Customize Widgets Plus Security & Risk Analysis

wordpress.org/plugins/customize-widgets-plus

Lab features and a testbed for improvements to Widgets and the Customizer.

10 active installs · v0.2 · PHP + · WP + · Updated Jun 3, 2015
Tags: customize, customizer, widgets
85 · A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Customize Widgets Plus Safe to Use in 2026?

Generally Safe

Score 85/100

Customize Widgets Plus has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 10yr ago
Risk Assessment

The "customize-widgets-plus" v0.2 plugin shows a generally good security posture: a very small attack surface and a high proportion of properly escaped output. Its SQL handling is strong, with every query using prepared statements, and its vulnerability history is clean, with no known CVEs. The presence of three unserialize() calls is, however, a significant concern. PHP's unserialize() is inherently risky because it instantiates objects directly from the serialized input, so it can lead to PHP object injection unless the data's source is trusted and the data is validated before deserialization.

Static analysis found no direct taint flow with an unsanitized path reaching a critical or high-severity sink, but the potential for unserialize() to be exploited remains. The one reported flow with an unsanitized path, even though not rated critical, warrants attention, especially in combination with the unserialize() calls. The absence of documented vulnerabilities may mean that the plugin is not a frequent target, or that its current implementation has not been successfully exploited to date despite those calls; it is not a guarantee of future safety.

In conclusion, the plugin's strengths are its limited attack surface, secure SQL handling and good output escaping. Its primary weakness is the use of unserialize(). Although the taint analysis did not tie those calls to an immediate critical vulnerability, deserialization of data that an attacker could influence is the most significant risk factor present. Reviewing how and where unserialize() is called, and confirming whether the data it processes can be influenced by untrusted input, is therefore strongly recommended.

Key Concerns

  • Dangerous function calls (unserialize)
  • Taint flow with unsanitized paths
Vulnerabilities
None known

Customize Widgets Plus Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

Customize Widgets Plus Code Analysis

Dangerous Functions: 3
Raw SQL Queries: 0 (4 prepared)
Unescaped Output: 2 (14 escaped)
Nonce Checks: 2
Capability Checks: 1
File Operations: 1
External Requests: 1
Bundled Libraries: 0

Dangerous Functions Found

Function | Location | Code
unserialize | php\class-widget-posts-cli-command.php:308 | $instances_by_type[ $matches['id_base'] ] = unserialize( $option_value );
unserialize | php\class-widget-posts.php:630 | $instance = unserialize( $decoded_instance );
unserialize | php\class-widget-posts.php:632 | $instance = unserialize( $post_content_filtered );

SQL Query Safety

100% prepared (4 total queries)

Output Escaping

88% escaped (16 total outputs)
Data Flows
1 unsanitized

Data Flow Analysis

1 flow, 1 with unsanitized paths
<class-widget-number-incrementing> (php\class-widget-number-incrementing.php:0)
Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface

Customize Widgets Plus Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 35
Type | Hook | Location
action | admin_notices | customize-widgets-plus.php:40
filter | customize_dynamic_setting_class | php\class-efficient-multidimensional-setting-sanitizing.php:67
action | widgets_init | php\class-efficient-multidimensional-setting-sanitizing.php:69
action | wp_loaded | php\class-efficient-multidimensional-setting-sanitizing.php:74
action | customize_save | php\class-efficient-multidimensional-setting-sanitizing.php:76
action | customize_save_after | php\class-efficient-multidimensional-setting-sanitizing.php:77
action | wp | php\class-efficient-multidimensional-setting-sanitizing.php:195
action | init | php\class-https-resource-proxy.php:46
filter | query_vars | php\class-https-resource-proxy.php:47
filter | redirect_canonical | php\class-https-resource-proxy.php:48
action | template_redirect | php\class-https-resource-proxy.php:49
action | init | php\class-https-resource-proxy.php:50
filter | wp_unique_post_slug_is_bad_flat_slug | php\class-https-resource-proxy.php:51
filter | wp_unique_post_slug_is_bad_hierarchical_slug | php\class-https-resource-proxy.php:52
filter | script_loader_src | php\class-https-resource-proxy.php:115
filter | style_loader_src | php\class-https-resource-proxy.php:116
action | wp_enqueue_scripts | php\class-https-resource-proxy.php:117
action | widgets_init | php\class-non-autoloaded-widget-options.php:37
action | after_setup_theme | php\class-plugin.php:62
action | wp_default_scripts | php\class-plugin.php:123
action | wp_default_styles | php\class-plugin.php:124
action | customize_controls_enqueue_scripts | php\class-plugin.php:125
action | widgets_init | php\class-widget-number-incrementing.php:36
action | customize_controls_enqueue_scripts | php\class-widget-number-incrementing.php:38
action | admin_enqueue_scripts | php\class-widget-number-incrementing.php:39
filter | customize_refresh_nonces | php\class-widget-number-incrementing.php:40
action | widget_posts_import_skip_existing | php\class-widget-posts-cli-command.php:103
action | widget_posts_import_success | php\class-widget-posts-cli-command.php:109
action | widget_posts_import_failure | php\class-widget-posts-cli-command.php:124
action | widgets_init | php\class-widget-posts.php:79
action | widgets_init | php\class-widget-posts.php:129
action | init | php\class-widget-posts.php:130
action | the_post | php\class-widget-posts.php:204
action | pre_get_posts | php\class-widget-posts.php:555
action | widgets_init | php\class-wp-customize-widget-setting.php:128
Maintenance & Trust

Customize Widgets Plus Maintenance & Trust

Maintenance Signals

WordPress version tested
Last updated: Jun 3, 2015
PHP min version
Downloads: 3K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 10
Developer Profile

Customize Widgets Plus Developer Profile

Weston Ruter

22 plugins · 437K total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 4499 days
Detection Fingerprints

How We Detect Customize Widgets Plus

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/customize-widgets-plus/php/assets/js/customizer-widgets-plus.js
Script Paths
/wp-content/plugins/customize-widgets-plus/php/assets/js/customizer-widgets-plus.js
Version Parameters
customize-widgets-plus/php/assets/js/customizer-widgets-plus.js?ver=

HTML / DOM Fingerprints

CSS Classes
widget-control-title, widget-content-wrap, customize-widget-instance
Data Attributes
data-customize-widget-id
JS Globals
wp.customize.Widgets.SectionWidget
REST Endpoints
/wp-json/customize-widgets-plus/v1/settings
FAQ

Frequently Asked Questions about Customize Widgets Plus