Dynamic Widgets Security & Risk Analysis

wordpress.org/plugins/dynamic-widgets

Dynamic Widgets gives you full control over which pages a widget will display on. It lets you dynamically show or hide widgets on WordPress pages.

10K active installs · v1.6.6 · PHP 5.2.7+ · WP 3.0.0+ · Updated Feb 12, 2026
Tags: condition, dynamic, logic, rules, widget

Security score: 94 · A · Safe
CVEs total: 6 · Unpatched: 0 · Last CVE: Nov 1, 2024

Is Dynamic Widgets Safe to Use in 2026?

Generally Safe · Score 94/100

Dynamic Widgets has a strong security track record. Known vulnerabilities have been patched promptly.

6 known CVEs · Last CVE: Nov 1, 2024 · Updated 1mo ago
Risk Assessment

The dynamic-widgets plugin v1.6.6 exhibits a mixed security posture. While it demonstrates good practices in SQL query handling with 100% prepared statements and includes nonce checks on its single AJAX handler, significant concerns arise from the presence of the dangerous `unserialize` function and a high number of taint flows with unsanitized paths. The plugin has a concerning history with 6 known CVEs, including high and medium severity vulnerabilities such as Cross-Site Request Forgery, Cross-Site Scripting, and SQL Injection. The fact that these are currently unpatched, despite the last vulnerability being reported recently, is a red flag.

While the attack surface is small and the single AJAX entry point appears protected from a direct authorization perspective (no explicit capability checks listed, but assumed to be handled internally or via nonce), the code signals and taint analysis reveal potential weaknesses. The high percentage of improperly escaped output (74%) is a critical concern for Cross-Site Scripting vulnerabilities. The 5 taint flows with unsanitized paths, especially when coupled with the `unserialize` function, suggest potential for code execution or data manipulation if these flows are triggered in sensitive contexts. The vulnerability history, particularly the recurrence of XSS and SQLi, reinforces the need for careful code review and patching.

In conclusion, dynamic-widgets v1.6.6 is not recommended for use in its current state due to the combination of a problematic vulnerability history, the dangerous `unserialize` function, significant output escaping issues, and a concerning number of unsanitized taint flows. While some security measures are in place, the risks associated with the identified issues outweigh the strengths.

Key Concerns

  • Presence of dangerous unserialize function
  • 5 taint flows with unsanitized paths
  • 26% properly escaped output
  • 6 known CVEs in vulnerability history
  • High and medium severity unpatched CVEs
  • Capability checks: 0

Dynamic Widgets Security Vulnerabilities (6 total)

CVEs by Year

  • 2012: 1 CVE
  • 2015: 3 CVEs
  • 2021: 1 CVE
  • 2024: 1 CVE

Severity Breakdown

  • High: 2
  • Medium: 4

6 total CVEs

CVE-2024-51669 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
Dynamic Widgets <= 1.6.4 - Cross-Site Request Forgery
Nov 1, 2024 · Patched in 1.6.5 (6d)

CVE-2021-24933 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Dynamic Widgets <= 1.5.16 - Reflected Cross-Site Scripting
Dec 28, 2021 · Patched in 1.6 (756d)

CVE-2015-10100 · high · 8.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Dynamic Widgets <= 1.5.10 - Authenticated SQL Injection
Oct 14, 2015 · Patched in 1.5.11 (3159d)

CVE-2015-9437 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Dynamic Widgets <= 1.5.10 - Reflected Cross-Site Scripting
Aug 11, 2015 · Patched in 1.5.11 (3087d)

CVE-2015-9436 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Dynamic Widgets <= 1.5.10 - Cross-Site Scripting
Aug 11, 2015 · Patched in 1.5.11 (3087d)

WF-d3027edb-770a-43d8-8abe-e9d9a51f4ab3-dynamic-widgets · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Dynamic Widgets <= 1.5.1 - Cross Site Scripting
May 15, 2012 · Patched in 1.5.2 (4270d)

Dynamic Widgets Code Analysis (analyzed Mar 16, 2026)

  • Dangerous Functions: 8
  • Raw SQL Queries: 0 (41 prepared)
  • Unescaped Output: 102 (36 escaped)
  • Nonce Checks: 8
  • Capability Checks: 0
  • File Operations: 1
  • External Requests: 0
  • Bundled Libraries: 0

Dangerous Functions Found

  • unserialize: `$urls = unserialize($condition->value);` (dynwid_worker.php:189)
  • unserialize: `$domains = unserialize($condition->value);` (dynwid_worker.php:227)
  • unserialize: `$ips = unserialize($condition->value);` (dynwid_worker.php:242)
  • unserialize: `$shortcode_match = unserialize($condition->value);` (dynwid_worker.php:252)
  • unserialize: `$domains = unserialize($opt->value);` (mods\domain_module.php:30)
  • unserialize: `$ips = unserialize($opt->value);` (mods\ip_module.php:30)
  • unserialize: `$shortcode = unserialize($opt->value);` (mods\shortcode_module.php:29)
  • unserialize: `$urls = unserialize($opt->value);` (mods\url_module.php:31)

SQL Query Safety

100% prepared (41 total queries)

Output Escaping

26% escaped (138 total outputs)

Data Flow Analysis (5 unsanitized)

7 flows, 5 with unsanitized paths
  • <dynwid_admin_overview> (dynwid_admin_overview.php:0)

Dynamic Widgets Attack Surface

Entry Points: 1 · Unprotected: 0

AJAX Handlers: 1

  • wp_ajax_term_tree (auth) · dynamic-widgets.php:684

WordPress Hooks: 14

  • action · sidebar_admin_page · dynamic-widgets.php:459
  • filter · sidebars_widgets · dynamic-widgets.php:649
  • action · admin_menu · dynamic-widgets.php:672
  • action · add_meta_boxes · dynamic-widgets.php:675
  • action · edit_tag_form_fields · dynamic-widgets.php:676
  • action · edited_term · dynamic-widgets.php:677
  • action · save_post · dynamic-widgets.php:679
  • action · sidebar_admin_setup · dynamic-widgets.php:680
  • action · wp_head · dynamic-widgets.php:688
  • action · admin_menu · dynamic-widgets.php:694
  • action · admin_action_dynwid_dump · dynamic-widgets.php:1004
  • action · admin_action_wpec_dump · dynamic-widgets.php:1005
  • action · admin_action_dynwid_uninstall · dynamic-widgets.php:1006
  • action · init · dynamic-widgets.php:1007

Dynamic Widgets Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Feb 12, 2026
  • PHP min version: 5.2.7
  • Downloads: 1.0M

Community Trust

  • Rating: 94/100
  • Number of ratings: 109
  • Active installs: 10K

Dynamic Widgets Developer Profile

Kalmang

1 plugin · 10K total installs

  • Trust score: 75
  • Avg Security Score: 94/100
  • Avg Patch Time: 2394 days

How We Detect Dynamic Widgets

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/dynamic-widgets/img/dynamic-widgets.png
  • /wp-content/plugins/dynamic-widgets/img/dw-admin.png
  • /wp-content/plugins/dynamic-widgets/css/dw-admin.css
  • /wp-content/plugins/dynamic-widgets/css/dw-client.css
  • /wp-content/plugins/dynamic-widgets/js/dw-admin.js
  • /wp-content/plugins/dynamic-widgets/js/dw-client.js

Script Paths
  • /wp-content/plugins/dynamic-widgets/js/dw-admin.js
  • /wp-content/plugins/dynamic-widgets/js/dw-client.js

Version Parameters
  • dynamic-widgets/css/dw-admin.css?ver=
  • dynamic-widgets/css/dw-client.css?ver=
  • dynamic-widgets/js/dw-admin.js?ver=
  • dynamic-widgets/js/dw-client.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • dw_widget_options
  • dw_main_widget_settings
  • dw_options_add
  • dw_options_add_link
  • dw_options_rule
  • dw_options_remove

HTML Comments
  • <!-- Dynamic Widgets -->
  • <!-- DW-ADMIN -->
  • <!-- DW-CLIENT -->
  • <!-- DW END -->
  • (+8 more)

Data Attributes
  • data-dw-widget-id
  • data-dw-maintype
  • data-dw-name
  • data-dw-value

JS Globals
  • dw_admin_vars
  • dw_client_vars

Frequently Asked Questions about Dynamic Widgets