WP-Safety

Favicon by RealFaviconGenerator Security & Risk Analysis

wordpress.org/plugins/favicon-by-realfavicongenerator

Create and install your favicon for all platforms: PC/Mac, iPhone/iPad, Android devices, Windows 8 tablets...

200K active installs v1.3.46 PHP + WP 3.5+ Updated Mar 2, 2026
apple-touch-iconfaviconiconiphonelogo
98
A · Safe
CVEs total4
Unpatched0
Last CVEApr 10, 2024
Plugin page Download
Safety Verdict

Is Favicon by RealFaviconGenerator Safe to Use in 2026?

Generally Safe

Score 98/100

Favicon by RealFaviconGenerator has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

4 known CVEsLast CVE: Apr 10, 2024Updated 2mo ago
Risk Assessment

The plugin 'favicon-by-realfavicongenerator' v1.3.46 exhibits a mixed security posture. While the static analysis shows a remarkably small attack surface with no exposed AJAX handlers, REST API routes, shortcodes, or cron events, and the taint analysis found no critical or high-severity issues, there are significant concerns related to its past vulnerability history and code signals. The plugin has a history of 4 known CVEs, including one high-severity and three medium-severity vulnerabilities, primarily related to Cross-Site Request Forgery and Cross-Site Scripting. The most recent vulnerability was patched in April 2024, suggesting active patching, but the recurring nature of these vulnerability types is a concern. Furthermore, the presence of SQL queries not using prepared statements and a lack of capability checks on any entry points (though the entry point count is zero) are weaknesses that, if an attack vector were to emerge, could be exploited. The high percentage of properly escaped output is a strength, but it does not entirely mitigate the risks posed by the historical vulnerabilities and the raw SQL query.

Key Concerns

  • 1 High severity CVE (unpatched)
  • 3 Medium severity CVEs (unpatched)
  • SQL queries without prepared statements
  • 0 Capability checks on entry points
  • Flows with unsanitized paths
Vulnerabilities
4 published

Favicon by RealFaviconGenerator Security Vulnerabilities

CVEs by Year

1 CVE in 2015
2015
1 CVE in 2021
2021
1 CVE in 2022
2022
1 CVE in 2024
2024
Patched Has unpatched

Severity Breakdown

High
1
Medium
3

4 total CVEs

CVE-2024-31422medium · 4.3Cross-Site Request Forgery (CSRF)

Favicon <= 1.3.29 - Cross-Site Request Forgery to Notice Dismissal

Apr 10, 2024 Patched in 1.3.30 (8d)
CVE-2022-0471medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Favicon by RealFaviconGenerator <= 1.3.22 - Reflected Cross-Site Scripting

Mar 21, 2022 Patched in 1.3.23 (673d)
CVE-2021-24437medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Favicon by RealFaviconGenerator <= 1.3.21 - Reflected Cross-Site Scripting

Jul 27, 2021 Patched in 1.3.21 (910d)
CVE-2015-10116high · 7.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Favicon by RealFaviconGenerator <= 1.2.12 - Reflected Cross-Site Scripting

Apr 1, 2015 Patched in 1.2.13 (3219d)
Version History

Favicon by RealFaviconGenerator Release Timeline

v1.3.46Current2 files changed
v1.3.452 files changed
v1.3.442 files changed
v1.3.432 files changed
v1.3.422 files changed
v1.3.412 files changed
v1.3.402 files changed
v1.3.392 files changed
v1.3.382 files changed
v1.3.372 files changed
v1.3.362 files changed
v1.3.353 files changed
v1.3.342 files changed
v1.3.332 files changed
v1.3.3211 files changed
v1.3.222 CVEs34 files changed
CVE-2022-0471 CVE-2024-31422
v1.3.212 CVEs61 files changed
CVE-2022-0471 CVE-2024-31422
v1.1.04 CVEs7 files changed
CVE-2022-0471 CVE-2024-31422 CVE-2015-10116 +1 more
v1.0.74 CVEs6 files changed
CVE-2022-0471 CVE-2024-31422 CVE-2015-10116 +1 more
v1.0.64 CVEs
CVE-2022-0471 CVE-2024-31422 CVE-2015-10116 +1 more
Code Analysis
Analyzed Mar 16, 2026

Favicon by RealFaviconGenerator Code Analysis

Dangerous Functions
0
Raw SQL Queries
1
0 prepared
Unescaped Output
4
46 escaped
Nonce Checks
2
Capability Checks
0
File Operations
9
External Requests
4
Bundled Libraries
0

SQL Query Safety

0% prepared1 total queries

Output Escaping

92% escaped50 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

2 flows2 with unsanitized paths
install_new_favicon (admin\class-favicon-by-realfavicongenerator-admin.php:186)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Favicon by RealFaviconGenerator Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 12
actioninitadmin\class-favicon-by-realfavicongenerator-admin.php:22
actionadmin_headadmin\class-favicon-by-realfavicongenerator-admin.php:24
filtergenesis_pre_load_faviconadmin\class-favicon-by-realfavicongenerator-admin.php:27
actioninitadmin\class-favicon-by-realfavicongenerator-admin.php:33
actionadmin_menuadmin\class-favicon-by-realfavicongenerator-admin.php:62
actionadmin_noticesadmin\class-favicon-by-realfavicongenerator-admin.php:77
actionadmin_initadmin\class-favicon-by-realfavicongenerator-admin.php:78
actionplugins_loadedfavicon-by-realfavicongenerator.php:40
actionplugins_loadedfavicon-by-realfavicongenerator.php:51
actionwp_headpublic\class-favicon-by-realfavicongenerator.php:12
actionlogin_headpublic\class-favicon-by-realfavicongenerator.php:13
filtergenesis_pre_load_faviconpublic\class-favicon-by-realfavicongenerator.php:16
Maintenance & Trust

Favicon by RealFaviconGenerator Maintenance & Trust

Maintenance Signals

WordPress version tested7.0
Last updatedMar 2, 2026
PHP min version
Downloads5.3M

Community Trust

Rating98/100
Number of ratings801
Active installs200K
Alternatives

Favicon by RealFaviconGenerator Alternatives

Multicons

Multicons

multicons

A
100

Multicons is a multi-favicon code generator which automatically inserts the necessary meta tags for favicons.

2K 1 CVE
wp-logo-login | تغییر لوگو ورود و سربرگ

wp-logo-login | تغییر لوگو ورود و سربرگ

change-logo-login

A
85

With the help of this plugin, you can change the logo of the WordPress admin section.

10 No CVEs
All In One Favicon

All In One Favicon

all-in-one-favicon

B
84

Easily add a Favicon to your site and the WordPress admin pages. Complete with upload functionality. Supports all three Favicon types (ico,png,gif).

70K 2 CVEs
Favicon Rotator

Favicon Rotator

favicon-rotator

A
88

Easily set site favicon and even rotate through multiple icons

20K 2 CVEs
WP Favicon Remover

WP Favicon Remover

wp-favicon-remover

A
100

This plugin adds the functionality to remove the WordPress default favicon since WordPress 5.4.

10K No CVEs
Developer Profile

Favicon by RealFaviconGenerator Developer Profile

phbernard

1 plugin · 200K total installs

78
trust score
Avg Security Score
98/100
Avg Patch Time
1203 days
View full developer profile
Detection Fingerprints

How We Detect Favicon by RealFaviconGenerator

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/favicon-by-realfavicongenerator/public/css/site.css/wp-content/plugins/favicon-by-realfavicongenerator/public/js/site.js/wp-content/plugins/favicon-by-realfavicongenerator/admin/assets/css/admin.css
Generator Patterns
Favicon by RealFaviconGenerator
Version Parameters
favicon-by-realfavicongenerator/public/css/site.css?ver=favicon-by-realfavicongenerator/public/js/site.js?ver=favicon-by-realfavicongenerator/admin/assets/css/admin.css?ver=

HTML / DOM Fingerprints

CSS Classes
favicon_settings_pagefbrfg-settings-wrapfavicon_appearance_pagefbrfg-appearance-wrap
HTML Comments
<!-- Favicon by RealFaviconGenerator --><!-- Favicon settings --><!-- Favicon Appearance settings -->
Data Attributes
data-plugin-slug="favicon-by-realfavicongenerator"data-realfavicongenerator-ajax-url
JS Globals
window.FaviconByRealFaviconGeneratorAdmin
REST Endpoints
/wp-json/favicon-by-realfavicongenerator/v1/settings
FAQ

Frequently Asked Questions about Favicon by RealFaviconGenerator