Dooodl Security & Risk Analysis

wordpress.org/plugins/dooodl

Dooodl is a fun plugin for your blog that allows your visitors to draw a little doodle and save it to your site.

Active installs: 60
Version: 2.3.0
Requirements: PHP + WP 2.7+
Updated: Jul 18, 2024
Tags: doodle, doodles, drawing, guestbook
Score: 70 (B · Generally Safe)
CVEs total: 1
Unpatched: 1
Last CVE: Jan 16, 2026
Safety Verdict

Is Dooodl Safe to Use in 2026?

Mostly Safe

Score 70/100

Dooodl is generally safe to use, though it hasn't been updated recently. 1 past CVE was resolved. Keep it updated.

1 known CVE · 1 unpatched · Last CVE: Jan 16, 2026 · Updated 1yr ago
Risk Assessment

The 'dooodl' v2.3.0 plugin exhibits a concerning security posture due to a significant number of unprotected entry points and a history of vulnerabilities. Static analysis shows that 3 of the 6 entry points, all of them AJAX handlers, lack proper authentication checks; this is a critical oversight that could allow unauthenticated users to trigger potentially harmful actions. The taint analysis further indicates that every analyzed flow involves an unsanitized path, and while no critical or high severity issues were found, this suggests a general lack of input validation and sanitization throughout the codebase. The plugin's vulnerability history is another major red flag, with one currently unpatched medium severity Cross-Site Scripting vulnerability. Combined with the absence of nonce and capability checks among the code signals, this points to a pattern of insecure coding practices that has led to past security flaws. Although the plugin does not appear to use dangerous functions, the raw SQL queries, the low percentage of properly escaped output, and the missing nonce and capability checks on AJAX handlers are significant weaknesses that, together with the existing unpatched vulnerability and unprotected entry points, create a high-risk profile. The presence of bundled libraries such as TinyMCE and Select2, while common, does not mitigate these fundamental flaws.

Key Concerns

  • Unprotected AJAX handlers
  • All Taint Flows have unsanitized paths
  • Unpatched Medium Vulnerability (XSS)
  • SQL queries not fully prepared
  • Low percentage of output escaping
  • No nonce checks on AJAX handlers
  • No capability checks found
Vulnerabilities: 1

Dooodl Security Vulnerabilities

CVEs by Year

2026: 1 CVE · unpatched

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-68871 · medium (6.1) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Dooodl <= 2.3.0 - Reflected Cross-Site Scripting

Jan 16, 2026 · Unpatched
Code Analysis
Analyzed Mar 16, 2026

Dooodl Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 3 (1 prepared)
Unescaped Output: 56 (15 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 2
External Requests: 0
Bundled Libraries: 2

Bundled Libraries

TinyMCE, Select2

SQL Query Safety

25% prepared (4 total queries)

Output Escaping

21% escaped (71 total outputs)
Data Flows: 5 unsanitized

Data Flow Analysis

5 flows, 5 with unsanitized paths

dooodl_handle_bulk_edits (includes\handlers.php:247)
[Flow diagram: source (user input) to sink (dangerous op), with sanitizer and transform steps; paths marked unsanitized or sanitized]
Attack Surface: 3 unprotected

Dooodl Attack Surface

Entry Points: 6
Unprotected: 3

AJAX Handlers (3)

[auth]  wp_ajax_dooodl-get-stats  (includes\actions.php:25)
[auth]  wp_ajax_dooodl-batch-update  (includes\actions.php:26)
[auth]  wp_ajax_dooodl-database-update  (includes\actions.php:27)

Shortcodes (3)

[dooodl_widget] includes\shortcodes.php:127
[dooodl_creator] includes\shortcodes.php:128
[dooodl_gallery] includes\shortcodes.php:129
WordPress Hooks (36)

action  widgets_init  (includes\actions.php:3)
action  init  (includes\actions.php:4)
action  plugins_loaded  (includes\actions.php:8)
action  admin_menu  (includes\actions.php:9)
action  all_admin_notices  (includes\actions.php:10)
action  current_screen  (includes\actions.php:11)
action  add_meta_boxes  (includes\actions.php:12)
action  wp_dashboard_setup  (includes\actions.php:13)
action  admin_enqueue_scripts  (includes\actions.php:14)
action  admin_post_dooodl_delete  (includes\actions.php:16)
action  admin_post_dooodl_approve  (includes\actions.php:17)
action  admin_post_dooodl_unapprove  (includes\actions.php:18)
action  admin_post_dooodl_restore  (includes\actions.php:19)
action  admin_post_dooodl_permadelete  (includes\actions.php:20)
action  init  (includes\actions.php:24)
action  init  (includes\actions.php:30)
action  template_redirect  (includes\actions.php:31)
action  dooodl/creator/post/new  (includes\actions.php:32)
action  dooodl/gallery  (includes\actions.php:33)
action  dooodl/creator  (includes\actions.php:34)
action  dooodl_creator  (includes\actions.php:35)
action  dooodl_gallery  (includes\actions.php:36)
action  dooodl/gallery/xml  (includes\actions.php:37)
action  dooodl/gallery/scroll  (includes\actions.php:38)
filter  set-screen-option  (includes\filters.php:6)
filter  query_vars  (includes\filters.php:7)
filter  post_updated_messages  (includes\filters.php:8)
action  admin_footer  (includes\handlers.php:26)
filter  template_include  (includes\handlers.php:163)
filter  template_include  (includes\handlers.php:167)
action  wp_enqueue_scripts  (includes\handlers.php:188)
action  wp_enqueue_scripts  (includes\handlers.php:189)
action  wp_enqueue_scripts  (includes\handlers.php:193)
action  wp_enqueue_scripts  (includes\handlers.php:194)
action  admin_notices  (includes\migration.php:45)
action  plugins_loaded  (includes\redux_config.php:22)
Maintenance & Trust

Dooodl Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.6.0
Last updated: Jul 18, 2024
PHP min version:
Downloads: 19K

Community Trust

Rating: 86/100
Number of ratings: 7
Active installs: 60
Developer Profile

Dooodl Developer Profile

noCreativity

1 plugin · 60 total installs

Trust score: 73
Avg Security Score: 70/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Dooodl

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/dooodl/assets/migration_manager.js
/wp-content/plugins/dooodl/assets/admin_style.css
/wp-content/plugins/dooodl/creator/css/screen.css
/wp-content/plugins/dooodl/creator/js/script.js
/wp-content/plugins/dooodl/gallery/css/style.css
/wp-content/plugins/dooodl/gallery/js/script.js
Script Paths
/wp-content/plugins/dooodl/assets/migration_manager.js
/wp-content/plugins/dooodl/creator/js/script.js
/wp-content/plugins/dooodl/gallery/js/script.js
Version Parameters
ver=2.3.0

HTML / DOM Fingerprints

CSS Classes
dooodl-creator-wrapper, dooodl-gallery-wrapper, dooodl-image-container
HTML Comments
<!-- Dooodl -->
<!-- Dooodl Creator -->
<!-- Dooodl Gallery -->
Data Attributes
data-dooodl-ajax-url, data-dooodl-nonce, data-dooodl-image-id
JS Globals
window.dooodl_ajax_url, window.dooodl_nonce, var DooodlAdminLabels
Shortcode Output
[dooodl_creator], [dooodl_gallery]
FAQ

Frequently Asked Questions about Dooodl