Insert PHP Code Snippet Security & Risk Analysis

wordpress.org/plugins/insert-php-code-snippet

Add PHP code to your pages and posts easily using shortcodes.

100K active installs · v1.4.4 · PHP + WP + · Updated Oct 23, 2025
Tags: add-php, insert-php, insert-php-code, insert-php-snippet, insert-php-tag
Score: 96 (A · Safe)
CVEs total: 3
Unpatched: 0
Last CVE: Oct 27, 2025
Safety Verdict

Is Insert PHP Code Snippet Safe to Use in 2026?

Generally Safe

Score 96/100

Insert PHP Code Snippet has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEs · Last CVE: Oct 27, 2025 · Updated 5mo ago
Risk Assessment

The 'insert-php-code-snippet' plugin version 1.4.5 exhibits a mixed security posture. While it demonstrates good practices in utilizing prepared statements for a majority of its SQL queries and includes a significant number of nonce and capability checks, notable concerns exist. The presence of one unprotected AJAX handler presents a direct entry point for potential unauthorized actions. Furthermore, the taint analysis reveals two high-severity flows with unsanitized paths, indicating a risk of injection vulnerabilities if these paths are exploited.

The plugin's historical vulnerability data is a significant concern. Three past CVEs, primarily involving missing authorization, CSRF, and XSS, suggest recurring security weaknesses that attackers may continue to target. While no CVEs are currently unpatched, the pattern of past vulnerabilities, especially those related to authorization and input validation, combined with the identified unprotected AJAX handler and unsanitized taint flows, points to a need for careful review and ongoing vigilance.

The plugin's strengths lie in its SQL query sanitization and its efforts to implement security checks. However, the unprotected entry point, high-severity taint flows, and historical vulnerability profile collectively indicate a medium to high-risk profile that requires immediate attention to address the identified weaknesses and prevent potential exploitation.

Key Concerns

  • Unprotected AJAX handler
  • High severity taint flows
  • Past CVEs (3 medium severity)
  • Low output escaping percentage
Vulnerabilities: 3

Insert PHP Code Snippet Security Vulnerabilities

CVEs by Year

  • 2024: 2 CVEs
  • 2025: 1 CVE

Severity Breakdown

  • Medium: 3

3 total CVEs

CVE-2025-64356 · medium · 4.3 · Missing Authorization
Insert PHP Code Snippet <= 1.4.3 - Missing Authorization
Oct 27, 2025 · Patched in 1.4.4 (9d)

CVE-2024-7420 · medium · 5.8 · Cross-Site Request Forgery (CSRF)
Insert PHP Code Snippet <= 1.3.6 - Cross-Site Request Forgery to Code Snippet Activate/Deactivate/Deletion
Aug 14, 2024 · Patched in 1.3.7 (2d)

CVE-2024-0658 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Insert PHP Code Snippet <= 1.3.4 - Authenticated (Admin+) Stored Cross-Site Scripting
Feb 9, 2024 · Patched in 1.3.5 (172d)
Code Analysis
Analyzed Mar 16, 2026

Insert PHP Code Snippet Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 11 (41 prepared)
  • Unescaped Output: 145 (96 escaped)
  • Nonce Checks: 13
  • Capability Checks: 4
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 0

SQL Query Safety

79% prepared · 52 total queries

Output Escaping

40% escaped · 241 total outputs

Data Flows: 2 unsanitized

Data Flow Analysis

11 flows · 2 with unsanitized paths
<header> (admin\header.php:0)
Attack Surface: 1 unprotected

Insert PHP Code Snippet Attack Surface

Entry Points: 4
Unprotected: 1

AJAX Handlers (3)

  • auth · wp_ajax_ips_backlink · ajax-handler.php:5
  • auth · wp_ajax_xyz_ips_execute_shortcode · ajax-handler.php:6
  • auth · wp_ajax_xyz_ips_sync_usage · ajax-handler.php:81

Shortcodes (1)

  • [xyz-ips] · shortcode-handler.php:5

WordPress Hooks (22)

  • action · admin_init · add_shortcode_tynimce.php:5
  • filter · mce_buttons · add_shortcode_tynimce.php:12
  • filter · mce_external_plugins · add_shortcode_tynimce.php:13
  • action · admin_notices · admin\admin-notices.php:74
  • action · admin_menu · admin\menu.php:12
  • action · admin_enqueue_scripts · admin\menu.php:89
  • filter · query_vars · direct_call.php:9
  • action · parse_request · direct_call.php:20
  • action · wp_footer · insert-php-code-snippet.php:62
  • action · admin_init · insert-php-code-snippet.php:69
  • action · admin_enqueue_scripts · insert-php-code-snippet.php:93
  • action · admin_footer · insert-php-code-snippet.php:97
  • action · save_post · insert-php-code-snippet.php:117
  • action · before_delete_post · insert-php-code-snippet.php:132
  • action · admin_head · shortcode-handler.php:20
  • action · admin_footer · shortcode-handler.php:28
  • action · wp_head · shortcode-handler.php:39
  • action · wp_footer · shortcode-handler.php:50
  • filter · widget_text · shortcode-handler.php:291
  • action · widgets_init · widget.php:149
  • filter · plugin_row_meta · xyz-functions.php:110
  • filter · the_content · xyz-functions.php:162
Maintenance & Trust

Insert PHP Code Snippet Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Oct 23, 2025
PHP min version
Downloads: 1.5M

Community Trust

Rating: 98/100
Number of ratings: 697
Active installs: 100K
Developer Profile

Insert PHP Code Snippet Developer Profile

f1logic

15 plugins · 142K total installs

Trust score: 73
Avg Security Score: 92/100
Avg Patch Time: 352 days
Detection Fingerprints

How We Detect Insert PHP Code Snippet

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/insert-php-code-snippet/admin/css/admin-style.css
  • /wp-content/plugins/insert-php-code-snippet/admin/js/admin-script.js
  • /wp-content/plugins/insert-php-code-snippet/assets/css/codemirror.css
  • /wp-content/plugins/insert-php-code-snippet/assets/js/codemirror.js
  • /wp-content/plugins/insert-php-code-snippet/assets/js/codemirror-modes.js
  • /wp-content/plugins/insert-php-code-snippet/assets/js/modal.js

Script Paths

  • /wp-content/plugins/insert-php-code-snippet/admin/js/admin-script.js
  • /wp-content/plugins/insert-php-code-snippet/assets/js/codemirror.js
  • /wp-content/plugins/insert-php-code-snippet/assets/js/codemirror-modes.js
  • /wp-content/plugins/insert-php-code-snippet/assets/js/modal.js

Version Parameters

  • insert-php-code-snippet/admin/css/admin-style.css?ver=
  • insert-php-code-snippet/admin/js/admin-script.js?ver=
  • insert-php-code-snippet/assets/css/codemirror.css?ver=
  • insert-php-code-snippet/assets/js/codemirror.js?ver=
  • insert-php-code-snippet/assets/js/codemirror-modes.js?ver=
  • insert-php-code-snippet/assets/js/modal.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • xyz-ips-modal-overlay
  • xyz-ips-modal-box
  • xyz-ips-modal-buttons
  • xyz-ips-proceed-deactivate
  • xyz-ips-cancel-deactivate
  • xyz-ips-deactivate-link

Data Attributes

  • data-xyz-ips-modal-open

JS Globals

  • xyz_ips_modal
  • xyz_ips_deactivate_modal

Shortcode Output
<div style="width:100%;text-align:center; font-size:11px; clear:both"><a target="_blank" title="Insert PHP Snippet Wordpress Plugin" href="http://xyzscripts.com/wordpress-plugins/insert-php-code-snippet/">PHP Code Snippets</a> Powered By : <a target="_blank" title="PHP Scripts & Wordpress Plugins" href="http://www.xyzscripts.com" >XYZScripts.com</a></div>