WP-Safety

Dropcaps Shortcode and Widget Security & Risk Analysis

wordpress.org/plugins/dropcaps-shortcodes-and-widget

Create Dropcaps. Nice and easy interface. Insert anywhere in your site - page/post editor, sidebars, template files.

200 active installs v1.8 PHP + WP 3.6+ Updated Mar 3, 2022
buttondrop-capsdropcapsshortcodewidgets
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is Dropcaps Shortcode and Widget Safe to Use in 2026?

Generally Safe

Score 85/100

Dropcaps Shortcode and Widget has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 4yr ago
Risk Assessment

The "dropcaps-shortcodes-and-widget" plugin version 1.8 presents a significant security risk due to a large, unprotected attack surface. All six identified AJAX handlers lack authentication checks, making them prime targets for unauthorized actions. This is further exacerbated by the presence of the `unserialize` function, a known vulnerability vector, and taint analysis revealing three flows with unsanitized paths, indicating potential for code injection or data manipulation. The absence of any capability checks or nonce verification on these AJAX endpoints means that any authenticated user, or even an unauthenticated user if the endpoints are directly accessible, could potentially trigger malicious actions.

Despite these critical concerns, the plugin demonstrates good practices in other areas, such as using prepared statements for all SQL queries and a moderate level of output escaping. The lack of any recorded vulnerabilities in its history is a positive sign, suggesting that the core functionality might not have been historically exploited or that the current version has improved over time. However, the current static analysis findings outweigh this positive history. The combination of unprotected entry points and the `unserialize` function, along with the identified unsanitized taint flows, creates a high-risk profile that requires immediate attention. A more robust approach to securing AJAX handlers and scrutinizing the use of `unserialize` is strongly recommended.

Key Concerns

  • 6 unprotected AJAX handlers
  • Presence of unserialize function
  • 3 unsanitized taint flows (High severity)
  • No nonce checks on AJAX handlers
  • No capability checks on AJAX handlers
  • Moderate output escaping (55%)
Vulnerabilities
None known

Dropcaps Shortcode and Widget Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Dropcaps Shortcode and Widget Code Analysis

Dangerous Functions
1
Raw SQL Queries
0
0 prepared
Unescaped Output
19
23 escaped
Nonce Checks
0
Capability Checks
0
File Operations
3
External Requests
0
Bundled Libraries
2

Dangerous Functions Found

unserialize$value = unserialize( urldecode( $value ) );include\otw_components\otw_functions\otw_functions.php:596

Bundled Libraries

Select2TinyMCE

Output Escaping

55% escaped42 total outputs
Data Flows
3 unsanitized

Data Flow Analysis

3 flows3 with unsanitized paths
otw_get (include\otw_components\otw_functions\otw_functions.php:558)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
6 unprotected

Dropcaps Shortcode and Widget Attack Surface

Entry Points6
Unprotected6

AJAX Handlers 6

authwp_ajax_otw_shortcode_editor_dialoginclude\otw_components\otw_shortcode\otw_shortcode.class.php:166
authwp_ajax_otw_shortcode_get_codeinclude\otw_components\otw_shortcode\otw_shortcode.class.php:167
authwp_ajax_otw_shortcode_live_previewinclude\otw_components\otw_shortcode\otw_shortcode.class.php:168
authwp_ajax_otw_shortcode_live_reloadinclude\otw_components\otw_shortcode\otw_shortcode.class.php:169
authwp_ajax_otw_shortcode_preview_shortcodesinclude\otw_components\otw_shortcode\otw_shortcode.class.php:170
authwp_ajax_otw_shortcode_preview_front_shortcodesinclude\otw_components\otw_shortcode\otw_shortcode.class.php:171
WordPress Hooks 11
actionwp_enqueue_scriptsinclude\otw_components\otw_functions\otw_component.class.php:90
actionadmin_enqueue_scriptsinclude\otw_components\otw_functions\otw_component.class.php:94
actionadmin_footerinclude\otw_components\otw_shortcode\otw_shortcode.class.php:164
filtermce_external_pluginsinclude\otw_components\otw_shortcode\otw_shortcode.class.php:175
filtermce_buttonsinclude\otw_components\otw_shortcode\otw_shortcode.class.php:176
actionwp_footerinclude\otw_components\otw_shortcode\otw_shortcode.class.php:185
actionadmin_menuinclude\otw_dcsw_functions.php:41
actionadmin_print_stylesinclude\otw_dcsw_functions.php:43
actionadmin_enqueue_scriptsinclude\otw_dcsw_functions.php:45
actioninitotw_content_manager.php:64
actionwidgets_initotw_content_manager.php:65
Maintenance & Trust

Dropcaps Shortcode and Widget Maintenance & Trust

Maintenance Signals

WordPress version tested5.9.13
Last updatedMar 3, 2022
PHP min version
Downloads10K

Community Trust

Rating74/100
Number of ratings3
Active installs200
Alternatives

Dropcaps Shortcode and Widget Alternatives

Quotes Shortcode and Widget

Quotes Shortcode and Widget

quotes-shortcode-and-widget

A
85

Create Quotes. Nice and easy interface. Insert anywhere in your site - page/post editor, sidebars, template files.

200 No CVEs
Tipi Components

Tipi Components

tipi-components

A
85

Tipi Components is a lightweight plugin to add some handy extra tools to your site.

10 No CVEs
WP GitHub Buttons

WP GitHub Buttons

wp-github-buttons

A
100

Displays GitHub buttons.

10 No CVEs
Contact Form by BestWebSoft – Advanced WP Contact Form Builder for WordPress

Contact Form by BestWebSoft – Advanced WP Contact Form Builder for WordPress

contact-form-plugin

C
67

The most powerful and user-friendly WordPress contact form plugin. Create beautiful contact forms, widgets and pages using shortcodes.

30K 1 unpatched
Forget About Shortcode Buttons

Forget About Shortcode Buttons

forget-about-shortcode-buttons

A
91

A visual way to add CSS buttons in the rich text editor and to your themes.

30K 2 CVEs
Developer Profile

Dropcaps Shortcode and Widget Developer Profile

OTWthemes

12 plugins · 6K total installs

70
trust score
Avg Security Score
66/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Dropcaps Shortcode and Widget

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/dropcaps-shortcodes-and-widget/include/otw_components/otw_form/css/colorpicker.css/wp-content/plugins/dropcaps-shortcodes-and-widget/include/otw_components/otw_form/css/datetimepicker.css/wp-content/plugins/dropcaps-shortcodes-and-widget/include/otw_components/otw_form/css/otw_form_admin.css/wp-content/plugins/dropcaps-shortcodes-and-widget/include/otw_components/otw_form/css/select2.min.css/wp-content/plugins/dropcaps-shortcodes-and-widget/include/otw_components/otw_form/js/colorpicker.js/wp-content/plugins/dropcaps-shortcodes-and-widget/include/otw_components/otw_form/js/datetimepicker.js/wp-content/plugins/dropcaps-shortcodes-and-widget/include/otw_components/otw_form/js/otw_form_admin.js/wp-content/plugins/dropcaps-shortcodes-and-widget/include/otw_components/otw_form/js/select2.full.min.js
Script Paths
/wp-content/plugins/dropcaps-shortcodes-and-widget/include/otw_components/otw_form/js/colorpicker.js/wp-content/plugins/dropcaps-shortcodes-and-widget/include/otw_components/otw_form/js/select2.full.min.js/wp-content/plugins/dropcaps-shortcodes-and-widget/include/otw_components/otw_form/js/datetimepicker.js/wp-content/plugins/dropcaps-shortcodes-and-widget/include/otw_components/otw_form/js/otw_form_admin.js
Version Parameters
dropcaps-shortcodes-and-widget/style.css?ver=dropcaps-shortcodes-and-widget/script.js?ver=

HTML / DOM Fingerprints

CSS Classes
otw-form-controlotw-dynamic-select-wrapperotw-form-hintotw-clear
Data Attributes
data-value
JS Globals
OTW_Form
FAQ

Frequently Asked Questions about Dropcaps Shortcode and Widget