Display Yelp Widget Security & Risk Analysis

wordpress.org/plugins/display-yelp-widget

Displays your business's Yelp rating and reviews.

0 active installs v1.2.0 PHP 5.6+ WP 4.0+ Updated Feb 15, 2019
ratingratingsreviewreviewsyelp
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Safety Verdict

Is Display Yelp Widget Safe to Use in 2026?

Generally Safe

Score 85/100

Display Yelp Widget has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 7yr ago
Risk Assessment

The "display-yelp-widget" plugin v1.2.0 presents a mixed security posture. On the positive side, the static analysis reveals a very small attack surface with no discovered AJAX handlers, REST API routes, shortcodes, or cron events. Furthermore, all identified SQL queries utilize prepared statements, and there are no reported CVEs, indicating a generally low level of historically exploitable issues. However, there are significant concerns stemming from the code analysis. The presence of the `create_function` is a critical security risk as it is deprecated and can be used to execute arbitrary PHP code, especially when combined with unsanitized input, which is a common pattern for this function. Additionally, a substantial portion of the output (42%) is not properly escaped, which could lead to Cross-Site Scripting (XSS) vulnerabilities if user-supplied data is displayed without adequate sanitization. The lack of nonce and capability checks on any potential entry points, though currently zero, leaves the plugin vulnerable if new entry points are added in the future without proper security controls. The single external HTTP request, while not inherently a vulnerability, warrants scrutiny to ensure it doesn't fetch untrusted data or execute callbacks from an external source without validation.

Key Concerns

  • Use of deprecated and dangerous function create_function
  • Significant amount of unescaped output (42%)
  • Lack of nonce checks on entry points
  • Lack of capability checks on entry points
Vulnerabilities
None known

Display Yelp Widget Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Display Yelp Widget Release Timeline

No version history available.
Code Analysis
Analyzed Mar 17, 2026

Display Yelp Widget Code Analysis

Dangerous Functions
1
Raw SQL Queries
0
0 prepared
Unescaped Output
19
26 escaped
Nonce Checks
0
Capability Checks
0
File Operations
0
External Requests
1
Bundled Libraries
0

Dangerous Functions Found

create_functionadd_filter('extra_plugin_headers', create_function('', 'return array("GitHub Plugin URI","Twitter");includes\display-yelp-widget-admin.php:226

Output Escaping

58% escaped45 total outputs
Attack Surface

Display Yelp Widget Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 6
actionadmin_menuincludes\display-yelp-widget-admin.php:12
actionadmin_enqueue_scriptsincludes\display-yelp-widget-admin.php:17
actionadmin_initincludes\display-yelp-widget-admin.php:20
filterextra_plugin_headersincludes\display-yelp-widget-admin.php:226
actionwp_enqueue_scriptsincludes\display-yelp-widget.php:19
actionwidgets_initincludes\display-yelp-widget.php:330
Maintenance & Trust

Display Yelp Widget Maintenance & Trust

Maintenance Signals

WordPress version tested5.1.0
Last updatedFeb 15, 2019
PHP min version5.6
Downloads1K

Community Trust

Rating0/100
Number of ratings0
Active installs0
Developer Profile

Display Yelp Widget Developer Profile

Magda Sicknick

7 plugins · 80 total installs

84
trust score
Avg Security Score
85/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Display Yelp Widget

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/display-yelp-widget/assets/css/style-admin.css
Version Parameters
display-yelp-widget/assets/css/style-admin.css?ver=

HTML / DOM Fingerprints

Data Attributes
name='display_yelp_widget_settings[api_key]'name='display_yelp_widget_settings[style]'id='yel-widget-no-style-y'id='yel-widget-no-style-n'
FAQ

Frequently Asked Questions about Display Yelp Widget