HW Image Widget Security & Risk Analysis

wordpress.org/plugins/hw-image-widget

Image widget that will allow you to choose responsive or fixed sized behavior. Includes TinyMCE rich text editing of the text description.

1K active installs v4.4 PHP + WP 3.5+ Updated Nov 28, 2017
Tags: image, image-widget, responsive, widget
85
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is HW Image Widget Safe to Use in 2026?

Generally Safe

Score 85/100

HW Image Widget has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 8yr ago
Risk Assessment

The hw-image-widget v4.4 plugin exhibits a generally positive security posture based on the provided static analysis. The absence of any entry points like AJAX handlers, REST API routes, shortcodes, or cron events significantly limits the plugin's attack surface. Furthermore, the code's adherence to using prepared statements for all SQL queries is a strong security practice, mitigating the risk of SQL injection vulnerabilities.

However, a significant concern arises from the low percentage of properly escaped output. With 81 total outputs and only 23% properly escaped, there is a high likelihood of cross-site scripting (XSS) vulnerabilities. This means that user-supplied data or data manipulated by users could be injected into the plugin's output and executed in a visitor's browser, potentially leading to session hijacking, defacement, or other malicious activities. The lack of any recorded vulnerabilities in its history is a positive sign, suggesting a history of responsible development, but this should not overshadow the identified output escaping issues.

In conclusion, while the plugin has a minimal attack surface and strong database query practices, the poor output escaping is a critical weakness that requires immediate attention. The potential for XSS vulnerabilities presents a tangible risk to users, despite the plugin's otherwise clean history and code analysis.

Key Concerns

  • Low percentage of properly escaped output
Vulnerabilities
None known

HW Image Widget Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

HW Image Widget Release Timeline

v4.4 (Current)
v4.3
v4.2
v4.1
v4.0
v3.0
v2.7
v2.6
v2.5
v2.4
v2.3.2
v2.3.1
v2.3
v2.2
v2.1
v2.0
v1.6
v1.5
v1.4
v1.3
Code Analysis
Analyzed Mar 16, 2026

HW Image Widget Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 62 (19 escaped)
  • Nonce Checks: 0
  • Capability Checks: 0
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 0

Output Escaping

23% escaped · 81 total outputs
Attack Surface

HW Image Widget Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 8
  • filter: cfct-admin-edit-post-type (hw-image-widget.php:38)
  • filter: cfct-build-enabled-post-types (hw-image-widget.php:39)
  • filter: cfct-module-cfct-widget-module-hwim-admin-form (hw-image-widget.php:40)
  • action: admin_enqueue_scripts (hw-image-widget.php:43)
  • action: admin_footer (hw-image-widget.php:47)
  • action: customize_controls_print_footer_scripts (hw-image-widget.php:51)
  • action: plugins_loaded (hw-image-widget.php:54)
  • action: widgets_init (hw-image-widget.php:55)
Maintenance & Trust

HW Image Widget Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.2.39
Last updated: Nov 28, 2017
PHP min version
Downloads: 40K

Community Trust

Rating: 88/100
Number of ratings: 14
Active installs: 1K
Developer Profile

HW Image Widget Developer Profile

Håkan Wennerberg

3 plugins · 1K total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect HW Image Widget

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/hw-image-widget/css/back-end.css
  • /wp-content/plugins/hw-image-widget/css/front-end.css
  • /wp-content/plugins/hw-image-widget/js/back-end.js
  • /wp-content/plugins/hw-image-widget/js/front-end.js
  • /wp-content/plugins/hw-image-widget/html/text-editor.php
  • /wp-content/plugins/hw-image-widget/html/back-end.php
  • /wp-content/plugins/hw-image-widget/html/hwim-template.php
Script Paths
/wp-content/plugins/hw-image-widget/js/back-end.js
Version Parameters
  • hw-image-widget/js/back-end.js?ver=
  • hw-image-widget/css/back-end.css?ver=
  • hw-image-widget/css/front-end.css?ver=
  • hw-image-widget/js/front-end.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • hwim-widget
  • hwim-widget-content
HTML Comments
  • <!-- Widget Form -->
  • <!-- Text Editor -->
  • <!-- Image Options -->
  • <!-- Link Options -->
  • +1 more
Data Attributes
  • data-hwim-id
  • data-hwim-text
  • data-hwim-src
  • data-hwim-display-size
  • data-hwim-display-width
  • data-hwim-display-height
  • +10 more
JS Globals
objectL10n