Focus – Featured Posts Widget & Shortcode Security & Risk Analysis

wordpress.org/plugins/focus-slider

Spotlight your Posts using Focus - a multi purpose WordPress Featured Slider Widgets and Shortcode Plugin to display your posts elegantly.

30 active installs · v1.0 · PHP + WP 4.0+ · Updated: Unknown
Security score: 100/100 (grade A, Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Focus – Featured Posts Widget & Shortcode Safe to Use in 2026?

Generally Safe

Score 100/100

Focus – Featured Posts Widget & Shortcode has no known CVEs. Its last update date is unknown and it is marked as tested only up to WordPress 4.7.32, and the static analysis below flags two unsanitized unserialize() calls, unprotected AJAX handlers and a low output-escaping ratio, so read the Risk Assessment before relying on the score alone.

No known CVEs
Risk Assessment

The focus-slider v1.0 plugin exhibits a mixed security posture. It has no known historical vulnerabilities and issues no raw SQL queries, but the static analysis flags several concerns. Two unserialize() calls run on data that is not validated first: one on a shortcode attribute value (core\functions.shortcodes.php:226) and one on the stored widget instance's categories field (core\functions.widget.php:126). Unserializing attacker-controlled strings is PHP object injection; it escalates to code execution or file manipulation only if a class with an exploitable __wakeup() or __destruct() (a gadget chain) is loadable at that point, so the real severity depends on what else is installed and on who can reach each call (anyone who can place the shortcode for the first, whoever can save the widget settings for the second). The taint analysis reports one flow with an unsanitized path, in focuswp_extract_shortcodes, which is the callback behind one of the AJAX handlers. Two of the four AJAX handlers carry no authentication check, the media-upload action is additionally registered for unauthenticated (nopriv) requests, and the whole plugin contains a single nonce check. Only 15% of outputs (14 of 94) pass through an escaping function, so reflected or stored Cross-Site Scripting is a realistic risk wherever those outputs carry user-supplied data. The absence of CVEs suggests the plugin has not been examined closely as much as it suggests good maintenance; with 30 active installs it draws little research attention, and the zero count does not negate the issues in the current code.

Key Concerns

  • Two unserialize() calls on unvalidated input (core\functions.shortcodes.php:226 and core\functions.widget.php:126)
  • AJAX handlers without auth checks (2 of 4; one also registered for nopriv requests)
  • Low output escaping percentage (14 of 94 outputs, 15%)
  • Taint flow with an unsanitized path (focuswp_extract_shortcodes)
Vulnerabilities
None known

Focus – Featured Posts Widget & Shortcode Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Focus – Featured Posts Widget & Shortcode Code Analysis

Dangerous Functions: 2
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 80 (14 escaped)
Nonce Checks: 1
Capability Checks: 3
File Operations: 0
External Requests: 0
Bundled Libraries: 1

Dangerous Functions Found

unserialize   $categories = unserialize( $value );   core\functions.shortcodes.php:226
unserialize   $cat_values = ( isset( $instance['categories'] ) ) ? unserialize( $instance['categories'] ) : array(   core\functions.widget.php:126
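Both calls above hand a string straight to unserialize(). The added example below is not the plugin's code; it shows the minimal hardening for this pattern: pass allowed_classes => false (PHP 7.0+) so no object in the payload is ever instantiated, then validate the result against the only shape the plugin needs, a flat list of category IDs. The focus_example_* function names and the three payloads are assumptions constructed for illustration.

```php
<?php
// Added example, not the plugin's code. Hardening for the two unserialize()
// calls listed above. All names here are hypothetical.

/**
 * Untrusted string -> list of category IDs, without PHP object injection.
 *
 * allowed_classes => false makes unserialize() turn any object in the payload
 * into __PHP_Incomplete_Class instead of instantiating it, so no __wakeup() or
 * __destruct() gadget can run. The decoded value is then checked to be a flat
 * list of positive integers, which is all the slider needs.
 */
function focus_example_parse_category_ids( $raw ) {
    if ( ! is_string( $raw ) || '' === $raw ) {
        return array();
    }

    // Cheap pre-check: a serialized PHP array always starts with "a:".
    // Anything else (an "O:" object, a bare scalar) is rejected unread.
    if ( 'a:' !== substr( $raw, 0, 2 ) ) {
        return array();
    }

    $decoded = @unserialize( $raw, array( 'allowed_classes' => false ) );
    if ( ! is_array( $decoded ) ) {
        return array();
    }

    $ids = array();
    foreach ( $decoded as $value ) {
        // Keep only ints or digit-only strings; nested arrays and
        // __PHP_Incomplete_Class instances are dropped here.
        if ( is_int( $value ) || ( is_string( $value ) && ctype_digit( $value ) ) ) {
            $id = (int) $value;
            if ( $id > 0 ) {
                $ids[] = $id;
            }
        }
    }
    return array_values( array_unique( $ids ) );
}

/**
 * Preferred storage format for new data: a comma-separated ID list needs no
 * unserialize() at all and can be read back with explode() + absint().
 */
function focus_example_store_category_ids( array $ids ) {
    return implode( ',', array_map( 'intval', $ids ) );
}

// Demo with constructed inputs (not taken from the plugin).
$benign = serialize( array( 3, 7, 12 ) );
$object = 'O:8:"stdClass":1:{s:3:"cmd";s:2:"id";}';   // object payload
$nested = 'a:1:{i:0;O:8:"stdClass":0:{}}';             // object inside array

print_r( focus_example_parse_category_ids( $benign ) );
print_r( focus_example_parse_category_ids( $object ) );
print_r( focus_example_parse_category_ids( $nested ) );
print_r( focus_example_store_category_ids( array( 3, 7, 12 ) ) );
```

Run under php-cli, the benign payload yields the list 3, 7, 12; the object payload is rejected by the "a:" pre-check and the nested one loses its incomplete-class element, so both yield an empty array. Inside WordPress, wp_parse_id_list() can replace the explode() + absint() read-back of the comma-separated form.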

Bundled Libraries

TinyMCE

Output Escaping

15% escaped (14 of 94 total outputs)
Data Flows
1 unsanitized

Data Flow Analysis

2 flows, 1 with an unsanitized path
focuswp_extract_shortcodes (core\functions.media-frame.php:94)
Attack Surface
2 unprotected

Focus – Featured Posts Widget & Shortcode Attack Surface

Entry Points: 5
Unprotected: 2

AJAX Handlers (4)

(auth = wp_ajax_ hook, callable by any logged-in user; nopriv = wp_ajax_nopriv_ hook, callable without logging in)

auth     wp_ajax_focuswp_media_upload          core\functions.media-frame.php:29
nopriv   wp_ajax_focuswp_media_upload          core\functions.media-frame.php:30
auth     wp_ajax_focuswp_extract_shortcodes    core\functions.media-frame.php:32
auth     wp_ajax_focuswp_hideRating            core\functions.notices.php:16
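The two unprotected handlers above and the 15% escaping ratio reported under Output Escaping point at the same fix: every wp_ajax_* callback should verify a nonce, check a capability, validate its input and escape anything it renders. The following is an added example, not the plugin's code; the hook name focus_example_media_upload, the callback names, the script handle focus-example-admin and the request fields post_id and title are assumptions chosen for illustration, modelled on the focuswp_media_upload handler listed above.

```php
<?php
// Added example, not the plugin's code. All hook, function and field names
// are hypothetical. Intended to run inside WordPress (uses core functions).

// Register for logged-in users only. Deliberately no wp_ajax_nopriv_
// registration: a media action has no legitimate anonymous caller.
add_action( 'wp_ajax_focus_example_media_upload', 'focus_example_media_upload' );

function focus_example_media_upload() {
    // 1. CSRF: the request must carry a nonce minted for this exact action.
    //    The second argument is the request field name; on failure this dies
    //    with HTTP 403 before any of the code below runs.
    check_ajax_referer( 'focus_example_media_upload', 'nonce' );

    // 2. Authorization: being logged in is not enough. Require the capability
    //    that matches the action (upload_files for media handling).
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient permissions' ), 403 );
    }

    // 3. Input validation: accept only the fields you expect, cast to type.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $title   = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    if ( 0 === $post_id || 'attachment' !== get_post_type( $post_id ) ) {
        wp_send_json_error( array( 'message' => 'invalid attachment' ), 400 );
    }
    // Object-level check: the caller must be allowed to edit this attachment,
    // not just attachments in general.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'not your attachment' ), 403 );
    }

    // 4. Output escaping at the point of output. wp_send_json_success() JSON-
    //    encodes the payload safely; the 'html' fragment is escaped here
    //    because the client injects it into the DOM as markup.
    $src  = wp_get_attachment_image_url( $post_id, 'thumbnail' );
    $html = sprintf(
        '<span class="focuswp" data-id="%s"><img src="%s" alt="%s"></span>',
        esc_attr( $post_id ),
        esc_url( $src ),
        esc_attr( $title )
    );
    wp_send_json_success( array( 'id' => $post_id, 'html' => $html ) );
}

// Admin side: the nonce is minted for the same action string and handed to
// the script that makes the request. Assumes the handle focus-example-admin
// was registered with wp_register_script() earlier.
function focus_example_enqueue_admin() {
    wp_localize_script( 'focus-example-admin', 'FOCUS_EXAMPLE', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'focus_example_media_upload' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'focus_example_enqueue_admin' );
```

The client then POSTs action=focus_example_media_upload together with the nonce field to admin-ajax.php. Because check_ajax_referer() dies on a bad nonce and the capability checks use wp_send_json_error() with an explicit status code, an unauthenticated or under-privileged request never reaches the attachment lookup.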

Shortcodes (1)

[focus-slides] core\functions.shortcodes.php:33
WordPress Hooks (32)

action   wp_enqueue_scripts              core\functions.enqueue.php:13
action   admin_enqueue_scripts           core\functions.enqueue.php:14
action   plugins_loaded                  core\functions.media-frame.php:10
filter   media_upload_tabs               core\functions.media-frame.php:25
action   media_upload_focuswp_media      core\functions.media-frame.php:27
action   admin_notices                   core\functions.notices.php:14
action   admin_enqueue_scripts           core\functions.screen.php:13
action   admin_menu                      core\functions.screen.php:14
action   activated_plugin                core\functions.screen.php:15
action   admin_head                      core\functions.screen.php:16
filter   admin_footer_text               core\functions.screen.php:17
action   init                            core\functions.shortcodes.php:20
action   focuswp_slide_head              core\functions.shortcodes.php:21
action   focuswp_slide_content           core\functions.shortcodes.php:22
action   focuswp_slide_content           core\functions.shortcodes.php:23
action   focuswp_content_meta            core\functions.shortcodes.php:24
action   focuswp_widget_display          core\functions.shortcodes.php:26
filter   focuswp_item_classes            core\functions.shortcodes.php:29
action   admin_init                      core\functions.tinymce.php:20
action   admin_head                      core\functions.tinymce.php:21
filter   mce_external_plugins            core\functions.tinymce.php:39
filter   mce_buttons                     core\functions.tinymce.php:40
action   focuswp_widget__before_tab      core\functions.widget.php:26
action   focuswp_widget__tab             core\functions.widget.php:27
action   focuswp_widget__tab             core\functions.widget.php:28
action   focuswp_widget__tabcontent      core\functions.widget.php:29
action   focuswp_widget__tabcontent      core\functions.widget.php:30
action   focuswp_widget__tabcontent      core\functions.widget.php:31
action   focuswp_tab__options_content    core\functions.widget.php:32
action   create_term                     core\functions.widget.php:34
action   widgets_init                    core\functions.widget.php:289
filter   widget_text                     plugin.php:24
Maintenance & Trust

Focus – Featured Posts Widget & Shortcode Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.7.32
Last updated: Unknown
PHP min version: not stated
Downloads: 3K

Community Trust

Rating: 96/100
Number of ratings: 4
Active installs: 30
Alternatives

Focus – Featured Posts Widget & Shortcode Alternatives

No alternatives data available yet.

Developer Profile

Focus – Featured Posts Widget & Shortcode Developer Profile

Jeffrey Carandang

7 plugins · 5K total installs

Trust score: 85
Avg Security Score: 87/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Focus – Featured Posts Widget & Shortcode

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/focus-slider/assets/css/focuswp.css
/wp-content/plugins/focus-slider/assets/css/focus-admin.css
/wp-content/plugins/focus-slider/assets/js/jquery.focus.min.js
/wp-content/plugins/focus-slider/assets/js/jquery.focus.admin.min.js
/wp-content/plugins/focus-slider/assets/js/jquery.media-frame.js
/wp-content/plugins/focus-slider/assets/css/welcome.css
Script Paths
/wp-content/plugins/focus-slider/assets/js/jquery.focus.min.js
/wp-content/plugins/focus-slider/assets/js/jquery.focus.admin.min.js
/wp-content/plugins/focus-slider/assets/js/jquery.media-frame.js

HTML / DOM Fingerprints

CSS Classes
focuswp-media-frame-wrapper, focuswp-media-frame, focuswp-media-frame-inner, focuswp-widget--tabs, focuswp-widget--tabs ul, focuswp-widget--tabcontent, focuswp-media-frame-submit, focuswp-query-submit, +4 more
HTML Comments
<!-- avoid direct calls to this file -->
<!-- Install -->
<!-- Runs on plugin install to populates the settings fields for those plugin -->
<!-- pages. -->
+7 more
Data Attributes
data-wp-focuswpselect, id="focuswp-media-frame", name="widget-focuswp_widget", nonce_field, action="/wp-admin/admin-ajax.php", value="focuswp_media_upload"
JS Globals
FOCUSWP_SLIDER_SCRIPTS, FOCUSWP_SLIDER_MEDIA_FRAME, FOCUSWP_SLIDER_SCREEN
REST Endpoints
/wp-json/focuswp-media-upload
/wp-json/focuswp-extract-shortcodes
Shortcode Output
<span class="focuswp">
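To turn the fingerprints above into a check you can run against a site you are authorised to scan, the following added example (not part of this page's tooling) matches the plugin's asset paths, focuswp-* class names and FOCUSWP_SLIDER_* globals against a page body and rates the confidence. The HTML sample is constructed for the demo and focus_example_fingerprint is a hypothetical name; in use, pass the response body of wp_remote_get() or curl instead.

```php
<?php
// Added example, not part of the page's tooling. Applies the asset-path,
// CSS-class and JS-global fingerprints listed above to a page body.

function focus_example_fingerprint( $html ) {
    $hits = array();

    // Asset paths under the plugin's own directory. The optional ?ver= query
    // is captured so a version string can be recorded when the site adds one.
    if ( preg_match_all(
        '#/wp-content/plugins/focus-slider/assets/(?:css|js)/[\w.\-]+(?:\?ver=([\w.\-]+))?#',
        $html, $m ) ) {
        $hits['assets']   = array_values( array_unique( $m[0] ) );
        $hits['versions'] = array_values( array_unique( array_filter( $m[1] ) ) );
    }

    // DOM markers: any class token starting with "focuswp".
    if ( preg_match_all( '#class="[^"]*\b(focuswp[\w\-]*)\b[^"]*"#', $html, $m ) ) {
        $hits['classes'] = array_values( array_unique( $m[1] ) );
    }

    // JS globals named on the page.
    if ( preg_match_all( '#\b(FOCUSWP_SLIDER_(?:SCRIPTS|MEDIA_FRAME|SCREEN))\b#', $html, $m ) ) {
        $hits['js_globals'] = array_values( array_unique( $m[1] ) );
    }

    // Weighting: an asset under /plugins/focus-slider/ is conclusive, since
    // only that plugin directory serves it; a class prefix or a global on its
    // own is only suggestive (themes can reuse class names).
    $hits['confidence'] = isset( $hits['assets'] ) ? 'high'
        : ( count( $hits ) ? 'low' : 'none' );
    return $hits;
}

// Constructed sample page body (not captured from a real site).
$sample = <<<'HTML'
<link rel="stylesheet" href="https://example.test/wp-content/plugins/focus-slider/assets/css/focuswp.css?ver=1.0">
<script src="https://example.test/wp-content/plugins/focus-slider/assets/js/jquery.focus.min.js?ver=1.0"></script>
<div class="focuswp-widget--tabs"><span class="focuswp">slide</span></div>
<script>var FOCUSWP_SLIDER_SCRIPTS = {};</script>
HTML;

print_r( focus_example_fingerprint( $sample ) );
```

On the sample the result carries two asset paths, the version 1.0, the classes focuswp-widget--tabs and focuswp, the global FOCUSWP_SLIDER_SCRIPTS, and confidence high. Note that the ?ver= value is whatever the site attaches to the script tag, which often is the WordPress version rather than the plugin's, so treat it as a hint and not as the plugin version.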
FAQ

Frequently Asked Questions about Focus – Featured Posts Widget & Shortcode