HootKit Security & Risk Analysis

wordpress.org/plugins/hootkit

HootKit is a great companion plugin for WordPress themes by wpHoot.

8K active installs · v3.0.5 · PHP 7.4+ · WP 6.0+ · Updated Feb 22, 2026
Tags: demo-content, slider, widgets, wphoot
Security score: 100 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never

Is HootKit Safe to Use in 2026?

Generally Safe

Score 100/100

HootKit has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 1mo ago
Risk Assessment

The "hootkit" v3.0.5 plugin exhibits a generally good security posture, with no recorded vulnerabilities and no critical issues identified in taint analysis. The plugin demonstrates strong adherence to secure coding practices: prepared statements for all SQL queries, a high proportion of properly escaped output, and a comprehensive set of nonce and capability checks. Its attack surface of 10 entry points is entirely protected by authentication and authorization mechanisms, which is a significant strength.

However, the presence of the `unserialize` function is a notable concern. PHP's `unserialize` is inherently dangerous because it can lead to object injection if the serialized data originates from an untrusted source and is not handled with extreme care. While no direct exploitation paths were found in the static analysis or taint flows, these call sites remain a latent risk should the plugin's input validation fail or be bypassed in a future release. The plugin also performs external HTTP requests, which, while not a vulnerability in themselves, could become a server-side request forgery (SSRF) vector if request targets are ever influenced by untrusted input.

Overall, "hootkit" v3.0.5 appears to be a well-developed plugin from a security perspective, with its strengths significantly outweighing its weaknesses. The lack of historical vulnerabilities further reinforces this. The primary area for improvement would be to audit and potentially refactor the usage of `unserialize` to mitigate the inherent risks associated with it. The plugin's robust use of built-in WordPress security features is commendable.

Key Concerns

  • Dangerous function: unserialize used
  • External HTTP requests present

HootKit Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Analyzed Mar 16, 2026

HootKit Code Analysis

Dangerous Functions: 3
Raw SQL Queries: 0 (4 prepared)
Unescaped Output: 346 (611 escaped)
Nonce Checks: 9
Capability Checks: 15
File Operations: 3
External Requests: 6
Bundled Libraries: 1

Dangerous Functions Found

unserialize | `$hybridmenuicon = unserialize( $hybridmenuicon );` | misc\import\include\importers\class-wxr-importer.php:996
unserialize | `$hootmenuicon = unserialize( $hootmenuicon );` | misc\import\include\importers\class-wxr-importer.php:1002
unserialize | `$hootmenu = unserialize( $hootmenu );` | misc\import\include\importers\class-wxr-importer.php:1008

All three call sites are in the WXR importer. The practical risk depends on who can supply the data being imported: PHP `unserialize` on attacker-controlled input can instantiate arbitrary classes (PHP object injection), so the safer pattern for this kind of data is `unserialize( $value, array( 'allowed_classes' => false ) )` or a JSON encoding instead.

Bundled Libraries

Select2

SQL Query Safety

100% prepared (4 total queries)

Output Escaping

64% escaped (957 total outputs)

HootKit Attack Surface

Entry Points: 10
Unprotected: 0

AJAX Handlers (6)

Auth | Hook | Location
auth | wp_ajax_hootkit_dismiss_notice | admin\class-notice.php:76
auth | wp_ajax_hootkitsettings | admin\class-settings.php:81
auth | wp_ajax_hootkit_adminsettings_rated | admin\class-settings.php:85
auth | wp_ajax_hootkitimport_process | misc\import\include\class-importer.php:60
auth | wp_ajax_hk_carticon_refresh | widgets\products-carticon\admin.php:126
nopriv | wp_ajax_hk_carticon_refresh | widgets\products-carticon\admin.php:127

"auth" handlers are registered on the wp_ajax_ prefix, which WordPress only fires for logged-in users; a "nopriv" entry is additionally registered on the wp_ajax_nopriv_ prefix, which WordPress fires for unauthenticated visitors, so its input handling should be reviewed as public-facing code.

Shortcodes (4)

[mappress] misc\import\include\functions.php:14
[contact-form-7] misc\import\include\functions.php:17
[HKtimer] misc\shortcode-timer\admin.php:15
[hootkitwidget] misc\widgets-as-sc\admin.php:42
WordPress Hooks (118)

Type | Hook | Location
action | after_setup_theme | admin\class-dashmenu.php:37
action | admin_menu | admin\class-dashmenu.php:64
action | admin_notices | admin\class-notice.php:27
action | admin_print_footer_scripts | admin\class-notice.php:28
action | current_screen | admin\class-notice.php:33
action | after_setup_theme | admin\class-settings.php:37
action | admin_menu | admin\class-settings.php:72
action | admin_enqueue_scripts | admin\class-settings.php:78
filter | admin_footer_text | admin\class-settings.php:84
action | hootkit/deactivate | admin\class-settings.php:86
filter | wp_prepare_themes_for_js | admin\functions.php:38
action | admin_enqueue_scripts | admin\functions.php:58
action | plugins_loaded | hootkit.php:75
action | plugins_loaded | hootkit.php:83
action | after_setup_theme | hootkit.php:86
action | after_setup_theme | hootkit.php:87
action | plugins_loaded | include\class-assets.php:58
action | wp_enqueue_scripts | include\class-assets.php:60
action | admin_enqueue_scripts | include\class-assets.php:61
action | after_setup_theme | include\class-config.php:34
action | after_setup_theme | include\class-manifest.php:50
filter | hoot_customize_pattern_pnote | include\class-themes.php:58
filter | hoot_fontography_show_gfonts_note | include\class-themes.php:60
filter | hootkit_before_widget | include\template-functions.php:103
filter | hoot_attr_social-icons-icon | include\template-functions.php:208
action | wp_enqueue_scripts | misc\class-misc.php:78
action | after_setup_theme | misc\code\class-customcode.php:58
action | admin_enqueue_scripts | misc\code\code.php:36
action | hoot_manager_code | misc\code\code.php:39
action | admin_init | misc\code\code.php:42
action | init | misc\code\coderun.php:42
action | wp_head | misc\code\coderun.php:115
action | wp_body_open | misc\code\coderun.php:123
action | wp_footer | misc\code\coderun.php:131
action | init | misc\customizer.php:22
action | customize_preview_init | misc\customizer.php:25
action | customize_controls_enqueue_scripts | misc\customizer.php:26
filter | hootkit_customizer_options | misc\fly-cart\admin.php:19
action | wp_footer | misc\fly-cart\admin.php:22
action | hootkit/deactivate | misc\import\class-import.php:44
action | after_setup_theme | misc\import\include\class-admin.php:59
action | admin_enqueue_scripts | misc\import\include\class-admin.php:101
action | current_screen | misc\import\include\class-admin.php:103
action | admin_menu | misc\import\include\class-admin.php:106
filter | woocommerce_enable_setup_wizard | misc\import\include\class-admin.php:160
action | hootkitimport_plugin_activated | misc\import\include\class-importer.php:104
filter | hootkitimport_wp_import_term_meta | misc\import\include\class-importer.php:329
filter | hootkitimport_wp_import_post_meta | misc\import\include\class-importer.php:331
filter | hootkitimport_wp_import_comment_meta | misc\import\include\class-importer.php:333
action | hootkitimport_wp_import_menu_item | misc\import\include\class-importer.php:335
action | hootkitimport_wp_import_items_processed | misc\import\include\class-importer.php:338
action | hootkitimport_wp_import_terms_before | misc\import\include\class-importer.php:340
action | hootkitimport_wp_import_menu_item_customurl | misc\import\include\class-importer.php:342
filter | hootkitimport_wp_import_term_meta | misc\import\include\class-importer.php:354
filter | hootkitimport_wp_import_post_meta | misc\import\include\class-importer.php:355
filter | hootkitimport_wp_import_comment_meta | misc\import\include\class-importer.php:356
action | hootkitimport_wp_import_menu_item | misc\import\include\class-importer.php:357
action | hootkitimport_wp_import_items_processed | misc\import\include\class-importer.php:359
filter | hootkitimport_wp_import_terms | misc\import\include\class-importer.php:360
action | hootkitimport_wp_import_terms_before | misc\import\include\class-importer.php:361
filter | hootkitimport_wp_import_menu_item_menu_id | misc\import\include\class-importer.php:362
action | hootkitimport_wp_import_menu_item_customurl | misc\import\include\class-importer.php:363
filter | hootkitimport_widget_settings_array | misc\import\include\class-importer.php:372
action | hootkitimport_after_single_widget_import | misc\import\include\class-importer.php:482
action | wp | misc\import\include\functions.php:30
filter | hootkitimport_import_post_meta_key | misc\import\include\importers\class-wxr-importer.php:104
filter | http_request_timeout | misc\import\include\importers\class-wxr-importer.php:105
action | after_setup_theme | misc\tools\class-tools.php:44
action | hoot_manager_toolsexport | misc\tools\export.php:30
action | hoot_manager_toolsimport_notice | misc\tools\import.php:30
action | hoot_manager_toolsimport | misc\tools\import.php:31
filter | hootkit_customizer_options | misc\top-banner\admin.php:20
action | wp_body_open | misc\top-banner\admin.php:24
action | widgets_init | misc\widgets-as-sc\admin.php:19
action | widgets_init | widgets\announce\admin.php:139
action | widgets_init | widgets\buttons\admin.php:167
action | widgets_init | widgets\carousel\admin.php:187
action | siteorigin_panels_before_widget_form | widgets\class-hk-widget.php:62
action | widgets_init | widgets\contact-info\admin.php:135
filter | hoot_admin_widget_sanitize_field | widgets\contact-info\admin.php:156
action | widgets_init | widgets\content-blocks\admin.php:227
action | widgets_init | widgets\content-grid\admin.php:293
action | widgets_init | widgets\content-posts-blocks\admin.php:226
action | widgets_init | widgets\content-products-blocks\admin.php:229
action | widgets_init | widgets\cover-image\admin.php:382
action | widgets_init | widgets\cta\admin.php:181
action | widgets_init | widgets\icon\admin.php:113
action | widgets_init | widgets\icon-list\admin.php:131
action | widgets_init | widgets\notice\admin.php:147
action | widgets_init | widgets\number-blocks\admin.php:198
action | widgets_init | widgets\page-content\admin.php:98
action | widgets_init | widgets\post-grid\admin.php:283
action | widgets_init | widgets\post-list\admin.php:279
action | widgets_init | widgets\postcarousel\admin.php:196
action | widgets_init | widgets\postlistcarousel\admin.php:204
action | widgets_init | widgets\product-list\admin.php:280
action | widgets_init | widgets\productcarousel\admin.php:220
action | widgets_init | widgets\productlistcarousel\admin.php:204
action | widgets_init | widgets\products-carticon\admin.php:121
action | widgets_init | widgets\products-search\admin.php:105
action | widgets_init | widgets\products-ticker\admin.php:174
action | widgets_init | widgets\profile\admin.php:202
filter | hoot_admin_widget_sanitize_field | widgets\profile\admin.php:228
action | widgets_init | widgets\slider-image\admin.php:201
action | widgets_init | widgets\slider-postimage\admin.php:210
action | widgets_init | widgets\social-icons\admin.php:172
filter | hoot_admin_widget_sanitize_field | widgets\social-icons\admin.php:193
action | widgets_init | widgets\tabs\admin.php:114
action | widgets_init | widgets\ticker\admin.php:150
action | widgets_init | widgets\ticker-posts\admin.php:164
action | widgets_init | widgets\toggle\admin.php:122
action | widgets_init | widgets\vcards\admin.php:243
filter | hoot_admin_widget_sanitize_field | widgets\vcards\admin.php:269
filter | hootkit_widget_template | widgets-v2\announce\admin.php:30
filter | hootkit_icon_list_widget_settings | widgets-v2\icon-list\admin.php:48
filter | hootkit_widget_template | widgets-v2\products-carticon\admin.php:30
action | widgets_init | widgets-v3\content-grid\admin.php:290
action | widgets_init | widgets-v3\post-grid\admin.php:341

HootKit Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 22, 2026
PHP min version: 7.4
Downloads: 384K

Community Trust

Rating: 88/100
Number of ratings: 22
Active installs: 8K

HootKit Developer Profile

wpHoot

34 plugins · 18K total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days

How We Detect HootKit

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/hootkit/misc/import/assets/css/import.css
/wp-content/plugins/hootkit/misc/code/assets/css/customcode.css
/wp-content/plugins/hootkit/misc/tools/assets/css/tools.css
/wp-content/plugins/hootkit/admin/assets/css/settings.css
/wp-content/plugins/hootkit/admin/assets/css/dashmenu.css
/wp-content/plugins/hootkit/admin/assets/js/settings.js
/wp-content/plugins/hootkit/admin/assets/js/dashmenu.js
/wp-content/plugins/hootkit/assets/js/hootkit.js
(+1 more)

Script Paths
/wp-content/plugins/hootkit/misc/import/assets/js/import.js
/wp-content/plugins/hootkit/misc/code/assets/js/customcode.js
/wp-content/plugins/hootkit/misc/tools/assets/js/tools.js

Version Parameters
hootkit/assets/css/hootkit.css?ver=
hootkit/assets/js/hootkit.js?ver=

HTML / DOM Fingerprints

CSS Classes
hootkit-admin-wrap, hootkit-settings, hk-icon-menu, hk-icon-menu-li, hk-icon-menu-li-active, hk-icon-menu-li-text, hk-title

HTML Comments
<!-- Plugin Info -->
<!-- Run in Debug mode to load unminified CSS and JS, and add other developer data to code. -->
<!-- If this file is called directly, abort. -->
<!-- Admin Functions and Settings -->
(+19 more)

Data Attributes
data-hootkit-id, data-hootkit-content

JS Globals
HootKit, hootkit_params

REST Endpoints
/wp-json/hootkit/v1/settings
/wp-json/hootkit/v1/modules
/wp-json/hootkit/v1/themes

Frequently Asked Questions about HootKit