Fast & Fancy Filter – 3F Security & Risk Analysis

wordpress.org/plugins/fast-fancy-filter-3f

Post search filter using WordPress REST API.

10 active installs · v1.2.2 · PHP + · WP 5.0+ · Updated Jun 22, 2021
Tags: ajax-filter, api-filter, filter, gallery, post-filter
Score 63/100 · C · Use Caution
CVEs total: 1
Unpatched: 1
Last CVE: Apr 21, 2026
Safety Verdict

Is Fast & Fancy Filter – 3F Safe to Use in 2026?

Use With Caution

Score 63/100

Fast & Fancy Filter – 3F has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE · 1 unpatched · Last CVE: Apr 21, 2026 · Updated 4yr ago
Risk Assessment

The "fast-fancy-filter-3f" v1.2.2 plugin presents a concerning security posture due to a significant number of unprotected entry points. While the plugin demonstrates good practices in areas like SQL query sanitization and output escaping, the absence of authentication checks on six out of seven identified entry points, specifically AJAX handlers, creates a substantial attack surface. The taint analysis shows flows with unsanitized paths. Although these are not classified as critical or high severity, they still warrant attention, as they could potentially lead to vulnerabilities if exploited in conjunction with the unprotected entry points. The lack of known vulnerabilities or CVEs in its history is a positive sign, suggesting a potentially mature codebase or a lack of past exploitation. However, this does not negate the immediate risks posed by the unprotected entry points. The plugin's strengths lie in its secure handling of SQL and most output, but the critical weakness of unprotected AJAX handlers requires immediate attention.

Key Concerns

  • AJAX handlers without authentication checks
  • Flows with unsanitized paths (taint analysis)
  • AJAX handlers without capability checks
  • No nonce checks on AJAX handlers
Vulnerabilities
1 published

Fast & Fancy Filter – 3F Security Vulnerabilities

CVEs by Year

1 CVE in 2026 · unpatched

Severity Breakdown

Medium: 1

1 total CVE

CVE-2026-6396 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Fast & Fancy Filter – 3F <= 1.2.2 - Cross-Site Request Forgery to Settings Modification via fff_save_settins AJAX Action

Apr 21, 2026 · Unpatched
Version History

Fast & Fancy Filter – 3F Release Timeline

No version history available.
Code Analysis
Analyzed Apr 16, 2026

Fast & Fancy Filter – 3F Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 7 (191 escaped)
  • Nonce Checks: 0
  • Capability Checks: 0
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 0

Output Escaping

96% escaped · 198 total outputs
Data Flows · Security
3 unsanitized

Data Flow Analysis

4 flows · 3 with unsanitized paths
fff_menu_page_general_content (includes/admin/class-admin.php:124)
Attack Surface
6 unprotected

Fast & Fancy Filter – 3F Attack Surface

Entry Points: 7
Unprotected: 6

AJAX Handlers 6

  • auth · wp_ajax_fff_save_settins · includes/admin/class-admin.php:24
  • nopriv · wp_ajax_fff_save_settins · includes/admin/class-admin.php:25
  • auth · wp_ajax_fff_remove_filter · includes/admin/class-admin.php:28
  • nopriv · wp_ajax_fff_remove_filter · includes/admin/class-admin.php:29
  • auth · wp_ajax_fff_get_taxonomies · includes/admin/class-admin.php:32
  • nopriv · wp_ajax_fff_get_taxonomies · includes/admin/class-admin.php:33

Shortcodes 1

[ff_filter] includes/front/class-front.php:22
WordPress Hooks 6
  • action · admin_enqueue_scripts · includes/admin/class-admin.php:18
  • action · admin_menu · includes/admin/class-admin.php:21
  • action · wp_enqueue_scripts · includes/front/class-front.php:13
  • action · init · includes/front/class-front.php:16
  • action · rest_api_init · includes/front/class-front.php:19
  • action · init · includes/front/class-front.php:24
Maintenance & Trust

Fast & Fancy Filter – 3F Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.7.15
Last updated: Jun 22, 2021
PHP min version
Downloads: 2K

Community Trust

Rating: 100/100
Number of ratings: 2
Active installs: 10
Developer Profile

Fast & Fancy Filter – 3F Developer Profile

Webarea

2 plugins · 40 total installs

Trust score: 76
Avg Security Score: 74/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Fast & Fancy Filter – 3F

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/fast-fancy-filter-3f/assets/css/icon-style.css
  • /wp-content/plugins/fast-fancy-filter-3f/assets/css/admin-style.css
  • /wp-content/plugins/fast-fancy-filter-3f/assets/js/lottie-player.js
  • /wp-content/plugins/fast-fancy-filter-3f/assets/js/admin-scripts.js
  • /wp-content/plugins/fast-fancy-filter-3f/assets/img/icon.svg
Script Paths
  • /wp-content/plugins/fast-fancy-filter-3f/assets/js/lottie-player.js
  • /wp-content/plugins/fast-fancy-filter-3f/assets/js/admin-scripts.js
Version Parameters
  • fast-fancy-filter-3f/assets/css/icon-style.css?ver=
  • fast-fancy-filter-3f/assets/css/admin-style.css?ver=
  • fast-fancy-filter-3f/assets/js/lottie-player.js?ver=
  • fast-fancy-filter-3f/assets/js/admin-scripts.js?ver=

HTML / DOM Fingerprints

CSS Classes
fff-main-admin-title, fff-new-filter-form, fff-button, fff-saved-popup-cont, fff-popup-save-filer, fff-saved-popup, lottieanimation, fff-saved-popup-bttns (+3 more)
Data Attributes
data-lottie-src
JS Globals
fff_ajax_url, fff_admin_page_url, fff_plugin_url
REST Endpoints
/wp-json/fff-filter/