CiviCRM Contribution Page Widget Security & Risk Analysis

wordpress.org/plugins/civicrm-contribution-page-widget

Displays contribution page widgets from CiviContribute as native WordPress widgets.

30 active installs v0.1 PHP + WP 3.3+ Updated Sep 10, 2015
civicrmevents
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Safety Verdict

Is CiviCRM Contribution Page Widget Safe to Use in 2026?

Generally Safe

Score 85/100

CiviCRM Contribution Page Widget has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 10yr ago
Risk Assessment

The "civicrm-contribution-page-widget" plugin version 0.1 presents a concerning security posture despite its seemingly small attack surface and lack of historical vulnerabilities. The static analysis reveals a critical weakness: 100% of output is not properly escaped. This indicates a high risk of Cross-Site Scripting (XSS) vulnerabilities, allowing attackers to inject malicious scripts into the site through the plugin's output. Furthermore, the complete absence of capability checks and nonce checks, combined with zero AJAX handlers and REST API routes being analyzed for authorization, suggests a lack of fundamental security controls that are essential for protecting against unauthorized actions and CSRF attacks. While there are no recorded CVEs, this might be due to the plugin's limited adoption or the reporting of vulnerabilities in prior versions not being captured. The absence of dangerous functions and SQL injection risks is positive, but it does not mitigate the severe risk posed by unescaped output and missing authorization checks. The plugin's current state suggests a need for immediate code review and remediation to address these critical security flaws.

Key Concerns

  • Output escaping is not implemented
  • No capability checks found
  • No nonce checks found
Vulnerabilities
None known

CiviCRM Contribution Page Widget Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

CiviCRM Contribution Page Widget Release Timeline

v0.1Current
Code Analysis
Analyzed Apr 16, 2026

CiviCRM Contribution Page Widget Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
6
0 escaped
Nonce Checks
0
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

0% escaped6 total outputs
Attack Surface

CiviCRM Contribution Page Widget Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 1
actionwidgets_initcivicontribute-widget.php:29
Maintenance & Trust

CiviCRM Contribution Page Widget Maintenance & Trust

Maintenance Signals

WordPress version tested4.2.39
Last updatedSep 10, 2015
PHP min version
Downloads3K

Community Trust

Rating0/100
Number of ratings0
Active installs30
Developer Profile

CiviCRM Contribution Page Widget Developer Profile

Andie Hunt

2 plugins · 230 total installs

84
trust score
Avg Security Score
85/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect CiviCRM Contribution Page Widget

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/civicrm-contribution-page-widget/civicontribute-widget.php

HTML / DOM Fingerprints

CSS Classes
civicontribute-widgetcivicontribute-widget-civicontribute-widget-widget
Data Attributes
id="civicontribute-widget-widget-id"
FAQ

Frequently Asked Questions about CiviCRM Contribution Page Widget