-widgets.php                cat-posts.php:269
action  siteorigin_panel_enqueue_admin_scripts        cat-posts.php:272
action  widgets_init                                  cat-posts.php:440
action  save_post                                     cat-posts.php:797
action  customize_register                            cat-posts.php:939
action  customize_save_after                          cat-posts.php:975
filter  mce_external_plugins                          cat-posts.php:1019
filter  mce_buttons                                   cat-posts.php:1044
filter  mce_external_languages                        cat-posts.php:1068
filter  widget_types_to_hide_from_legacy_widget_block cat-posts.php:1085
action  show_user_profile                             cat-posts.php:1091
action  edit_user_profile                             cat-posts.php:1092
action  personal_options_update                       cat-posts.php:1148
action  edit_user_profile_update                      cat-posts.php:1149
action  wp_loaded                                     cat-posts.php:1175
action  wp_footer                                     class-widget.php:454
action  wp_footer                                     class-widget.php:559
action  wp_footer                                     class-widget.php:568
filter  excerpt_length                                class-widget.php:972
filter  excerpt_more                                  class-widget.php:976
filter  the_excerpt                                   class-widget.php:979
filter  get_the_excerpt                               class-widget.php:994
action  wp_footer                                     class-widget.php:1044
action  wp_footer                                     class-widget.php:1086
action  rest_api_init                                 loadmore.php:95
Maintenance & Trust

Category Posts Widget Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 7, 2026
PHP min version: 5.3
Downloads: 1.8M

Community Trust

Rating: 90/100
Number of ratings: 79
Active installs: 40K
Developer Profile

Category Posts Widget Developer Profile

ZephyrWest

2 plugins · 40K total installs

Trust score: 88
Avg Security Score: 92/100
Avg Patch Time: 29 days
Detection Fingerprints

How We Detect Category Posts Widget

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/category-posts/styles/admin/category-posts-widget.css
/wp-content/plugins/category-posts/js/admin/category-posts-widget.min.js
/wp-content/plugins/category-posts/js/admin/category-posts-widget.js
/wp-content/plugins/category-posts/js/frontend/category-posts-frontend.min.js
/wp-content/plugins/category-posts/js/frontend/category-posts-frontend.js

Script Paths
js/admin/category-posts-widget.min.js
js/admin/category-posts-widget.js
js/frontend/category-posts-frontend.min.js
js/frontend/category-posts-frontend.js

Version Parameters
category-posts-widget.css?ver=
category-posts-widget.min.js?ver=
category-posts-widget.js?ver=
category-posts-frontend.min.js?ver=
category-posts-frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
cat-posts-widget
HTML Comments
<!-- Plugin Name: Category Posts Widget -->
<!-- Plugin URI: https://wordpress.org/plugins/category-posts/ -->
<!-- Description: Adds a widget that shows the most recent posts from a single category. -->
<!-- Author: TipTopPress -->
+11 more

Data Attributes
data-catposts-nonce

JS Globals
window.tiptoppress
tiptoppress.accordion
tiptoppress.template_tags
tiptoppress.categoryPosts
window.cwp_default_thumb_selection
Shortcode Output
[catposts
FAQ

Frequently Asked Questions about Category Posts Widget