Enhanced Text Widget Security & Risk Analysis

wordpress.org/plugins/enhanced-text-widget

An enhanced version of the text widget that supports Text, HTML, CSS, JavaScript, Flash, Shortcodes and PHP with linkable widget title.

30K active installs · v1.6.7 · PHP + WP 3.6+ · Updated Jul 17, 2024

Tags: clickable, linkable, linked-title, text, widget

Score: 89
Grade: A · Safe
CVEs total: 6
Unpatched: 0
Last CVE: Apr 10, 2024
Safety Verdict

Is Enhanced Text Widget Safe to Use in 2026?

Generally Safe

Score 89/100

Enhanced Text Widget has a strong security track record. Known vulnerabilities have been patched promptly.

6 known CVEs · Last CVE: Apr 10, 2024 · Updated 1yr ago
Risk Assessment

The "enhanced-text-widget" plugin v1.6.7 presents a mixed security posture. It demonstrates good practices in using prepared statements for SQL queries and in implementing nonces and capability checks for its entry points, but several areas of concern remain. The static analysis reveals a significant attack surface of 6 AJAX handlers, of which 2 lack proper authorization checks. Those two handlers give unauthenticated users a direct path to potentially sensitive plugin functionality and raise the risk of unauthorized actions. Additionally, the plugin calls `unserialize`, which is dangerous when applied to untrusted data because it can enable PHP object injection. Output escaping is also a concern: only 39% of outputs are properly escaped, indicating a moderate risk of Cross-Site Scripting (XSS).

The vulnerability history shows a pattern of 6 past medium-severity CVEs, predominantly XSS, Missing Authorization, and CSRF. While there are currently no unpatched vulnerabilities, this history suggests that these classes of flaw recur in the plugin's codebase, and the most recent vulnerability in April 2024 underlines the need for ongoing vigilance. Overall, the plugin is strong in its SQL handling and in some of its security checks, but the unprotected AJAX handlers, risky `unserialize` usage, and low output-escaping rate, combined with its past vulnerability record, warrant a cautious approach.

Key Concerns

  • Unprotected AJAX handlers
  • Usage of unserialize()
  • Low percentage of properly escaped output
  • History of medium severity vulnerabilities
Vulnerabilities (6)

Enhanced Text Widget Security Vulnerabilities

CVEs by Year

2023: 4 CVEs
2024: 2 CVEs

Severity Breakdown

Medium: 6 (6 total CVEs)

CVE-2024-31435 · Medium (4.3) · Missing Authorization
Inisev Analyst Module <= Various Versions - Missing Authorization
Apr 10, 2024 · Patched in 1.6.5 (20d)

CVE-2024-0559 · Medium (4.4) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Enhanced Text Widget <= 1.6.5 - Authenticated (Administrator+) Stored Cross-Site Scripting
Feb 20, 2024 · Patched in 1.6.6 (2d)

CVE-2023-49192 · Medium (5.3) · Missing Authorization
Enhanced Text Widget <= 1.6.3 - Missing Authorization via etw_hide_admin_notification_callback
Dec 1, 2023 · Patched in 1.6.4 (53d)

CVE-2023-3977 · Medium (4.3) · Cross-Site Request Forgery (CSRF)
Inisev Plugins (Various Versions) - Cross-Site Request Forgery on handle_installation function
Jul 27, 2023 · Patched in 1.5.8 (180d)

CVE-2023-0958 · Medium (4.3) · Missing Authorization
Inisev Plugins (Various Versions) - Missing Authorization on handle_installation function
Jul 27, 2023 · Patched in 1.5.8 (180d)

CVE-2023-23823 · Medium (4.3) · Missing Authorization
Enhanced Text Widget <= 1.5.8 - Missing Authorization
Jun 30, 2023 · Patched in 1.5.9 (207d)
Code Analysis
Analyzed Mar 16, 2026

Enhanced Text Widget Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 47 (30 escaped)
Nonce Checks: 6
Capability Checks: 8
File Operations: 0
External Requests: 2
Bundled Libraries: 0

Dangerous Functions Found

unserialize · `$this->values = is_array($raw) ? $raw : @unserialize($raw);` · analyst\src\Cache\DatabaseCache.php:47

Output Escaping

39% escaped (77 total outputs)
Attack Surface (2 unprotected)

Enhanced Text Widget Attack Surface

Entry Points: 6
Unprotected: 2

AJAX Handlers (6)

auth · wp_ajax_analyst_notification_dismiss · analyst\src\Mutator.php:100
auth · wp_ajax_inisev_installation · banner\misc.php:65
auth · wp_ajax_inisev_installation_widget · banner\misc.php:66
auth · wp_ajax_etw_hide_admin_notification · enhanced-text-widget.php:269
auth · wp_ajax_tifm_save_decision · enhanced-text-widget.php:346
auth · wp_ajax_tifm_notice_actions · modules\tryOutPlugins\tryOutPlugins.php:36
WordPress Hooks (18)

action · init · analyst\main.php:65
action · init · analyst\src\Analyst.php:80
action · admin_footer · analyst\src\Mutator.php:56
action · admin_notices · analyst\src\Mutator.php:74
action · admin_enqueue_scripts · analyst\src\Mutator.php:86
action · ins_global_print_carrousel · banner\misc.php:135
action · admin_footer · banner\misc.php:139
action · widgets_init · enhanced-text-widget.php:215
action · admin_init · enhanced-text-widget.php:217
action · admin_notices · enhanced-text-widget.php:222
action · admin_print_footer_scripts · enhanced-text-widget.php:249
action · plugins_loaded · enhanced-text-widget.php:293
action · admin_footer · enhanced-text-widget.php:313
action · in_admin_footer · modules\tryOutPlugins\tryOutPlugins.php:64
action · admin_notices · modules\tryOutPlugins\tryOutPlugins.php:68
action · admin_head · modules\tryOutPlugins\tryOutPlugins.php:69
action · in_admin_footer · modules\tryOutPlugins\tryOutPlugins.php:70
filter · plugin_install_action_links · modules\tryOutPlugins\tryOutPlugins.php:361
Maintenance & Trust

Enhanced Text Widget Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.6.5
Last updated: Jul 17, 2024
PHP min version
Downloads: 849K

Community Trust

Rating: 98/100
Number of ratings: 50
Active installs: 30K
Developer Profile

Enhanced Text Widget Developer Profile

cl272

2 plugins · 40K total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 93 days
Detection Fingerprints

How We Detect Enhanced Text Widget

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

HTML / DOM Fingerprints

CSS Classes
enhanced-text-widget, widget_text
Data Attributes
id="enhanced-text-widget-admin-css", id="etw-credits-style-css"
FAQ

Frequently Asked Questions about Enhanced Text Widget