Contests by Rewards Fuel Security & Risk Analysis

wordpress.org/plugins/contests-from-rewards-fuel

Contests by Rewards Fuel encourages your audience to take actions that build your business; it's a win-win for you and your customers!

60 active installs v2.0.66 PHP 5.4+ WP 3.0.1+ Updated Dec 16, 2024
Tags: contests, facebook, giveaways, instagram, sweepstakes
Security score: 90 (A · Safe)
CVEs total: 3
Unpatched: 0
Last CVE: Dec 17, 2024
Safety Verdict

Is Contests by Rewards Fuel Safe to Use in 2026?

Generally Safe

Score 90/100

Contests by Rewards Fuel has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

3 known CVEs · Last CVE: Dec 17, 2024 · Updated 1yr ago
Risk Assessment

The 'contests-from-rewards-fuel' plugin v2.0.66 exhibits a mixed security posture. On the positive side, static analysis indicates strong adherence to secure coding practices in several areas: no SQL injection vulnerabilities were observed, owing to the consistent use of prepared statements, and taint analysis found no critical or high severity issues on unsanitized paths. The plugin also implements capability checks and nonce checks, which are essential for securing administrative functionality. The significant concern is output escaping: only 24% of outputs are properly escaped, leaving a substantial risk of Cross-Site Scripting (XSS), especially given the plugin's history of XSS CVEs. The plugin has a history of three medium severity CVEs, primarily CSRF and XSS, although none are currently unpatched. That history, combined with the poor output escaping, suggests a recurring vulnerability pattern that attackers might exploit.

Key Concerns

  • Low output escaping percentage (24%)
  • History of 3 medium severity CVEs
  • History of XSS and CSRF vulnerabilities
Vulnerabilities (3 published)

Contests by Rewards Fuel Security Vulnerabilities

CVEs by Year

2024: 3 CVEs

Severity Breakdown

Medium: 3 (3 total CVEs)

CVE-2024-12513 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Contests by Rewards Fuel <= 2.0.65 - Authenticated (Contributor+) Stored Cross-Site Scripting

Dec 17, 2024 · Patched in 2.0.66 (1d)

CVE-2024-1785 · medium · 5.4 · Cross-Site Request Forgery (CSRF)

Contests by Rewards Fuel <= 2.0.62 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Mar 19, 2024 · Patched in 2.0.63 (1d)

CVE-2024-1787 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Contests by Rewards Fuel <= 2.0.64 - Authenticated (Contributor+) Stored Cross-Site Scripting via update_rewards_fuel_api_key

Mar 19, 2024 · Patched in 2.0.65 (1d)
Code Analysis
Analyzed Mar 16, 2026

Contests by Rewards Fuel Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 19 (6 escaped)
Nonce Checks: 1
Capability Checks: 6
File Operations: 1
External Requests: 1
Bundled Libraries: 0

Output Escaping

24% escaped (25 total outputs)
Data Flows · Security: All sanitized

Data Flow Analysis

2 flows
  • ajax_handler (includes\class-contests-from-rewards-fuel-admin.php:55)

Columns: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface

Contests by Rewards Fuel Attack Surface

Entry Points: 2
Unprotected: 0

Shortcodes (2)

  • [rf_contest] · public\class-contests-from-rewards-fuel-public.php:99
  • [RF_CONTEST] · public\class-contests-from-rewards-fuel-public.php:100

WordPress Hooks (10)

  • action admin_menu · includes\class-contests-from-rewards-fuel-activator.php:47
  • action admin_init · includes\class-contests-from-rewards-fuel-admin.php:35
  • action admin_menu · includes\class-contests-from-rewards-fuel-admin.php:36
  • action admin_init · includes\class-contests-from-rewards-fuel-admin.php:37
  • action admin_init · includes\class-contests-from-rewards-fuel-admin.php:38
  • action add_meta_boxes · includes\class-contests-from-rewards-fuel-admin.php:39
  • action enqueue_block_editor_assets · includes\class-contests-from-rewards-fuel-admin.php:144
  • action plugins_loaded · includes\class-contests-from-rewards-fuel.php:114
  • action wp_enqueue_scripts · includes\class-contests-from-rewards-fuel.php:140
  • action wp_enqueue_scripts · includes\class-contests-from-rewards-fuel.php:141
Maintenance & Trust

Contests by Rewards Fuel Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.4.8
Last updated: Dec 16, 2024
PHP min version: 5.4
Downloads: 55K

Community Trust

Rating: 88/100
Number of ratings: 65
Active installs: 60
Developer Profile

Contests by Rewards Fuel Developer Profile

Rewards Fuel

1 plugin · 60 total installs

Trust score: 93
Avg Security Score: 90/100
Avg Patch Time: 1 day
Detection Fingerprints

How We Detect Contests by Rewards Fuel

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/contests-from-rewards-fuel/admin/css/contests-from-rewards-fuel-admin.css
  • /wp-content/plugins/contests-from-rewards-fuel/admin/css/dependencies.css
  • /wp-content/plugins/contests-from-rewards-fuel/admin/js/dependencies.js
  • /wp-content/plugins/contests-from-rewards-fuel/admin/js/contests-from-rewards-fuel-admin.js
Script Paths
  • https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js
Version Parameters
  • contests-from-rewards-fuel/admin/css/contests-from-rewards-fuel-admin.css?ver=
  • contests-from-rewards-fuel/admin/css/dependencies.css?ver=
  • contests-from-rewards-fuel/admin/js/dependencies.js?ver=
  • contests-from-rewards-fuel/admin/js/contests-from-rewards-fuel-admin.js?ver=
  • https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
rewards-fuel-plugin-menu
Data Attributes
rf_ajax_nonce
JS Globals
  • CONTESTS_FROM_REWARDS_FUEL_VERSION
  • CONTESTS_FROM_REWARDS_FUEL_BASE_URL
  • CONTESTS_FROM_REWARDS_FUEL_FILE_ROOT
REST Endpoints
/wp-json/rewards-fuel/v1/get_contests
FAQ

Frequently Asked Questions about Contests by Rewards Fuel