Favicon by RealFaviconGenerator Security & Risk Analysis

wordpress.org/plugins/favicon-by-realfavicongenerator

Create and install your favicon for all platforms: PC/Mac, iPhone/iPad, Android devices, Windows 8 tablets...

200K active installs v1.3.46 PHP + WP 3.5+ Updated Mar 2, 2026
apple-touch-iconfaviconiconiphonelogo
90
A · Safe
CVEs total5
Unpatched0
Last CVEMay 30, 2026
Safety Verdict

Is Favicon by RealFaviconGenerator Safe to Use in 2026?

Generally Safe

Score 90/100

Favicon by RealFaviconGenerator has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

5 known CVEsLast CVE: May 30, 2026Updated 4mo ago
Risk Assessment

The plugin 'favicon-by-realfavicongenerator' v1.3.46 exhibits a mixed security posture. While the static analysis shows a remarkably small attack surface with no exposed AJAX handlers, REST API routes, shortcodes, or cron events, and the taint analysis found no critical or high-severity issues, there are significant concerns related to its past vulnerability history and code signals. The plugin has a history of 4 known CVEs, including one high-severity and three medium-severity vulnerabilities, primarily related to Cross-Site Request Forgery and Cross-Site Scripting. The most recent vulnerability was patched in April 2024, suggesting active patching, but the recurring nature of these vulnerability types is a concern. Furthermore, the presence of SQL queries not using prepared statements and a lack of capability checks on any entry points (though the entry point count is zero) are weaknesses that, if an attack vector were to emerge, could be exploited. The high percentage of properly escaped output is a strength, but it does not entirely mitigate the risks posed by the historical vulnerabilities and the raw SQL query.

Key Concerns

  • 1 High severity CVE (unpatched)
  • 3 Medium severity CVEs (unpatched)
  • SQL queries without prepared statements
  • 0 Capability checks on entry points
  • Flows with unsanitized paths
Vulnerabilities
5 published

Favicon by RealFaviconGenerator Security Vulnerabilities

CVEs by Year

1 CVE in 2015
2015
1 CVE in 2021
2021
1 CVE in 2022
2022
1 CVE in 2024
2024
1 CVE in 2026
2026
Patched Has unpatched

Severity Breakdown

High
2
Medium
3

5 total CVEs

CVE-2026-42754high · 7.2Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Favicon by RealFaviconGenerator <= 1.3.46 - Unauthenticated Stored Cross-Site Scripting

May 30, 2026 Patched in 1.3.47 (3d)
CVE-2024-31422medium · 4.3Cross-Site Request Forgery (CSRF)

Favicon <= 1.3.29 - Cross-Site Request Forgery to Notice Dismissal

Apr 10, 2024 Patched in 1.3.30 (8d)
CVE-2022-0471medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Favicon by RealFaviconGenerator <= 1.3.22 - Reflected Cross-Site Scripting

Mar 21, 2022 Patched in 1.3.23 (673d)
CVE-2021-24437medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Favicon by RealFaviconGenerator <= 1.3.21 - Reflected Cross-Site Scripting

Jul 27, 2021 Patched in 1.3.21 (910d)
CVE-2015-10116high · 7.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Favicon by RealFaviconGenerator <= 1.2.12 - Reflected Cross-Site Scripting

Apr 1, 2015 Patched in 1.2.13 (3219d)
Version History

Favicon by RealFaviconGenerator Release Timeline

v1.3.46Current1 CVE2 files changed
v1.3.451 CVE2 files changed
v1.3.441 CVE2 files changed
v1.3.431 CVE2 files changed
v1.3.421 CVE2 files changed
v1.3.411 CVE2 files changed
v1.3.401 CVE2 files changed
v1.3.391 CVE2 files changed
v1.3.381 CVE2 files changed
v1.3.371 CVE2 files changed
v1.3.361 CVE2 files changed
v1.3.351 CVE3 files changed
v1.3.341 CVE2 files changed
v1.3.331 CVE2 files changed
v1.3.321 CVE11 files changed
v1.3.223 CVEs34 files changed
v1.3.213 CVEs61 files changed
v1.1.05 CVEs7 files changed
v1.0.75 CVEs6 files changed
Code Analysis
Analyzed Mar 16, 2026

Favicon by RealFaviconGenerator Code Analysis

Dangerous Functions
0
Raw SQL Queries
1
0 prepared
Unescaped Output
4
46 escaped
Nonce Checks
2
Capability Checks
0
File Operations
9
External Requests
4
Bundled Libraries
0

SQL Query Safety

0% prepared1 total queries

Output Escaping

92% escaped50 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

2 flows2 with unsanitized paths
install_new_favicon (admin\class-favicon-by-realfavicongenerator-admin.php:186)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Favicon by RealFaviconGenerator Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 12
actioninitadmin\class-favicon-by-realfavicongenerator-admin.php:22
actionadmin_headadmin\class-favicon-by-realfavicongenerator-admin.php:24
filtergenesis_pre_load_faviconadmin\class-favicon-by-realfavicongenerator-admin.php:27
actioninitadmin\class-favicon-by-realfavicongenerator-admin.php:33
actionadmin_menuadmin\class-favicon-by-realfavicongenerator-admin.php:62
actionadmin_noticesadmin\class-favicon-by-realfavicongenerator-admin.php:77
actionadmin_initadmin\class-favicon-by-realfavicongenerator-admin.php:78
actionplugins_loadedfavicon-by-realfavicongenerator.php:40
actionplugins_loadedfavicon-by-realfavicongenerator.php:51
actionwp_headpublic\class-favicon-by-realfavicongenerator.php:12
actionlogin_headpublic\class-favicon-by-realfavicongenerator.php:13
filtergenesis_pre_load_faviconpublic\class-favicon-by-realfavicongenerator.php:16
Maintenance & Trust

Favicon by RealFaviconGenerator Maintenance & Trust

Maintenance Signals

WordPress version tested7.0
Last updatedMar 2, 2026
PHP min version
Downloads5.3M

Community Trust

Rating98/100
Number of ratings801
Active installs200K
Developer Profile

Favicon by RealFaviconGenerator Developer Profile

phbernard

1 plugin · 200K total installs

72
trust score
Avg Security Score
90/100
Avg Patch Time
963 days
View full developer profile
Detection Fingerprints

How We Detect Favicon by RealFaviconGenerator

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/favicon-by-realfavicongenerator/public/css/site.css/wp-content/plugins/favicon-by-realfavicongenerator/public/js/site.js/wp-content/plugins/favicon-by-realfavicongenerator/admin/assets/css/admin.css
Generator Patterns
Favicon by RealFaviconGenerator
Version Parameters
favicon-by-realfavicongenerator/public/css/site.css?ver=favicon-by-realfavicongenerator/public/js/site.js?ver=favicon-by-realfavicongenerator/admin/assets/css/admin.css?ver=

HTML / DOM Fingerprints

CSS Classes
favicon_settings_pagefbrfg-settings-wrapfavicon_appearance_pagefbrfg-appearance-wrap
HTML Comments
<!-- Favicon by RealFaviconGenerator --><!-- Favicon settings --><!-- Favicon Appearance settings -->
Data Attributes
data-plugin-slug="favicon-by-realfavicongenerator"data-realfavicongenerator-ajax-url
JS Globals
window.FaviconByRealFaviconGeneratorAdmin
REST Endpoints
/wp-json/favicon-by-realfavicongenerator/v1/settings
FAQ

Frequently Asked Questions about Favicon by RealFaviconGenerator