Client Showcase Security & Risk Analysis

wordpress.org/plugins/client-showcase

Display your clients with pride. This plugin displays your clients' logos in a page or post using a shortcode, or via the custom widget.

30 active installs · v1.2.0 · PHP + WP 4.0+ · Updated Mar 23, 2017
Tags: client-list, client-showcase, clients, clients-logo, display-clients
Score: 64 · Grade C · Use Caution
CVEs total: 1
Unpatched: 1
Last CVE: Apr 1, 2025
Safety Verdict

Is Client Showcase Safe to Use in 2026?

Use With Caution

Score 64/100

Client Showcase has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE · 1 unpatched · Last CVE: Apr 1, 2025 · Updated 9yr ago
Risk Assessment

The client-showcase plugin v1.2.0 exhibits a concerning security posture due to a significant lack of input validation and output escaping, coupled with a known unpatched vulnerability. The static analysis reveals an unprotected AJAX handler, which presents a direct entry point for attackers. The high percentage of unescaped output (96%) is particularly alarming and suggests a strong likelihood of Cross-Site Scripting (XSS) vulnerabilities. This is corroborated by the vulnerability history: a medium-severity XSS vulnerability from April 2025 remains unpatched, indicating a pattern of insecure coding practices and a lack of diligent security patching. While the plugin does not use dangerous functions, perform file operations, or make external HTTP requests, these strengths are overshadowed by the critical weaknesses in handling user input and securing entry points. The absence of nonce and capability checks on the identified AJAX handler is a significant oversight, leaving that handler without CSRF protection or an authorization check.

Key Concerns

  • Unprotected AJAX handler
  • High percentage of unsanitized output
  • Unpatched medium severity CVE
  • Flows with unsanitized paths
  • Missing nonce checks
  • Missing capability checks
  • Low percentage of prepared SQL statements
Vulnerabilities
1

Client Showcase Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2025-31737 · medium · CVSS 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Client Showcase <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Apr 1, 2025 · Unpatched
Code Analysis
Analyzed Mar 16, 2026

Client Showcase Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 3 · 2 prepared
Unescaped Output: 26 · 1 escaped
Nonce Checks: 0
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

40% prepared (2 of 5 total queries)

Output Escaping

4% escaped (1 of 27 total outputs)
Data Flows
3 unsanitized

Data Flow Analysis

3 flows · 3 with unsanitized paths
create_client_showcase_options_page (client-showcase.php:279)
Attack Surface
1 unprotected

Client Showcase Attack Surface

Entry Points: 2
Unprotected: 1

AJAX Handlers 1

auth · wp_ajax_client_showcase_update_order · client-showcase.php:42

Shortcodes 1

[showcase] · client-showcase.php:52
WordPress Hooks 11
action · init · client-showcase.php:30
action · init · client-showcase.php:31
action · add_meta_boxes · client-showcase.php:32
action · display_content_type_meta · client-showcase.php:35
filter · manage_edit-client_showcase_columns · client-showcase.php:37
action · manage_posts_custom_column · client-showcase.php:38
action · admin_menu · client-showcase.php:40
action · admin_notices · client-showcase.php:44
action · admin_init · client-showcase.php:45
action · wp_enqueue_scripts · client-showcase.php:51
action · widgets_init · client-showcase.php:486
Maintenance & Trust

Client Showcase Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.7.32
Last updated: Mar 23, 2017
PHP min version: (not listed)
Downloads: 5K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 30
Developer Profile

Client Showcase Developer Profile

dxladner

3 plugins · 360 total installs

Trust score: 79
Avg Security Score: 78/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Client Showcase

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/client-showcase/css/client-showcase-public-styles.css

HTML / DOM Fingerprints

CSS Classes
client_showcase_widget_size
Data Attributes
client_url
Shortcode Output
<ul id="listStyle"><li id="listStyle">
FAQ

Frequently Asked Questions about Client Showcase