WP-Safety

WebDefender Security – Protection & AntiSpam Security & Risk Analysis

wordpress.org/plugins/cwis-antivirus-malware-detected

PRO Security – Antivirus Scanner, 2-Layer Protection Hide Security, Brute Force Security & Antispam, Security Website and Security Hardening.

1K active installs v5.0.2.1 PHP + WP 2.8+ Updated Jan 20, 2026
malware-scannerprotectionsecuritysecurity-pluginwordpress-security
100
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is WebDefender Security – Protection & AntiSpam Safe to Use in 2026?

Generally Safe

Score 100/100

WebDefender Security – Protection & AntiSpam has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 3mo ago
Risk Assessment

The "cwis-antivirus-malware-detected" plugin v5.0.2.1 exhibits a concerning security posture due to a significant number of unprotected entry points. All identified AJAX handlers (4) and REST API routes (2) lack proper authentication or permission checks, exposing the plugin to potential unauthorized access and manipulation. While the plugin demonstrates good practices in SQL query preparation (77%) and output escaping (93%), these strengths are heavily overshadowed by the critical lack of security on its primary interaction points.

The static analysis reveals that all 6 identified entry points are unprotected, presenting a substantial attack surface. The presence of the `unserialize` function among dangerous functions is a potential risk, especially when coupled with unsanitized input, although the taint analysis did not report any critical or high-severity flows. The absence of nonce checks on AJAX handlers is a particularly glaring omission, a standard security measure that should be implemented to prevent CSRF attacks.

Furthermore, the plugin has a clean vulnerability history with no recorded CVEs. This might suggest a relatively well-maintained codebase in the past or that vulnerabilities haven't been publicly disclosed. However, the lack of historical issues does not negate the present security weaknesses identified in the code. The plugin's strengths in output escaping and prepared statements are commendable but insufficient to mitigate the risks posed by unprotected AJAX and REST API endpoints.

Key Concerns

  • Unprotected AJAX handlers
  • Unprotected REST API routes
  • Dangerous function 'unserialize' used
  • No nonce checks on AJAX
  • Taint analysis: 3 flows with unsanitized paths
Vulnerabilities
None known

WebDefender Security – Protection & AntiSpam Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

WebDefender Security – Protection & AntiSpam Release Timeline

No version history available.
Code Analysis
Analyzed Mar 16, 2026

WebDefender Security – Protection & AntiSpam Code Analysis

Dangerous Functions
10
Raw SQL Queries
3
10 prepared
Unescaped Output
9
113 escaped
Nonce Checks
0
Capability Checks
3
File Operations
16
External Requests
16
Bundled Libraries
1

Dangerous Functions Found

unserialize$result = $serialized_data ? unserialize( $serialized_data ) : array();cwis-scan\app\Actions\Explorer.php:391
unserialize$result = $serialized_data ? unserialize( $serialized_data ) : array();cwis-scan\app\Actions\Explorer.php:476
unserialize$result = $serialized_data ? unserialize( $serialized_data ) : array();cwis-scan\app\Actions\Files.php:232
unserialize$serialized_data = ( ! empty( $serialized_data ) ) ? unserialize( trim( $serialized_data ) ) : falsecwis-scan\app\Actions\Results.php:200
unserialize$result = $serialized_data ? unserialize( $serialized_data ) : array();cwis-scan\app\Actions\Results.php:262
unserialize$result = $serialized_data ? unserialize( $serialized_data ) : array();cwis-scan\app\Actions\Tree.php:262
unserialize$this->local_results = unserialize( $results_srlzd );cwis-scan\app\Library\CwisLicensing.php:524
unserializereturn $serialized_data ? unserialize( $serialized_data ) : null;cwis-scan\app\Library\CwisProgress.php:308
unserializeif ( is_string( $data ) && unserialize( $data ) !== false ) {cwis-scan\config\cwis-compat.php:140
unserializereturn unserialize( $data );cwis-scan\config\cwis-compat.php:141

Bundled Libraries

Select2

SQL Query Safety

77% prepared13 total queries

Output Escaping

93% escaped122 total outputs
Data Flows · Security
3 unsanitized

Data Flow Analysis

3 flows3 with unsanitized paths
process_router_request (cwis-scan\app\Library\Cwis_Defender_Converter.php:292)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
6 unprotected

WebDefender Security – Protection & AntiSpam Attack Surface

Entry Points6
Unprotected6

AJAX Handlers 4

noprivwp_ajax_cwis_scannercwis-scan\app\Adapters\CwisWP.php:1068
authwp_ajax_cwis_scannercwis-scan\app\Adapters\CwisWP.php:1069
noprivwp_ajax_cwis_restcwis-scan\app\Adapters\CwisWP.php:1070
authwp_ajax_cwis_restcwis-scan\app\Adapters\CwisWP.php:1071

REST API Routes 2

GET/wp-json/cwis/v5/restcwis-scan\app\Adapters\CwisWP.php:986
POST/wp-json/cwis/v5/restcwis-scan\app\Adapters\CwisWP.php:995
WordPress Hooks 16
actionrest_api_initcwis-scan\app\Adapters\CwisWP.php:1072
actionadmin_initcwis-scan\app\Adapters\CwisWP.php:1074
actionadmin_bar_menucwis-scan\app\Adapters\CwisWP.php:1091
actionadmin_menucwis-scan\app\Adapters\CwisWP.php:1092
actionadmin_enqueue_scriptscwis-scan\app\Adapters\CwisWP.php:1095
actionadmin_enqueue_scriptscwis-scan\app\Adapters\CwisWP.php:1096
actionadmin_enqueue_scriptscwis-scan\app\Adapters\CwisWP.php:1097
actionadmin_footercwis-scan\app\Adapters\CwisWP.php:1099
actionupgrader_process_completecwis-scan\app\Adapters\CwisWP.php:1100
filteradmin_memory_limitcwis-scan\app\Library\CwisConfig.php:355
filterwp_memory_limitcwis-scan\app\Library\CwisConfig.php:362
filterpre_option_enable_xmlrpccwis-scan\app\Library\Cwis_Defender_Admin.php:311
filteremoji_svg_urlcwis-scan\app\Library\Cwis_Defender_Admin.php:321
filterrevslider_meta_generatorcwis-scan\app\Library\Cwis_Defender_Admin.php:324
filterthe_generatorcwis-scan\app\Library\Cwis_Defender_Admin.php:331
filterallow_dev_auto_core_updatescwis-scan\app\Library\Cwis_Updater_Methods.php:390
Maintenance & Trust

WebDefender Security – Protection & AntiSpam Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedJan 20, 2026
PHP min version
Downloads274K

Community Trust

Rating80/100
Number of ratings18
Active installs1K
Alternatives

WebDefender Security – Protection & AntiSpam Alternatives

MalCare WordPress Security Plugin – Malware Scanner, Cleaner, Security Firewall

MalCare WordPress Security Plugin – Malware Scanner, Cleaner, Security Firewall

malcare-security

A
100

Get Bulletproof Security for your WordPress site. WordPress security plugin packed with comprehensive Firewall, malware scanner, cleaner & more.

200K No CVEs
SecuPress with Simple SSL – Simple and Performant Security

SecuPress with Simple SSL – Simple and Performant Security

secupress

A
96

Protect your WordPress with SecuPress, analyze and ensure the safety of your website daily.

40K 6 CVEs
Quttera ThreatSign – Web Malware Scanner for WordPress

Quttera ThreatSign – Web Malware Scanner for WordPress

quttera-web-malware-scanner

A
98

WordPress multi-level security scanner detecting malware, 0-day threats, brute-force attacks, bot attacks, and unauthorized admin changes.

10K 3 CVEs
SP Move Login

SP Move Login

sf-move-login

A
100

Move your WordPress login page to protect it from bots. This plugin contains the Move Login module from SecuPress. Other security modules are availabl …

7K No CVEs
Virusdie – One-click website security

Virusdie – One-click website security

virusdie

A
95

Malware scanning & removal, website hardening, patching vulnerabilities, real-time protection against online attacks, blacklist monitoring in a click!

2K 4 CVEs
Developer Profile

WebDefender Security – Protection & AntiSpam Developer Profile

CobWeb Security Ltd.

1 plugin · 1K total installs

94
trust score
Avg Security Score
100/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect WebDefender Security – Protection & AntiSpam

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/cwis-antivirus-malware-detected/cwis-scan/assets/css/backend.css/wp-content/plugins/cwis-antivirus-malware-detected/cwis-scan/assets/css/backend-dark-theme.css/wp-content/plugins/cwis-antivirus-malware-detected/cwis-scan/assets/css/frontend.css/wp-content/plugins/cwis-antivirus-malware-detected/cwis-scan/assets/js/backend.js
Generator Patterns
WebDefender Security – Protection & AntiSpam
Script Paths
/wp-content/plugins/cwis-antivirus-malware-detected/cwis-scan/assets/js/backend.js
Version Parameters
cwis-antivirus-malware-detected/cwis-scan/assets/css/backend.css?ver=cwis-antivirus-malware-detected/cwis-scan/assets/css/backend-dark-theme.css?ver=cwis-antivirus-malware-detected/cwis-scan/assets/css/frontend.css?ver=cwis-antivirus-malware-detected/cwis-scan/assets/js/backend.js?ver=

HTML / DOM Fingerprints

CSS Classes
cwis-dashboard-widget-bodywd-antispam-noticewd-block-ui-spinner-wrap
HTML Comments
<!-- Cwis dashboard --><!-- Security Dashboard -->
Data Attributes
data-wd-plugin-version
JS Globals
cwis_dataWdapp
REST Endpoints
/wp-json/wdapp/v1/installer/wp-json/wdapp/v1/scanner/wp-json/wdapp/v1/check_server_status
FAQ

Frequently Asked Questions about WebDefender Security – Protection & AntiSpam