JC Submenu Security & Risk Analysis

wordpress.org/plugins/jc-submenu

JC Submenu plugin allows you to automatically populate your navigation menus with custom post_types, taxonomies, or child pages.

4K active installs · v0.9.1 · PHP + WP 3.0.1+ · Updated Aug 17, 2020
Tags: custom-post-type, dynamic, menu, submenu, taxonomy
85
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is JC Submenu Safe to Use in 2026?

Generally Safe

Score 85/100

JC Submenu has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 5yr ago
Risk Assessment

The "jc-submenu" v0.9.1 plugin exhibits a mixed security posture. On the positive side, it demonstrates good practices regarding database interactions, using prepared statements for all SQL queries and avoiding dangerous functions or external HTTP requests. The absence of any recorded vulnerabilities in its history is also a positive indicator of past security focus. However, significant concerns arise from the static analysis. The presence of an unprotected AJAX handler represents a direct entry point that could be exploited without authentication. Furthermore, the taint analysis reveals flows with unsanitized paths, which, while not classified as critical or high severity in this analysis, still represent a potential risk if they were to be exploited with malicious input. The low percentage of properly escaped output (25%) is a notable weakness, indicating a high likelihood of cross-site scripting (XSS) vulnerabilities.

While the plugin has no known CVEs, the identified unprotected AJAX handler and the findings from taint analysis, coupled with the low output escaping rate, suggest that the plugin is not as secure as its vulnerability history might imply. The critical weakness here is the unprotected AJAX handler, which is a significant security oversight. The low output escaping percentage also points to a substantial risk of XSS. Therefore, despite its clean vulnerability history, "jc-submenu" v0.9.1 requires immediate attention to address these specific security flaws to improve its overall security posture.

Key Concerns

  • AJAX handler without authentication check
  • Low output escaping percentage
  • Taint flows with unsanitized paths
  • No nonce checks
Vulnerabilities
None known

JC Submenu Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

JC Submenu Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (2 prepared)
Unescaped Output: 191 (63 escaped)
Nonce Checks: 0
Capability Checks: 1
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared · 2 total queries

Output Escaping

25% escaped · 254 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

2 flows · 2 with unsanitized paths
start_el (walkers\AdminMenuWalker.php:30)
Attack Surface
1 unprotected

JC Submenu Attack Surface

Entry Points: 3
Unprotected: 1

AJAX Handlers 1

auth wp_ajax_jcs_get_menu_item SubmenuAdmin.php:48

Shortcodes 2

[jcs_split_menu] submenu.php:45
[jcs_menu_section] submenu.php:46
WordPress Hooks 15
action jcs/menu_section submenu.php:41
action jcs/split_menu submenu.php:42
action init submenu.php:49
filter wp_nav_menu_objects submenu.php:61
filter wp_nav_menu_args submenu.php:63
action admin_enqueue_scripts SubmenuAdmin.php:27
action wp_update_nav_menu_item SubmenuAdmin.php:30
action admin_notices SubmenuAdmin.php:32
action admin_init SubmenuAdmin.php:33
action admin_init SubmenuAdmin.php:36
action admin_menu SubmenuAdmin.php:39
filter wp_edit_nav_menu_walker SubmenuAdmin.php:46
filter jcs/split_widget_title walkers\SubmenuWalker.php:281
action widgets_init widgets\SectionMenuWidget.php:219
action widgets_init widgets\SplitMenuWidget.php:192
Maintenance & Trust

JC Submenu Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.3.21
Last updated: Aug 17, 2020
PHP min version
Downloads: 60K

Community Trust

Rating: 92/100
Number of ratings: 49
Active installs: 4K
Developer Profile

JC Submenu Developer Profile

jcollings

2 plugins · 9K total installs

Trust score: 71
Avg Security Score: 88/100
Avg Patch Time: 137 days
Detection Fingerprints

How We Detect JC Submenu

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/jc-submenu/css/main.css
/wp-content/plugins/jc-submenu/js/main.js
Script Paths
/wp-content/plugins/jc-submenu/js/main.js
Version Parameters
jc-submenu/css/main.css?ver=
jc-submenu/js/main.js?ver=

HTML / DOM Fingerprints

CSS Classes
jc-submenu-split-menu-wrapper
jc-submenu-menu-section-wrapper
Data Attributes
data-jc-submenu-depth
data-jc-submenu-show-parent
JS Globals
JCSubmenu
Shortcode Output
[jcs_split_menu
[jcs_menu_section
FAQ

Frequently Asked Questions about JC Submenu