Featured Post Creative Security & Risk Analysis

wordpress.org/plugins/featured-post-creative

Display featured posts on your website with 2 shortcodes and 1 widget. Also works with the Gutenberg shortcode block.

1K active installs · v1.5.7 · PHP + WP 4.0+ · Updated Feb 19, 2026
Tags: display-featured-posts, featured-post-brick-layout, featured-post-widget, free-featured-posts, responsive-featured-post-grid
Security score: 98 · A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Nov 26, 2025
Safety Verdict

Is Featured Post Creative Safe to Use in 2026?

Generally Safe

Score 98/100

Featured Post Creative has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Nov 26, 2025 · Updated 1mo ago
Risk Assessment

The "featured-post-creative" plugin v1.5.7 exhibits a mixed security posture. On the positive side, the static analysis reveals a relatively small attack surface with all identified entry points (AJAX handlers, shortcodes, cron events) appearing to have authentication checks. The code also demonstrates good practices regarding SQL queries, exclusively using prepared statements, and a high percentage of output escaping. Furthermore, the presence of multiple nonce and capability checks suggests an effort to secure the plugin's functionalities.

However, a significant concern arises from the presence of the `unserialize` function, which is inherently risky if not handled with extreme caution, especially when dealing with untrusted data. While the taint analysis did not reveal any unsanitized paths or critical/high severity flows, the potential for unserialize vulnerabilities cannot be ignored without deeper inspection of its usage. The vulnerability history, with two known medium-severity CVEs in the past, both related to missing authorization, indicates a recurring pattern of authorization weaknesses, even though no CVEs are currently unpatched. This history suggests a need for ongoing vigilance and thorough security reviews for this plugin.

In conclusion, while the plugin demonstrates some solid security practices like prepared statements and output escaping, the use of `unserialize` and the historical pattern of authorization vulnerabilities warrant careful consideration. The lack of unpatched CVEs is a positive sign, but the potential for future issues exists if the identified risks are not addressed. A more in-depth review of how `unserialize` is implemented would be beneficial.

Key Concerns

  • Presence of the unserialize function
  • History of medium severity CVEs (Missing Authorization)
Vulnerabilities (2)

Featured Post Creative Security Vulnerabilities

CVEs by Year

2023: 1 CVE
2025: 1 CVE

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2025-66106 · medium · 4.3 · Missing Authorization

Featured Post Creative <= 1.5.5 - Missing Authorization

Nov 26, 2025 · Patched in 1.5.6 (6d)

CVE-2023-30488 · medium · 5.3 · Missing Authorization

Featured Post Creative <= 1.2.7 - Missing Authorization via wpfp_update_featured_post

Apr 13, 2023 · Patched in 1.2.8 (285d)
Code Analysis
Analyzed Mar 16, 2026

Featured Post Creative Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 24 (218 escaped)
Nonce Checks: 7
Capability Checks: 7
File Operations: 3
External Requests: 1
Bundled Libraries: 0

Dangerous Functions Found

unserialize: `$info = @unserialize($data);` (wpos-analytics\includes\class-anylc-admin.php:696)

Output Escaping

90% escaped · 242 total outputs
Data Flows: All sanitized

Data Flow Analysis

1 flow: <class-wpfp-admin> (includes\admin\class-wpfp-admin.php:0)
Attack Surface

Featured Post Creative Attack Surface

Entry Points: 3
Unprotected: 0

AJAX Handlers 1

auth wp_ajax_wpfp_update_featured_post includes\admin\class-wpfp-admin.php:41

Shortcodes 2

[fpc_post_grid] includes\shortcode\wpfp-recent-post-grid.php:131
[fpc_post_block] includes\shortcode\wpfp-recent-post.php:123
WordPress Hooks 31
action add_meta_boxes includes\admin\class-wpfp-admin.php:20
action save_post includes\admin\class-wpfp-admin.php:23
action admin_menu includes\admin\class-wpfp-admin.php:26
action admin_init includes\admin\class-wpfp-admin.php:29
filter plugin_row_meta includes\admin\class-wpfp-admin.php:44
action init includes\admin\supports\gutenberg-block.php:134
action enqueue_block_editor_assets includes\admin\supports\gutenberg-block.php:157
filter block_categories_all includes\admin\supports\gutenberg-block.php:178
action admin_enqueue_scripts includes\class-wpfp-script.php:20
action wp_enqueue_scripts includes\class-wpfp-script.php:23
action wp_head includes\class-wpfp-script.php:26
action widgets_init includes\widgets\class-wpfp-featured-widget-list.php:230
action admin_menu wpos-analytics\includes\class-anylc-admin.php:45
action admin_menu wpos-analytics\includes\class-anylc-admin.php:48
action admin_init wpos-analytics\includes\class-anylc-admin.php:51
action admin_notices wpos-analytics\includes\class-anylc-admin.php:54
action admin_footer wpos-analytics\includes\class-anylc-admin.php:57
action wp_loaded wpos-analytics\includes\class-anylc-admin.php:60
action init wpos-analytics\includes\class-anylc-admin.php:63
filter cron_schedules wpos-analytics\includes\class-anylc-admin.php:66
action wpos_monthly_cron_hook wpos-analytics\includes\class-anylc-admin.php:69
action rest_api_init wpos-analytics\includes\class-anylc-admin.php:72
filter rest_pre_serve_request wpos-analytics\includes\class-anylc-admin.php:585
action admin_enqueue_scripts wpos-analytics\includes\class-anylc-script.php:20
action activated_plugin wpos-analytics\wpos-analytics.php:244
action plugins_loaded wpos-analytics\wpos-analytics.php:258
action plugins_loaded wpos-featured-post-creative.php:86
action admin_notices wpos-featured-post-creative.php:179
action admin_menu wpos-plugins\includes\admin\class-espbw-admin.php:19
action admin_enqueue_scripts wpos-plugins\includes\class-espbw-script.php:19
action plugins_loaded wpos-plugins\wpos-recommendation.php:185

Scheduled Events 1

wpos_monthly_cron_hook
Maintenance & Trust

Featured Post Creative Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 19, 2026
PHP min version
Downloads: 61K

Community Trust

Rating: 92/100
Number of ratings: 9
Active installs: 1K
Developer Profile

Featured Post Creative Developer Profile

Essential Plugin

33 plugins · 205K total installs

Trust score: 78
Avg Security Score: 99/100
Avg Patch Time: 219 days
Detection Fingerprints

How We Detect Featured Post Creative

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/featured-post-creative/assets/css/wpfp-style.css
/wp-content/plugins/featured-post-creative/assets/js/wpfp-scripts.js
Script Paths
/wp-content/plugins/featured-post-creative/assets/js/blocks.build.js
Version Parameters
featured-post-creative/assets/css/wpfp-style.css?ver=
featured-post-creative/assets/js/wpfp-scripts.js?ver=
featured-post-creative/assets/js/blocks.build.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpfp-featured-post
Data Attributes
data-wpfp-id
JS Globals
Wpfp_Block
Shortcode Output
[wpfp_featured_posts]
[wpfp_featured_posts_grid]
FAQ

Frequently Asked Questions about Featured Post Creative