Web Icons Security & Risk Analysis

wordpress.org/plugins/icon

Web Icons plugin gives you scalable vector icons that can instantly be customized. More than 2.5k icons available.

1K active installs · v1.0.0.11 · PHP + · WP 3.3+ · Updated Dec 2, 2025
Tags: flat-icon, icon, icon-font, icons, web-icon
Score: 99 · A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Mar 28, 2024

Safety Verdict

Is Web Icons Safe to Use in 2026?

Generally Safe

Score 99/100

Web Icons has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Mar 28, 2024 · Updated 4mo ago

Risk Assessment

The "icon" plugin v1.0.0.11 presents a mixed security posture. On the positive side, the static analysis reveals no dangerous functions, all SQL queries are properly prepared, and there are no file operations or external HTTP requests, which significantly reduces the potential for common web vulnerabilities. The presence of nonce and capability checks on its entry points is also a strong indicator of good security practices for its limited attack surface.

However, a significant concern arises from the vulnerability history. The plugin has had two known medium-severity vulnerabilities, both related to Cross-Site Scripting (XSS). The most recent vulnerability dates from March 2024. The provided data states 'Currently unpatched: 0', but the presence of known CVEs, one of them recent, implies the need for vigilance and updates and suggests a pattern of input sanitization issues. While the static analysis did not detect any unsanitized taint flows in this specific version, the historical context is a critical factor.

In conclusion, while the current code version has implemented several good security practices and has a small, protected attack surface, the historical prevalence of XSS vulnerabilities cannot be ignored. Users should be aware of this history and ensure they are using the latest available version of the plugin, as past issues may indicate potential lingering risks or a need for continued vigilance regarding input handling.

Key Concerns

  • Known CVEs exist for this plugin
  • Outputs not properly escaped
  • Bundled library TinyMCE
Vulnerabilities
2

Web Icons Security Vulnerabilities

CVEs by Year

2 CVEs in 2024

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2024-30445 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Web Icons <= 1.0.0.10 - Authenticated (Contributor+) Stored Cross-Site Scripting

Mar 28, 2024 · Patched in 1.0.0.11 (7d)

CVE-2024-29933 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Web Icons <= 1.0.0.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Mar 25, 2024 · Patched in 1.0.0.11 (8d)

Code Analysis
Analyzed Mar 16, 2026

Web Icons Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 15 (23 escaped)
Nonce Checks: 1
Capability Checks: 3
File Operations: 0
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

TinyMCE

Output Escaping

61% escaped · 38 total outputs

Attack Surface

Web Icons Attack Surface

Entry Points: 2
Unprotected: 0

AJAX Handlers 1

auth · wp_ajax_icon_get_icons_ajax · inc\admin\functions\icon-functions.php:80

Shortcodes 1

[wpicon] · inc\frontend\icon-shortcode.php:58

WordPress Hooks 15

  • filter · widget_text · icon.php:31
  • filter · the_excerpt · icon.php:32
  • filter · the_excerpt · icon.php:33
  • action · init · icon.php:34
  • action · admin_init · icon.php:81
  • action · media_buttons · inc\admin\functions\helpers.php:45
  • action · admin_enqueue_scripts · inc\admin\functions\helpers.php:57
  • action · admin_menu · inc\admin\functions\icon-functions.php:106
  • action · admin_footer · inc\admin\iconpicker.php:99
  • action · admin_init · inc\admin\tinymce-plugin\shortcode-replacer.php:19
  • filter · mce_external_plugins · inc\admin\tinymce-plugin\shortcode-replacer.php:22
  • action · current_screen · inc\admin\tinymce-plugin\shortcode-replacer.php:23
  • filter · mce_buttons · inc\admin\tinymce-plugin\shortcode-replacer.php:34
  • action · enqueue_block_editor_assets · inc\admin\tinymce-plugin\shortcode-replacer.php:35
  • action · wp_enqueue_scripts · inc\frontend\icon-script.php:27

Maintenance & Trust

Web Icons Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 2, 2025
PHP min version
Downloads: 35K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 1K

Developer Profile

Web Icons Developer Profile

GhozyLab

10 plugins · 21K total installs

Trust score: 74
Avg Security Score: 93/100
Avg Patch Time: 872 days
Detection Fingerprints

How We Detect Web Icons

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/icon/inc/admin/assets/css/jquery.fonticonpicker.min.css
  • /wp-content/plugins/icon/inc/admin/assets/css/iconpicker.css
  • /wp-content/plugins/icon/inc/admin/assets/themes/bootstrap-theme/jquery.fonticonpicker.bootstrap.min.css
  • /wp-content/plugins/icon/inc/global/assets/icons/icomoon/icomoon.css
  • /wp-content/plugins/icon/inc/global/assets/icons/fontello/css/fontello.css
  • /wp-content/plugins/icon/inc/global/assets/icons/openiconic/css/open-iconic-bootstrap.min.css
  • /wp-content/plugins/icon/inc/global/assets/icons/fontawesome/font-awesome.min.css
  • /wp-content/plugins/icon/inc/global/assets/icons/justvector/stylesheets/justvector.css
  • +5 more

Script Paths

  • /wp-content/plugins/icon/inc/admin/assets/js/jquery.fonticonpicker.min.js
  • /wp-content/plugins/icon/inc/admin/assets/js/icon-script.js
  • /wp-content/plugins/icon/inc/admin/tinymce-plugin/wpicons/editor_plugin.js

Version Parameters

  • icon-fonticonpicker-css?ver=
  • icon-iconpicker?ver=
  • icon-fonticonpicker-bootstrap-theme?ver=
  • icon-fonticonpicker-icomoon?ver=
  • icon-fonticonpicker-fontello?ver=
  • icon-fonticonpicker-openiconic?ver=
  • icon-fonticonpicker-dashicons?ver=
  • icon-fonticonpicker-fontawesome?ver=
  • icon-fonticonpicker-justvector?ver=
  • icon-fonticonpicker-paymentfont?ver=
  • icon-fonticonpicker-js?ver=
  • icon-main-js?ver=
  • icon-editor-styles?ver=
  • editor_plugin.js?ver=

HTML / DOM Fingerprints

CSS Classes
icon-picker
HTML Comments

  • <!-- include the css file to style the graphic that replaces the shortcode -->
  • <!-- include the tinymce javascript plugin -->
  • <!-- Enqueue block editor style -->

Data Attributes

  • data-iconpicker-opt
  • data-icon-version
  • data-icon

JS Globals
icon_picker_opt
FAQ

Frequently Asked Questions about Web Icons