Github Shortcode Security & Risk Analysis

wordpress.org/plugins/github-shortcode

Easily display GitHub Repositories in Pages/Posts.

10 active installs v0.1 PHP + WP 3.0.1+ Updated Nov 25, 2013
embedgithubshortcode
63
C · Use Caution
CVEs total1
Unpatched1
Last CVEMay 26, 2026
Safety Verdict

Is Github Shortcode Safe to Use in 2026?

Use With Caution

Score 63/100

Github Shortcode has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE 1 unpatched Last CVE: May 26, 2026Updated 12yr ago
Risk Assessment

The "github-shortcode" plugin v0.1 presents a generally strong security posture based on the static analysis. The absence of dangerous functions, external HTTP requests, file operations, and a complete reliance on prepared statements for any potential SQL queries are excellent security practices. The fact that all outputs are properly escaped further mitigates risks related to cross-site scripting (XSS). The plugin also demonstrates a minimal attack surface with only one shortcode and no identified AJAX handlers or REST API routes, and crucially, no entry points were found to be unprotected.

However, the lack of any nonces or capability checks across all entry points, even with a small attack surface, is a significant concern. While the current version has no known vulnerabilities or reported CVEs, this history doesn't guarantee future security, especially given the missing security controls. The absence of taint analysis flows and the very low version number (0.1) suggest this might be an early development stage. Therefore, while the code itself appears clean, the lack of fundamental security checks for its single entry point leaves it susceptible to potential privilege escalation or unauthorized actions if exploited. Continuous monitoring and adding appropriate nonce and capability checks are strongly recommended.

Key Concerns

  • Missing nonce checks on shortcode
  • Missing capability checks on shortcode
Vulnerabilities
1 published

Github Shortcode Security Vulnerabilities

CVEs by Year

1 CVE in 2026 · unpatched
2026
Patched Has unpatched

Severity Breakdown

Medium
1

1 total CVE

CVE-2026-8042medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Github Shortcode <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

May 26, 2026Unpatched
Version History

Github Shortcode Release Timeline

No version history available.
Code Analysis
Analyzed Mar 17, 2026

Github Shortcode Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
0
0 escaped
Nonce Checks
0
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0
Attack Surface

Github Shortcode Attack Surface

Entry Points1
Unprotected0

Shortcodes 1

[github] githubshortcode.php:16
WordPress Hooks 1
actioninitgithubshortcode.php:15
Maintenance & Trust

Github Shortcode Maintenance & Trust

Maintenance Signals

WordPress version tested3.7.41
Last updatedNov 25, 2013
PHP min version
Downloads4K

Community Trust

Rating0/100
Number of ratings0
Active installs10
Developer Profile

Github Shortcode Developer Profile

Jason Stallings

4 plugins · 50 total installs

80
trust score
Avg Security Score
80/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Github Shortcode

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/github-shortcode/jquery.githubRepoWidget.min.js
Script Paths
/wp-content/plugins/github-shortcode/jquery.githubRepoWidget.min.js

HTML / DOM Fingerprints

CSS Classes
github-widget
Data Attributes
data-repo
Shortcode Output
<div class="github-widget" data-repo="
FAQ

Frequently Asked Questions about Github Shortcode