Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts Security & Risk Analysis

wordpress.org/plugins/insert-php

Insert PHP, JavaScript, CSS, HTML, ads, and tracking code into WordPress headers, footers, pages, and content using conditional logic, without editing …

60K active installs v2.7.2 PHP 7.0+ WP 5.6+ Updated Jan 27, 2026
Tags: code-snippets, custom-code, header-footer-scripts, insert-php, snippet
Score: 91 · A · Safe
CVEs total: 7
Unpatched: 0
Last CVE: Jun 14, 2024
Safety Verdict

Is Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts Safe to Use in 2026?

Generally Safe

Score 91/100

Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts has a strong security track record. Known vulnerabilities have been patched promptly.

7 known CVEs · Last CVE: Jun 14, 2024 · Updated 2mo ago
Risk Assessment

The "insert-php" plugin v2.7.2 exhibits a mixed security posture. While it boasts a significant number of auth checks on its AJAX handlers and appears to have no currently unpatched CVEs, several concerning signals emerge from the static analysis and its vulnerability history. The presence of the `unserialize` function, combined with taint analysis revealing flows with unsanitized paths, raises a red flag for potential code injection or deserialization vulnerabilities, especially when coupled with the plugin's history of "Improper Control of Generation of Code ('Code Injection')" and "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')". The vulnerability history also indicates a pattern of "Improper Access Control" and "Missing Authorization", which, despite the current auth checks, suggests past weaknesses in how user input and actions were validated. The large number of file operations and external HTTP requests also present potential vectors for exploitation if not handled with extreme care. Overall, while there are good practices like extensive nonce and capability checks, the presence of dangerous functions, concerning taint flows, and a history of severe vulnerabilities necessitate caution.

Key Concerns

  • Dangerous function 'unserialize' found
  • Taint flows with unsanitized paths
  • Multiple past critical/high vulnerabilities
  • 7 total CVEs, including critical and high
  • SQL queries with low prepared statement usage (57%)
  • 11 file operations
  • 3 external HTTP requests
Vulnerabilities: 7

Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts Security Vulnerabilities

CVEs by Year

  • 2019: 3 CVEs
  • 2020: 1 CVE
  • 2022: 1 CVE
  • 2024: 2 CVEs

Severity Breakdown

  • Critical: 1
  • High: 2
  • Medium: 4

7 total CVEs

CVE-2024-3105 · critical · 9.9 · Improper Control of Generation of Code ('Code Injection')

Woody code snippets – Insert Header Footer Code, AdSense Ads <= 2.5.0 - Authenticated (Contributor+) Remote Code Execution

Jun 14, 2024 · Patched in 2.5.1 (1d)

CVE-2024-35751 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Woody code snippets – Insert Header Footer Code, AdSense Ads <= 2.5.0 - Authenticated (Admin+) Stored Cross-Site Scripting

Jun 6, 2024 · Patched in 2.5.1 (477d)

WF-95bae3f2-313b-4b6c-a81c-8af6f169151b-insert-php · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Woody code snippets <= 2.4.5 - Reflected Cross-Site Scripting

Jun 2, 2022 · Patched in 2.4.6 (600d)

CVE-2020-36759 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Woody code snippets <= 2.3.9 - Cross-Site Request Forgery Bypass

Sep 16, 2020 · Patched in 2.3.10 (1224d)

CVE-2019-16289 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Woody Ad Snippets <= 2.2.8 - Authenticated Cross-Site Scripting

Sep 13, 2019 · Patched in 2.2.9 (1593d)

CVE-2019-14773 · high · 7.5 · Improper Access Control

Woody Ad Snippets <= 2.2.5 - Arbitrary Post Deletion

Aug 9, 2019 · Patched in 2.2.6 (1628d)

CVE-2019-15858 · high · 8.8 · Missing Authorization

Woody Ad Snippets <= 2.2.4 - Missing Authorization to Settings Import

Aug 2, 2019 · Patched in 2.2.5 (1635d)

Code Analysis
Analyzed Mar 16, 2026

Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts Code Analysis

  • Dangerous Functions: 1
  • Raw SQL Queries: 4 (3 prepared)
  • Unescaped Output: 54 (225 escaped)
  • Nonce Checks: 20
  • Capability Checks: 24
  • File Operations: 11
  • External Requests: 3
  • Bundled Libraries: 1

Dangerous Functions Found

`unserialize` · `$unserialized_filters = unserialize( $post['meta']['filters'] );` · includes\class.helpers.php:441

Bundled Libraries

TinyMCE

SQL Query Safety

43% prepared · 7 total queries

Output Escaping

81% escaped · 279 total outputs

Data Flows: 3 unsanitized

Data Flow Analysis

4 flows · 3 with unsanitized paths
render_snippet_dropdown (admin\includes\class.common.snippet.php:181)
Attack Surface

Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts Attack Surface

Entry Points: 13
Unprotected: 0

AJAX Handlers 13

auth · wp_ajax_wbcr_inp_ajax_get_user_roles · admin\ajax\ajax.php:50
auth · wp_ajax_wbcr_inp_ajax_get_post_types · admin\ajax\ajax.php:84
auth · wp_ajax_wbcr_inp_ajax_get_taxonomies · admin\ajax\ajax.php:119
auth · wp_ajax_wbcr_inp_ajax_get_page_list · admin\ajax\ajax.php:251
auth · wp_ajax_winp_permalink · admin\ajax\ajax.php:282
auth · wp_ajax_wbcr_inp_ajax_validate_snippet · admin\ajax\ajax.php:410
auth · wp_ajax_winp_get_snippet_library · admin\ajax\snippet-library.php:40
auth · wp_ajax_winp_snippet_create · admin\ajax\snippet-library.php:61
auth · wp_ajax_winp_snippet_delete · admin\ajax\snippet-library.php:81
auth · wp_ajax_winp_sts_display · admin\ajax\snippet-library.php:111
auth · wp_ajax_winp_dismiss_notice · admin\includes\class.notices.php:44
auth · wp_ajax_change_priority · admin\includes\class.snippets.viewtable.php:64
auth · wp_ajax_change_snippet_status · admin\includes\class.snippets.viewtable.php:65

WordPress Hooks 97
action · admin_init · admin\boot.php:19
action · admin_enqueue_scripts · admin\boot.php:66
action · admin_enqueue_scripts · admin\boot.php:67
action · init · admin\boot.php:103
action · admin_print_scripts-post.php · admin\boot.php:106
action · admin_print_scripts-post-new.php · admin\boot.php:107
action · admin_print_scripts-widgets.php · admin\boot.php:108
action · wp_trash_post · admin\boot.php:126
filter · custom_menu_order · admin\boot.php:147
filter · admin_menu · admin\boot.php:148
filter · admin_menu · admin\boot.php:185
action · current_screen · admin\boot.php:215
filter · post_row_actions · admin\includes\class.actions.snippet.php:31
action · post_submitbox_start · admin\includes\class.actions.snippet.php:43
action · admin_init · admin\includes\class.actions.snippet.php:44
action · current_screen · admin\includes\class.actions.snippet.php:45
action · admin_enqueue_scripts · admin\includes\class.actions.snippet.php:46
action · admin_init · admin\includes\class.admin.notices.php:24
action · admin_init · admin\includes\class.admin.notices.php:25
action · current_screen · admin\includes\class.common.snippet.php:24
action · edit_form_before_permalink · admin\includes\class.common.snippet.php:25
action · admin_notices · admin\includes\class.common.snippet.php:26
action · before_delete_post · admin\includes\class.common.snippet.php:27
action · save_post · admin\includes\class.common.snippet.php:28
action · auto-draft_to_publish · admin\includes\class.common.snippet.php:30
filter · script_loader_src · admin\includes\class.common.snippet.php:32
action · admin_head · admin\includes\class.common.snippet.php:565
action · admin_head · admin\includes\class.common.snippet.php:569
action · restrict_manage_posts · admin\includes\class.filter.snippet.php:19
filter · parse_query · admin\includes\class.filter.snippet.php:20
action · init · admin\includes\class.gutenberg.snippet.php:38
action · admin_notices · admin\includes\class.notices.php:43
action · admin_enqueue_scripts · admin\includes\class.notices.php:45
action · admin_enqueue_scripts · admin\includes\class.snippets.viewtable.php:57
filter · post_row_actions · admin\includes\class.snippets.viewtable.php:60
action · admin_init · admin\includes\class.snippets.viewtable.php:68
action · add_meta_boxes · admin\metaboxes\snippet-metabox.php:22
action · admin_enqueue_scripts · admin\metaboxes\snippet-metabox.php:67
action · admin_enqueue_scripts · admin\metaboxes\snippet-metabox.php:68
action · admin_head · admin\metaboxes\snippet-metabox.php:70
filter · wp_default_editor · admin\metaboxes\snippet-metabox.php:71
action · admin_footer-post.php · admin\metaboxes\snippet-metabox.php:72
action · admin_footer-post-new.php · admin\metaboxes\snippet-metabox.php:73
action · edit_form_after_editor · admin\metaboxes\snippet-metabox.php:74
filter · admin_body_class · admin\metaboxes\snippet-metabox.php:76
action · edit_form_top · admin\metaboxes\snippet-metabox.php:77
action · post_submitbox_misc_actions · admin\metaboxes\snippet-metabox.php:78
action · edit_form_after_title · admin\metaboxes\snippet-metabox.php:79
filter · pre_post_content · admin\metaboxes\snippet-metabox.php:81
filter · content_save_pre · admin\metaboxes\snippet-metabox.php:82
action · save_post · admin\metaboxes\snippet-metabox.php:84
action · save_post · admin\metaboxes\snippet-metabox.php:85
filter · content_save_pre · admin\metaboxes\snippet-metabox.php:516
action · admin_menu · admin\pages\class.new-item.php:29
action · admin_menu · admin\pages\class.settings.php:29
action · admin_menu · admin\pages\class.snippet-library.php:29
action · init · admin\types\snippets-post-types.php:70
action · admin_head · admin\types\snippets-post-types.php:71
action · admin_head · admin\types\snippets-post-types.php:72
filter · post_updated_messages · admin\types\snippets-post-types.php:73
action · init · admin\types\snippets-taxonomy.php:38
action · admin_bar_menu · includes\class.admin-bar.php:51
action · wp_enqueue_scripts · includes\class.admin-bar.php:52
action · admin_enqueue_scripts · includes\class.admin-bar.php:53
action · wp_footer · includes\class.admin-bar.php:54
action · admin_footer · includes\class.admin-bar.php:55
filter · winp_skip_snippet_execution · includes\class.execute.snippet.php:79
action · init · includes\class.execute.snippet.php:125
action · wp_head · includes\class.execute.snippet.php:128
action · wp_footer · includes\class.execute.snippet.php:129
action · the_post · includes\class.execute.snippet.php:130
filter · the_content · includes\class.execute.snippet.php:131
filter · the_excerpt · includes\class.execute.snippet.php:132
action · wp_head · includes\class.execute.snippet.php:139
filter · woocommerce_product_loop_start · includes\class.execute.snippet.php:408
filter · woocommerce_product_loop_end · includes\class.execute.snippet.php:416
action · woocommerce_before_single_product · includes\class.execute.snippet.php:424
action · woocommerce_after_single_product · includes\class.execute.snippet.php:427
action · woocommerce_before_single_product_summary · includes\class.execute.snippet.php:430
action · woocommerce_after_single_product_summary · includes\class.execute.snippet.php:433
action · woocommerce_single_product_summary · includes\class.execute.snippet.php:436
action · woocommerce_single_product_summary · includes\class.execute.snippet.php:439
action · woocommerce_single_product_summary · includes\class.execute.snippet.php:442
action · init · includes\class.plugin.php:68
action · rest_api_init · includes\class.rest.php:22
action · wp_enqueue_scripts · includes\shortcodes\shortcodes.php:61
action · admin_notices · insert_php.php:23
action · plugins_loaded · insert_php.php:84
action · plugins_loaded · insert_php.php:92
action · admin_init · insert_php.php:123
action · admin_notices · insert_php.php:134
filter · wp_php_error_message · insert_php.php:183
action · plugins_loaded · insert_php.php:197
filter · themeisle_sdk_products · insert_php.php:257
action · init · insert_php.php:291
action · admin_notices · insert_php.php:309
action · network_admin_notices · insert_php.php:310

Maintenance & Trust

Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Jan 27, 2026
  • PHP min version: 7.0
  • Downloads: 1.7M

Community Trust

  • Rating: 90/100
  • Number of ratings: 220
  • Active installs: 60K

Developer Profile

Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts Developer Profile

Themeisle

37 plugins · 2.2M total installs

  • Trust score: 76
  • Avg Security Score: 96/100
  • Avg Patch Time: 420 days
Detection Fingerprints

How We Detect Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/insert-php/admin/assets/img/icon-256x256.png

HTML / DOM Fingerprints

Shortcode Output
<div style="margin:20px 0;padding:20px; background:#ffe8e8;">If you see this message after saving the snippet to the Woody Code Snippets plugin, please enable safe mode in the Woody plugin. Safe mode will allow you to continue working in the admin panel of your site and change the snippet in which you made a php error.</div><a href="" class="button">Enable Safe Mode</a>