Float menu – awesome floating side menu Security & Risk Analysis

wordpress.org/plugins/float-menu

Easily create floating menus of varying complexity. Use its capabilities to place unique navigation on the site.

30K active installs · v7.2.3 · PHP 7.4+ · WP 4.3+ · Updated Feb 14, 2026
floating-menu · menu · navigation · side-menu · sticky-menu
97 · A · Safe
CVEs total: 4
Unpatched: 0
Last CVE: Mar 27, 2025
Safety Verdict

Is Float menu – awesome floating side menu Safe to Use in 2026?

Generally Safe

Score 97/100

Float menu – awesome floating side menu has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Mar 27, 2025 · Updated 1mo ago
Risk Assessment

The float-menu plugin v7.2.3 exhibits a mixed security posture. On the positive side, the plugin demonstrates good practices in several areas. The vast majority of output is properly escaped (98%), indicating a strong effort to prevent Cross-Site Scripting (XSS) vulnerabilities in rendered content. SQL queries largely utilize prepared statements (77%), which is crucial for preventing SQL injection. The presence of nonce checks and capability checks suggests some level of authorization and integrity protection is implemented.

However, several concerning aspects emerge from the analysis. The taint analysis reveals 8 flows with unsanitized paths, with 3 classified as high severity. This is a significant concern, as unsanitized paths can lead to various security issues, including directory traversal or arbitrary file read/write vulnerabilities, depending on how they are handled. The static analysis also highlights that 100% of the identified flows with unsanitized paths were not protected, directly correlating with the high severity taint findings. Furthermore, the plugin has a history of 4 known CVEs, all of which were medium severity and related to CSRF and XSS. While currently all are patched, this history suggests a pattern of vulnerabilities being introduced.

In conclusion, while float-menu v7.2.3 shows strengths in output escaping and prepared SQL statements, the presence of high-severity unsanitized path flows and a history of CSRF and XSS vulnerabilities necessitate caution. The unprotected nature of these flows is a critical weakness that needs immediate attention. The overall security is decent in general output handling but has specific, high-impact risks in its path handling.

Key Concerns

  • High severity taint flows (unsanitized paths)
  • All taint flows with unsanitized paths are unprotected
  • History of 4 medium CVEs (CSRF, XSS)
  • File operations detected
Vulnerabilities
4

Float menu – awesome floating side menu Security Vulnerabilities

CVEs by Year

  • 2022: 1 CVE
  • 2023: 1 CVE
  • 2024: 1 CVE
  • 2025: 1 CVE

Severity Breakdown

Medium: 4

4 total CVEs

CVE-2025-30912 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Float menu <= 6.1.2 - Cross-Site Request Forgery to Settings Update

Mar 27, 2025 · Patched in 6.1.3 (7d)

CVE-2024-2405 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Float menu – awesome floating side menu <= 6.0 - Cross-Site Request Forgery to Menu Deletion

Apr 11, 2024 · Patched in 6.0.1 (27d)

CVE-2023-3225 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Float menu <= 5.0.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Jun 19, 2023 · Patched in 5.0.3 (218d)

CVE-2022-0313 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Float Menu <= 4.3 - Arbitrary Menu Deletion via Cross-Site Request Forgery

Jan 24, 2022 · Patched in 4.3.1 (729d)

Code Analysis
Analyzed Mar 16, 2026

Float menu – awesome floating side menu Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 6 (20 prepared)
  • Unescaped Output: 8 (315 escaped)
  • Nonce Checks: 4
  • Capability Checks: 3
  • File Operations: 1
  • External Requests: 0
  • Bundled Libraries: 0

SQL Query Safety

77% prepared · 26 total queries

Output Escaping

98% escaped · 323 total outputs

Data Flows: 8 unsanitized

Data Flow Analysis

8 flows · 8 with unsanitized paths
menu (classes\Admin\Dashboard.php:161)
Attack Surface

Float menu – awesome floating side menu Attack Surface

Entry Points: 0
Unprotected: 0

WordPress Hooks: 11

  • action · admin_init · classes\Admin\AdminActions.php:25
  • action · admin_notices · classes\Admin\AdminNotices.php:26
  • filter · plugin_action_links · classes\Admin\Dashboard.php:21
  • filter · admin_footer_text · classes\Admin\Dashboard.php:22
  • action · admin_enqueue_scripts · classes\Admin\Dashboard.php:23
  • action · admin_menu · classes\Admin\Dashboard.php:24
  • action · plugins_loaded · float-menu.php:71
  • action · admin_menu · includes\class-wow-company.php:20
  • action · admin_enqueue_scripts · includes\class-wow-company.php:21
  • action · wp_footer · public\class-wowp-public.php:35
  • action · wp_enqueue_scripts · public\class-wowp-public.php:36

Maintenance & Trust

Float menu – awesome floating side menu Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Feb 14, 2026
  • PHP min version: 7.4
  • Downloads: 793K

Community Trust

  • Rating: 88/100
  • Number of ratings: 41
  • Active installs: 30K

Developer Profile

Float menu – awesome floating side menu Developer Profile

Wow-Company

25 plugins · 98K total installs

  • Trust score: 76
  • Avg Security Score: 96/100
  • Avg Patch Time: 236 days

Detection Fingerprints

How We Detect Float menu – awesome floating side menu

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/float-menu/assets/css/styles.css
  • /wp-content/plugins/float-menu/assets/js/main.js
  • /wp-content/plugins/float-menu/assets/js/settings.js
  • /wp-content/plugins/float-menu/admin/assets/css/admin.css
  • /wp-content/plugins/float-menu/admin/assets/js/admin.js

Script Paths

  • /wp-content/plugins/float-menu/assets/js/main.js
  • /wp-content/plugins/float-menu/assets/js/settings.js
  • /wp-content/plugins/float-menu/admin/assets/js/admin.js

Version Parameters

  • /wp-content/plugins/float-menu/assets/css/styles.css?ver=
  • /wp-content/plugins/float-menu/assets/js/main.js?ver=
  • /wp-content/plugins/float-menu/assets/js/settings.js?ver=
  • /wp-content/plugins/float-menu/admin/assets/css/admin.css?ver=
  • /wp-content/plugins/float-menu/admin/assets/js/admin.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • wowfmp-container
  • wowfmp-menu
  • wowfmp-item

HTML Comments

  • <!-- Float Menu Lite -->
  • <!-- Float Menu Lite End -->

Data Attributes

  • data-wowfmp-id
  • data-wowfmp-type

JS Globals

  • wowfmp_settings
  • wowfmp_ajax_object

REST Endpoints

  • /wp-json/float-menu/v1/settings

Shortcode Output

  • [Float-Menu]