EWZ-Rating Security & Risk Analysis

wordpress.org/plugins/ewz-rating

Companion plugin to EntryWizard, for display and judging of the uploaded images.

50 active installs · v1.1.40 · PHP 7.0+ · WP 3.5+ · Updated Feb 21, 2026
Tags: camera-club, competition, image, spreadsheet, upload
Score 100 · A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is EWZ-Rating Safe to Use in 2026?

Generally Safe

Score 100/100

EWZ-Rating has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 1mo ago
Risk Assessment

The ewz-rating plugin version 1.1.40 exhibits a mixed security posture. On the positive side, the plugin has no known vulnerabilities (CVEs) and demonstrates good practices in certain areas, such as utilizing prepared statements for the vast majority of its SQL queries and implementing a significant number of nonce checks and capability checks. The absence of external HTTP requests and bundled libraries also reduces certain attack vectors.

However, the static analysis identified several concerns. The taint analysis found unsanitized paths in two of the four data flows it analyzed, both categorized as high severity. This indicates a potential for attackers to manipulate input in ways that lead to unintended or malicious behavior, even though the total number of flows analyzed is small. Furthermore, a significant portion of the plugin's output (51%) is not properly escaped, posing a risk of Cross-Site Scripting (XSS) vulnerabilities if user-supplied data is displayed without adequate sanitization.

The plugin's vulnerability history is clean, which is a strong positive signal. It suggests that the developers may be diligent about security or that the plugin has not been a significant target. However, the presence of high-severity taint flows and unescaped output in the current version indicates that past good security practices might not have been consistently maintained or that new vulnerabilities have been introduced. Therefore, while the lack of known CVEs is encouraging, the identified code signals warrant attention and remediation.

Key Concerns

  • High severity taint flows
  • Significant unescaped output
Vulnerabilities
None known

EWZ-Rating Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

EWZ-Rating Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 18 (114 prepared)
Unescaped Output: 53 (51 escaped)
Nonce Checks: 22
Capability Checks: 7
File Operations: 3
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

86% prepared · 132 total queries

Output Escaping

49% escaped · 104 total outputs

Data Flows

2 unsanitized

Data Flow Analysis

4 flows · 2 with unsanitized paths
ewz_done_callback (includes\ewz-admin-rating.php:325)
Attack Surface

EWZ-Rating Attack Surface

Entry Points: 21
Unprotected: 0

AJAX Handlers 20

auth wp_ajax_ewz_delete_rform includes\ewz-admin-rating.php:182
auth wp_ajax_ewz_forms_batch_delete includes\ewz-admin-rating.php:215
auth wp_ajax_ewz_recalc includes\ewz-admin-rating.php:240
auth wp_ajax_ewz_judge_close includes\ewz-admin-rating.php:262
auth wp_ajax_ewz_reopen includes\ewz-admin-rating.php:288
auth wp_ajax_ewz_del_judge_ratings includes\ewz-admin-rating.php:314
auth wp_ajax_ewz_done includes\ewz-admin-rating.php:346
auth wp_ajax_ewz_del_rating_field includes\ewz-admin-rating.php:378
auth wp_ajax_ewz_del_scheme includes\ewz-admin-rating.php:406
auth wp_ajax_ewz_delete_rating includes\ewz-admin-rating.php:436
auth wp_ajax_ewz_save_rating includes\ewz-admin-rating.php:466
auth wp_ajax_ewz_hide_rforms includes\ewz-admin-rating.php:500
auth wp_ajax_ewz_set_judge_prefs includes\ewz-admin-rating.php:536
auth wp_ajax_ewz_get_judge_count includes\ewz-admin-rating.php:568
auth wp_ajax_ewz_scheme_changes includes\ewz-admin-rating.php:629
auth wp_ajax_ewz_rform_changes includes\ewz-admin-rating.php:668
auth wp_ajax_ewz_save_scheme_order includes\ewz-admin-rating.php:692
auth wp_ajax_ewz_save_rating_form_order includes\ewz-admin-rating.php:713
auth wp_ajax_ewz_toggle_scheme_status includes\ewz-admin-rating.php:771
auth wp_ajax_ewz_hide_schemes includes\ewz-admin-rating.php:814

Shortcodes 1

[ewz_show_rating] ewz-rating.php:59

WordPress Hooks 29

filter plugin_auto_update_setting_html ewz-rating.php:49
action admin_notices ewz-rating.php:72
action admin_init ewz-rating.php:73
action admin_notices ewz-rating.php:77
action admin_init ewz-rating.php:78
action admin_notices ewz-rating.php:103
action delete_user_form ewz-rating.php:107
action deleted_user ewz-rating.php:108
action plugins_loaded ewz-rating.php:111
action ewz_before_delete_webform ewz-rating.php:137
action ewz_before_delete_layout ewz-rating.php:138
action ewz_before_delete_field ewz-rating.php:139
action ewz_before_delete_item ewz-rating.php:140
action ewz_after_help ewz-rating.php:141
action ewz_before_help ewz-rating.php:142
action ewz_additional_permissions ewz-rating.php:143
filter ewz_user_item_data ewz-rating.php:145
filter ewz_after_settings_input ewz-rating.php:189
filter ewz_settings_defaults ewz-rating.php:190
filter mce_buttons_2 ewz-rating.php:204
filter mce_external_plugins ewz-rating.php:205
action current_screen ewz-rating.php:212
action wp_enqueue_scripts ewz-rating.php:269
action admin_init ewz-rating.php:328
action admin_init includes\ewz-admin-rating.php:116
action admin_menu includes\ewz-admin-rating.php:143
action init includes\ewz-admin-rating.php:748
action wp_footer includes\ewz-rating-shortcode.php:168
action wp_footer includes\ewz-rating-shortcode.php:308
Maintenance & Trust

EWZ-Rating Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 21, 2026
PHP min version: 7.0
Downloads: 6K

Community Trust

Rating: 100/100
Number of ratings: 5
Active installs: 50
Developer Profile

EWZ-Rating Developer Profile

Ilia Tyker

2 plugins · 150 total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect EWZ-Rating

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/ewz-rating/admin/css/ewz-rating-admin.css
/wp-content/plugins/ewz-rating/css/ewz-rating.css
/wp-content/plugins/ewz-rating/js/ewz-rating-public.js
/wp-content/plugins/ewz-rating/js/ewz-rating-admin.js
/wp-content/plugins/ewz-rating/admin/js/ewz-rating-admin-schemes.js
/wp-content/plugins/ewz-rating/admin/js/ewz-rating-admin-forms.js
/wp-content/plugins/ewz-rating/admin/js/ewz-rating-admin-help.js

HTML / DOM Fingerprints

CSS Classes
ewz-rating-results
ewz-rating-title
HTML Comments
<!-- Rating Info Goes Here -->
<!-- Rating Form Goes Here -->
<!-- Rating Results Go Here -->
<!-- Rating Form Section -->
+1 more
Data Attributes
data-ewz-rating-id
data-ewz-rating-scheme-id
data-ewz-rating-item-id
data-ewz-rating-form-id
JS Globals
ewz_rating_vars
Shortcode Output
[ewz_show_rating]
[ewz_rating_form]