
FAQ Plus – WordPress FAQ Plugin Security & Risk Analysis
wordpress.org/plugins/faq-plus
WordPress FAQ Plugin helps you to easily display frequently asked questions on your WordPress website without coding.
Is FAQ Plus – WordPress FAQ Plugin Safe to Use in 2026?
Generally Safe
Score 100/100
FAQ Plus – WordPress FAQ Plugin has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.
The "faq-plus" v1.0.0 plugin exhibits a generally good security posture, with no known vulnerabilities or CVEs recorded. The static analysis shows no direct attack surface points like unprotected AJAX handlers or REST API routes. Additionally, the plugin avoids dangerous functions, file operations, and external HTTP requests, which are common vectors for exploits. The use of prepared statements for all SQL queries is a significant strength, mitigating the risk of SQL injection vulnerabilities.
However, there are areas for improvement. A concerning signal from the taint analysis is the presence of "flows with unsanitized paths," even though they are not classified as critical or high severity. This suggests that while these paths are not directly exploitable in this version, they could cause unexpected behavior or become a precursor to future vulnerabilities if not addressed. Output escaping is also only 65% proper, meaning a portion of the output is not escaped, which could lead to cross-site scripting (XSS) vulnerabilities if user-supplied data is not handled carefully. The absence of nonce and capability checks on the identified shortcode entry point is another notable concern, as it allows any user, regardless of their role or intent, to potentially trigger the shortcode's functionality.
Key Concerns
- Unsanitized paths in taint flows
- Insufficient output escaping
- Missing nonce checks on shortcode
- Missing capability checks on shortcode
FAQ Plus – WordPress FAQ Plugin Security Vulnerabilities
FAQ Plus – WordPress FAQ Plugin Release Timeline
FAQ Plus – WordPress FAQ Plugin Code Analysis
Output Escaping
Data Flow Analysis
FAQ Plus – WordPress FAQ Plugin Attack Surface
Shortcodes 1
WordPress Hooks 11
Maintenance & Trust
FAQ Plus – WordPress FAQ Plugin Maintenance & Trust
Maintenance Signals
Community Trust
FAQ Plus – WordPress FAQ Plugin Alternatives
FAQ Schema – Accordion, Tab, Slider & Gutenberg Block
faq-schema-ultimate
Create responsive FAQs with accordion, tabs, and slider layouts. Includes FAQ Schema markup, Gutenberg blocks, and Elementor widgets.
FAQ Manager For Divi, Gutenberg Block & Shortcode
faq-manager-with-structured-data
Easily create, manage bookmarkable FAQs on your website. Use divi module, FAQ block or shortcode to display FAQs. Boost SEO with FAQPage schema & …
FAQ Schema
faq-schema
FAQ schema is an easy to use plugin which easily can add faq schema on your post, page or any other post type you just need to use a simple
FAQ Magic – AI powered FAQ generator
faq-magic
FAQ Plugin with a built-in AI powered FAQ generator to create SEO-friendly FAQs, FAQ schema, FAQ blocks, and flexible FAQ accordion layouts.
Faq Module For Divi
faq-module-for-divi
Faq Module For Divi plugin is deprecated. Use our https://wordpress.org/plugins/faq-manager-with-structured-data/ plugin that has latest faq divi mod …
FAQ Plus – WordPress FAQ Plugin Developer Profile
1 plugin · 10 total installs
How We Detect FAQ Plus – WordPress FAQ Plugin
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
- /wp-content/plugins/faq-plus/assets/css/admin_faqp.css
- /wp-content/plugins/faq-plus/assets/js/admin_nikan_faqp.js
- assets/js/admin_nikan_faqp.js
HTML / DOM Fingerprints
- nikan_faqp_faqp_display_type
- nikan_faqps
- nikan_faqp_dropme
- nikan_faqp_row
- nikan_faqp_remove_row
- nikan_faqp_accordion
- nikan_faqp_open_row
- nikan_faqp_form_row
- (+3 more)
- name="nikan_faqp_question[]"
- name="nikan_faqp_answer[]"
- name="faqp_display_type"
- nikan_faqp_object