
Custom Query Shortcode Security & Risk Analysis
wordpress.org/plugins/custom-query-shortcode
A powerful shortcode that enables you to query anything you want and display it however you like, on both pages and posts, and in widgets.
Is Custom Query Shortcode Safe to Use in 2026?
Generally Safe
Score 99/100
Custom Query Shortcode has a strong security track record. Known vulnerabilities have been patched promptly.
The "custom-query-shortcode" plugin exhibits a generally positive security posture based on the static analysis. The absence of dangerous functions, file operations, external HTTP requests, and the use of prepared statements for all SQL queries are strong indicators of secure coding practices. The high percentage of properly escaped output further contributes to a reduced risk of cross-site scripting vulnerabilities. The limited attack surface, with only one shortcode and no unprotected entry points, is also a significant strength.
However, the plugin does have a history of a medium severity vulnerability, specifically a path traversal issue. While this vulnerability is listed as patched, its existence suggests a potential for previously undiscovered or similar vulnerabilities in how it handles file paths or input that could be used to manipulate them. The lack of nonce checks and capability checks, while not directly exploitable through the current static analysis findings, represents a missed opportunity to further harden the plugin against various attack vectors that often exploit these weaknesses.
In conclusion, "custom-query-shortcode" v0.5.0 appears to be a relatively secure plugin due to its adherence to many secure coding principles. The primary concern stems from its past vulnerability, which highlights the importance of ongoing vigilance and thorough security testing. While the current static analysis doesn't reveal immediate critical threats, the absence of certain security checks warrants consideration for future development and auditing.
Key Concerns
- Medium severity vulnerability history
- Missing nonce checks
- Missing capability checks
Custom Query Shortcode Security Vulnerabilities
CVEs by Year
Severity Breakdown
1 total CVE
Custom Query Shortcode <= 0.4.0 - Authenticated (Contributor+) Path Traversal via lens Parameter
Custom Query Shortcode Code Analysis
Output Escaping
Custom Query Shortcode Attack Surface
Shortcodes 1
WordPress Hooks 3
Custom Query Shortcode Maintenance & Trust
Maintenance Signals
Community Trust
Custom Query Shortcode Alternatives
Display Posts – Easy lists, grids, navigation, and more
display-posts-shortcode
Add a listing of content on your website using a simple shortcode. Filter the results by category, author, and more.
Query Shortcode
query-shortcode
An insanely powerful shortcode that enables you to query anything you want and display it however you like.
Mhshohel Faq
mhshohel-faq
FAQ in accordion, with custom post, and shortcode.
Random Post Box
random-post-box
The Random Post Box plugin places a box anywhere on the blog, where it loads random posts one-after-the-other.
DeMomentSomTres Display Posts Shortcode
demomentsomtres-display-posts-shortcode
Display a listing of posts using the [display-posts] shortcode allowing multiple network instances.
Custom Query Shortcode Developer Profile
3 plugins · 130 total installs
How We Detect Custom Query Shortcode
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
- /wp-content/plugins/custom-query-shortcode/assets/css/query-shortcode.css
- /wp-content/plugins/custom-query-shortcode/assets/js/query-shortcode.js
- custom-query-shortcode/assets/css/query-shortcode.css?ver=
- custom-query-shortcode/assets/js/query-shortcode.js?ver=
HTML / DOM Fingerprints
- cqs-grid
- cqs-grid-item
- data-cqs-cols
- [query]
- <!-- Start of query shortcode -->
- <!-- End of query shortcode -->