Does Favorites have any unpatched vulnerabilities?

Yes — Favorites currently has 1 unpatched vulnerability. We recommend switching to an alternative or applying any available workarounds.

Is Favorites compatible with WordPress 6.8.5?

According to WordPress.org data, Favorites 2.3.6 has been tested up to WordPress 6.8.5. Check the plugin's changelog for the latest compatibility information.

Is Favorites compatible with PHP 5.4+?

Favorites requires PHP 5.4 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Favorites updated?

Favorites was last updated on Apr 10, 2025. Frequent updates are generally a positive security signal.

What is Favorites's security score?

Favorites has a WP-Safety security score of 71/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Favorites Security & Risk Analysis

wordpress.org/plugins/favorites

Favorites for any post type. Easily add favoriting/liking, wishlists, or any other similar functionality using the developer-friendly API.

10K active installs v2.3.6 PHP 5.4+ WP 3.8+ Updated Apr 10, 2025

bookmarkfavoritefavoriteslikelikes

B · Generally Safe

CVEs total4

Unpatched1

Last CVEJul 21, 2025

Plugin page Download

Safety Verdict

Is Favorites Safe to Use in 2026?

Mostly Safe

Score 71/100

Favorites is generally safe to use. 4 past CVEs were resolved. Keep it updated.

4 known CVEs 1 unpatched Last CVE: Jul 21, 2025Updated 11mo ago

Risk Assessment

The 'favorites' plugin version 2.3.6 exhibits a concerning security posture, primarily due to a significant number of unprotected AJAX handlers. While the plugin demonstrates good practices in its SQL query handling by utilizing prepared statements, the lack of authorization checks on 12 out of 12 AJAX entry points creates a broad attack surface for unauthorized actions. Furthermore, the static analysis reveals that only 53% of output is properly escaped, indicating a potential for Cross-Site Scripting (XSS) vulnerabilities.

The vulnerability history is particularly alarming. With a total of 4 known CVEs, one of which remains unpatched and is classified as high severity, the plugin has a history of severe security flaws. The common vulnerability types, including Remote File Inclusion and XSS, directly align with the static analysis findings of unprotected AJAX handlers and insufficient output escaping. This pattern suggests persistent weaknesses in input validation and privilege management within the plugin.

In conclusion, despite a positive aspect regarding prepared SQL statements, the 'favorites' plugin version 2.3.6 presents a high-risk profile. The combination of a large number of unprotected AJAX endpoints, moderate output escaping, and a history of critical and high-severity vulnerabilities, including an unpatched high-severity CVE, necessitates immediate attention and patching. The plugin's attack surface and historical trends point to potential exploitation scenarios.

Key Concerns

Unpatched high severity CVE
Unprotected AJAX handlers
Insufficient output escaping
Missing nonce checks on AJAX
Missing capability checks
Medium severity CVEs (3)

Vulnerabilities

Favorites Security Vulnerabilities

CVEs by Year

1 CVE in 2023

2023

1 CVE in 2024

2024

2 CVEs in 2025 · unpatched

2025

Patched Has unpatched

Severity Breakdown

High

Medium

4 total CVEs

CVE-2025-60202high · 8.1Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Favorites <= 2.3.6 - Unauthenticated Local File Inclusion

Jul 21, 2025Unpatched

CVE-2025-1452medium · 4.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Favorites <= 2.3.4 - Authenticated (Admin+) Stored Cross-Site Scripting

Mar 4, 2025 Patched in 2.3.5 (49d)

CVE-2024-2948medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Favorites <= 2.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Mar 29, 2024 Patched in 2.3.4 (210d)

CVE-2023-2304medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Favorites <= 2.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

May 30, 2023 Patched in 2.3.3 (238d)

Code Analysis

Analyzed Mar 16, 2026

Favorites Code Analysis

Dangerous Functions

Raw SQL Queries

2 prepared

Unescaped Output

42 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

100% prepared2 total queries

Output Escaping

53% escaped79 total outputs

Attack Surface

12 unprotected

Favorites Attack Surface

Entry Points18

Unprotected12

AJAX Handlers 12

noprivwp_ajax_favorites_favoriteapp\Events\RegisterPublicEvents.php:16

authwp_ajax_favorites_favoriteapp\Events\RegisterPublicEvents.php:17

noprivwp_ajax_favorites_arrayapp\Events\RegisterPublicEvents.php:20

authwp_ajax_favorites_arrayapp\Events\RegisterPublicEvents.php:21

noprivwp_ajax_favorites_clearapp\Events\RegisterPublicEvents.php:24

authwp_ajax_favorites_clearapp\Events\RegisterPublicEvents.php:25

noprivwp_ajax_favorites_totalcountapp\Events\RegisterPublicEvents.php:28

authwp_ajax_favorites_totalcountapp\Events\RegisterPublicEvents.php:29

noprivwp_ajax_favorites_listapp\Events\RegisterPublicEvents.php:32

authwp_ajax_favorites_listapp\Events\RegisterPublicEvents.php:33

noprivwp_ajax_favorites_cookie_consentapp\Events\RegisterPublicEvents.php:36

authwp_ajax_favorites_cookie_consentapp\Events\RegisterPublicEvents.php:37

Shortcodes 6

[favorite_button] app\API\Shortcodes\ButtonShortcode.php:14

[clear_favorites_button] app\API\Shortcodes\ClearFavoritesShortcode.php:14

[favorite_count] app\API\Shortcodes\FavoriteCountShortcode.php:14

[post_favorites] app\API\Shortcodes\PostFavoritesShortcode.php:14

[user_favorite_count] app\API\Shortcodes\UserFavoriteCount.php:20

[user_favorites] app\API\Shortcodes\UserFavoritesShortcode.php:22

WordPress Hooks 18

actionadmin_enqueue_scriptsapp\Activation\Dependencies.php:32

actionadmin_enqueue_scriptsapp\Activation\Dependencies.php:33

actionwp_enqueue_scriptsapp\Activation\Dependencies.php:34

actionwp_enqueue_scriptsapp\Activation\Dependencies.php:35

actioninitapp\Bootstrap.php:20

actionadmin_initapp\Bootstrap.php:21

actionplugins_loadedapp\Bootstrap.php:23

actionadmin_initapp\Config\Settings.php:33

actionadmin_menuapp\Config\Settings.php:34

filterfavorites/authentication_modal_contentapp\Config\SettingsRepository.php:136

filterfavorites/authentication_modal_contentapp\Config\SettingsRepository.php:137

filterfavorites/authentication_modal_contentapp\Config\SettingsRepository.php:138

filterfavorites/authentication_modal_contentapp\Config\SettingsRepository.php:139

filterfavorites/authentication_modal_contentapp\Config\SettingsRepository.php:140

filterfavorites/authentication_modal_contentapp\Config\SettingsRepository.php:141

filterfavorites/authentication_modal_contentapp\Config\SettingsRepository.php:142

filterthe_contentapp\Entities\Post\PostHooks.php:30

actionadd_meta_boxesapp\Entities\Post\PostMeta.php:17

Maintenance & Trust

Favorites Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5

Last updatedApr 10, 2025

PHP min version5.4

Downloads293K

Community Trust

Rating92/100

Number of ratings132

Active installs10K

Alternatives

Favorites Alternatives

My Favorites

my-favorites

Save user's favorite posts and list them.

1K 2 CVEs

Keyring Reactions Importer

keyring-reactions-importer

A social reactions ( comments, like, favs, etc. ) importer.

10 No CVEs

Slickstream: Engagement and Conversions

slick-engagement

Use Slickstream to upgrade your site search. Get beautiful as-you-type search, relevant content recommendations, user favorites and more!

2K 2 CVEs

Admin Bookmarks

my-admin-bookmarks

100

Bookmark your favorite posts, pages or custom post types within the WordPress admin

500 No CVEs

DBWD Bookmark Page

dbwd-bookmark-page

Adds a "Bookmark this Page" button to your header WITHOUT editing your theme - Firefox and IE tested.

30 No CVEs

Developer Profile

Favorites Developer Profile

Kyle Phillips

3 plugins · 100K total installs

trust score

Avg Security Score

86/100

Avg Patch Time

399 days

View full developer profile

Detection Fingerprints

How We Detect Favorites

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/favorites/assets/css/favorites-admin.css/wp-content/plugins/favorites/assets/js/favorites-admin.min.js/wp-content/plugins/favorites/assets/css/favorites.css/wp-content/plugins/favorites/assets/js/favorites.js/wp-content/plugins/favorites/assets/js/favorites.min.js

Script Paths

/wp-content/plugins/favorites/assets/js/favorites.min.js/wp-content/plugins/favorites/assets/js/favorites.js

Version Parameters

favorites-adminsimple-favoritesfavorites

HTML / DOM Fingerprints

CSS Classes

btn-favorite

HTML Comments

This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License, version 2, as 
    published by the Free Software Foundation.

This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA

Data Attributes

data-iddata-site-iddata-group-id

JS Globals

favorites_data

Shortcode Output

[favorite_button][clear_favorites_button][favorite_count]

FAQ