EntryWizard Security & Risk Analysis

wordpress.org/plugins/entrywizard

Uploading by logged-in users of sets of image files and associated data. Administrators design the upload form, and download the images and data.

100 active installs · v1.3.29 · PHP 7.0+ · WP 5.0+ · Updated Feb 15, 2026
camera-club, competition, image, spreadsheet, upload
100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is EntryWizard Safe to Use in 2026?

Generally Safe

Score 100/100

EntryWizard has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 1mo ago
Risk Assessment

The 'entrywizard' plugin v1.3.29 presents a mixed security posture. On the positive side, it demonstrates good practices in several areas. There are no known CVEs associated with this plugin, indicating a stable history and likely diligent maintenance. The static analysis shows a strong emphasis on security checks, with all identified entry points (AJAX handlers, REST API routes, shortcodes, cron events) appearing to have authentication and capability checks in place. Furthermore, the high percentage of SQL queries using prepared statements and a reasonable rate of output escaping are commendable. The absence of external HTTP requests and bundled libraries also reduces potential attack vectors.

However, concerns arise from the presence of dangerous functions such as 'unserialize', 'preg_replace(/e)', and 'popen'. While the taint analysis did not reveal critical or high severity unsanitized flows, the mere existence of these functions can be a significant risk if not handled with extreme care, as they are often associated with remote code execution or deserialization vulnerabilities. The static analysis also found four flows with unsanitized paths, which, while not classified as critical or high, warrant further investigation to understand their potential impact. The ratio of properly escaped outputs, while above 50%, still suggests a small but non-zero risk of cross-site scripting (XSS) vulnerabilities if specific edge cases are not addressed.

Overall, the plugin's history of zero vulnerabilities and robust implementation of authentication/capability checks are strong points. Nevertheless, the identified dangerous functions and unsanitized path flows introduce potential risks that cannot be overlooked. A more in-depth manual code review focusing on the usage of 'unserialize', 'preg_replace(/e)', 'popen', and the identified unsanitized paths would be highly recommended to confirm the absence of exploitable vulnerabilities.

Key Concerns

  • Dangerous functions detected (unserialize, preg_replace(/e), popen)
  • Unsanitized paths found in taint analysis
  • Output escaping not fully comprehensive (70%)
Vulnerabilities
None known

EntryWizard Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

EntryWizard Code Analysis

  • Dangerous Functions: 8
  • Raw SQL Queries: 25; prepared: 109
  • Unescaped Output: 87; escaped: 207
  • Nonce Checks: 20
  • Capability Checks: 38
  • File Operations: 44
  • External Requests: 0
  • Bundled Libraries: 0

Dangerous Functions Found

Function | Code | Location
  • unserialize | $arr = @unserialize( $string ); | classes\ewz-base.php:175
  • preg_replace(/e) | preg_replace( '/^.*\/e | classes\ewz-item.php:310
  • preg_replace(/e) | preg_replace( '/^.*\/e | classes\ewz-item.php:317
  • preg_replace(/e) | preg_replace( '/^.*\/e | classes\ewz-item.php:573
  • preg_replace(/e) | preg_replace( '/^.*\/e | classes\ewz-item.php:577
  • preg_replace(/e) | preg_replace( '/e | classes\ewz-webform.php:1494
  • popen | $fp = popen("zip -0 -j -q - $fnames", 'r'); // see testing notes | classes\ewz-webform.php:787
  • popen | $fp = popen( "zip --version", 'r' ); | includes\ewz-admin-webforms.php:642

SQL Query Safety

81% prepared · 134 total queries

Output Escaping

70% escaped · 294 total outputs
Data Flows
4 unsanitized

Data Flow Analysis

7 flows · 4 with unsanitized paths
ewz_process_uploaded_admin_data (includes\ewz-admin-webforms.php:23)
Attack Surface

EntryWizard Attack Surface

Entry Points: 20
Unprotected: 0

AJAX Handlers 17

  • auth | wp_ajax_ewz_show_cron_events | includes\ewz-admin.php:354
  • auth | wp_ajax_ewz_save_layout_order | includes\ewz-admin.php:375
  • auth | wp_ajax_ewz_save_webform_order | includes\ewz-admin.php:397
  • auth | wp_ajax_ewz_webform_get_user_list | includes\ewz-admin.php:423
  • auth | wp_ajax_ewz_save_webform | includes\ewz-admin.php:465
  • auth | wp_ajax_ewz_save_layout | includes\ewz-admin.php:503
  • auth | wp_ajax_ewz_gen_zipfile | includes\ewz-admin.php:559
  • auth | wp_ajax_ewz_del_layout | includes\ewz-admin.php:591
  • auth | wp_ajax_ewz_del_field | includes\ewz-admin.php:625
  • auth | wp_ajax_ewz_del_item | includes\ewz-admin.php:658
  • auth | wp_ajax_ewz_webforms_batch_delete | includes\ewz-admin.php:698
  • auth | wp_ajax_ewz_hide_webforms | includes\ewz-admin.php:732
  • auth | wp_ajax_ewz_del_webform | includes\ewz-admin.php:763
  • auth | wp_ajax_ewz_upload_csv | includes\ewz-admin.php:802
  • auth | wp_ajax_ewz_upload | includes\ewz-admin.php:835
  • auth | wp_ajax_ewz_set_ipp | includes\ewz-admin.php:862
  • auth | wp_ajax_ewz_file_report | includes\ewz-admin.php:883

Shortcodes 3

[ewz_show_webform] entrywizard.php:192
[ewz_followup] entrywizard.php:193
[ewz_show_webform] includes\ewz-admin.php:819
WordPress Hooks 27
  • action | admin_notices | classes\ewz-item.php:139
  • action | ewz_do_action_webform | classes\ewz-webform.php:1463
  • filter | plugin_auto_update_setting_html | entrywizard.php:78
  • action | plugins_loaded | entrywizard.php:80
  • action | plugins_loaded | entrywizard.php:82
  • action | plugins_loaded | entrywizard.php:84
  • action | init | entrywizard.php:87
  • action | init | entrywizard.php:90
  • action | admin_init | entrywizard.php:93
  • filter | wp_privacy_personal_data_exporters | entrywizard.php:97
  • action | wp_enqueue_scripts | entrywizard.php:99
  • action | delete_user_form | entrywizard.php:102
  • action | deleted_user | entrywizard.php:105
  • filter | mce_buttons_2 | entrywizard.php:128
  • filter | mce_external_plugins | entrywizard.php:129
  • action | current_screen | entrywizard.php:137
  • action | admin_notices | entrywizard.php:206
  • action | admin_init | entrywizard.php:218
  • filter | wp_image_editors | entrywizard.php:401
  • action | admin_notices | entrywizard.php:513
  • action | init | ewz-custom-data.php:5
  • action | admin_init | includes\ewz-admin.php:156
  • action | admin_menu | includes\ewz-admin.php:261
  • action | init | includes\ewz-admin.php:323
  • action | wp_footer | includes\ewz-followup.php:161
  • action | wp_footer | includes\ewz-upload.php:99
  • filter | upload_dir | includes\ewz-upload.php:783

Scheduled Events 1

ewz_do_action_webform
Maintenance & Trust

EntryWizard Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.6.5
Last updated: Feb 15, 2026
PHP min version: 7.0
Downloads: 12K

Community Trust

Rating: 100/100
Number of ratings: 17
Active installs: 100
Developer Profile

EntryWizard Developer Profile

Ilia Tyker

2 plugins · 150 total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect EntryWizard

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/entrywizard/css/ewz-public.css
  • /wp-content/plugins/entrywizard/css/ewz-webform.css
  • /wp-content/plugins/entrywizard/javascript/ewz-public.js
  • /wp-content/plugins/entrywizard/javascript/ewz-webform.js
  • /wp-content/plugins/entrywizard/javascript/ewz-admin.js
  • /wp-content/plugins/entrywizard/javascript/ewz-shortcodes.js
Script Paths
  • /wp-content/plugins/entrywizard/javascript/ewz-public.js
  • /wp-content/plugins/entrywizard/javascript/ewz-webform.js
  • /wp-content/plugins/entrywizard/javascript/ewz-admin.js
  • /wp-content/plugins/entrywizard/javascript/ewz-shortcodes.js
Version Parameters
entrywizard/javascript/ewz-shortcodes.js?ewzv=

HTML / DOM Fingerprints

CSS Classes
  • ewz-public-form
  • ewz-webform-container
  • ewz-success-message
  • ewz-error-message
  • ewz-field-label
  • ewz-field-input
  • ewz-submit-button
  • ewz-admin-upload-wrap
  • (+2 more)
HTML Comments
  • <!-- BEGIN ENTRYWIZARD SHORTCODE -->
  • <!-- END ENTRYWIZARD SHORTCODE -->
  • <!-- Gutenberg editor notice for EntryWizard -->
Data Attributes
  • data-ewz-webform-id
  • data-ewz-field-id
JS Globals
EWZdata
REST Endpoints
  • /wp-json/entrywizard/v1/webforms
  • /wp-json/entrywizard/v1/upload
  • /wp-json/entrywizard/v1/settings
Shortcode Output
  • [ewz_show_webform
  • [ewz_followup
FAQ

Frequently Asked Questions about EntryWizard