Jock On Air Now (JOAN) Security & Risk Analysis

wordpress.org/plugins/joan

The ultimate radio station scheduling plugin. Manage DJs, display current shows, and engage your audience with real-time on-air information.

500 active installs · v6.1.2 · PHP 7.0+ · WP 5.0+ · Updated Oct 29, 2025
Tags: broadcast, host, jock, radio, schedule
Score: 95 (A · Safe)
CVEs total: 4
Unpatched: 0
Last CVE: Oct 2, 2025
Safety Verdict

Is Jock On Air Now (JOAN) Safe to Use in 2026?

Generally Safe

Score 95/100

Jock On Air Now (JOAN) has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Oct 2, 2025 · Updated 5mo ago
Risk Assessment

The "joan" plugin v6.1.2 presents a mixed security posture. While it demonstrates some good practices, such as a relatively low number of external HTTP requests and file operations, significant concerns arise from its attack surface and historical vulnerability patterns.

The static analysis reveals a substantial attack surface with 21 entry points, of which 8 lack authentication checks. This is a critical weakness, as it leaves these entry points open to unauthorized access and potential exploitation. Furthermore, 59% of SQL queries use prepared statements, which is a positive, but the remaining 41% do not, potentially exposing the database to SQL injection vulnerabilities. Similarly, only 63% of output is properly escaped, indicating a risk of Cross-Site Scripting (XSS) vulnerabilities.

The vulnerability history is particularly concerning, with a total of 4 known CVEs, including one high-severity vulnerability. The common vulnerability types (Missing Authorization, CSRF, XSS) align with the weaknesses identified in the static analysis, suggesting recurring issues. The fact that the last vulnerability was in October 2025 and there are no currently unpatched vulnerabilities is a positive sign, but the past record indicates a need for continuous vigilance and robust security practices. Overall, while the plugin has some strengths, the significant number of unprotected entry points and the historical vulnerability profile warrant caution.

Key Concerns

  • Unprotected AJAX handlers
  • SQL queries not using prepared statements
  • Improper output escaping
  • High historical vulnerability count
  • High severity historical vulnerability
Vulnerabilities
4

Jock On Air Now (JOAN) Security Vulnerabilities

CVEs by Year

  • 2021: 3 CVEs
  • 2025: 1 CVE

Severity Breakdown

  • High: 1
  • Medium: 3

4 total CVEs

CVE-2025-58986 · medium · 4.3 · Missing Authorization

Jock On Air Now (JOAN) <= 6.0.4 - Missing Authorization

Oct 2, 2025 Patched in 6.0.5 (28d)
WF-898ba68f-2b0c-462a-87ee-272ee624396e-joan · medium · 6.5 · Cross-Site Request Forgery (CSRF)

Jock on air now <= 5.6.1 - Cross-Site Request Forgery to Settings Update

Aug 18, 2021 Patched in 5.6.2 (888d)
WF-9cf12dc1-7b66-4c6e-8c3e-5915e1032303-joan · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Jock on air now <= 5.6.2 - Unauthenticated Stored Cross-Site Scripting

Aug 18, 2021 Patched in 5.6.3 (888d)
WF-a401db3e-2cf2-4283-bfbe-d4a9587966e1-joan · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Jock on air now <= 5.6.1 - Reflected Cross-Site Scripting

Aug 18, 2021 Patched in 5.6.2 (888d)
Code Analysis
Analyzed Mar 16, 2026

Jock On Air Now (JOAN) Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 9 (13 prepared)
  • Unescaped Output: 73 (126 escaped)
  • Nonce Checks: 16
  • Capability Checks: 19
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 0

SQL Query Safety

59% prepared · 22 total queries

Output Escaping

63% escaped · 199 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

5 flows · 1 with unsanitized paths
joan_render_ads_tab (includes\admin-menu.php:671)
Attack Surface
8 unprotected

Jock On Air Now (JOAN) Attack Surface

Entry Points: 21
Unprotected: 8

AJAX Handlers 15

auth · wp_ajax_joan_dismiss_premium_ad · includes\admin-menu.php:893
auth · wp_ajax_joan_schedule_read · includes\admin-menu.php:903
auth · wp_ajax_joan_schedule_create · includes\admin-menu.php:937
auth · wp_ajax_joan_schedule_update · includes\admin-menu.php:972
auth · wp_ajax_joan_schedule_delete · includes\admin-menu.php:1007
auth · wp_ajax_joan_schedule_save_all · includes\admin-menu.php:1027
auth · wp_ajax_joan_dismiss_integration_notice · includes\compatibility-check.php:22
auth · wp_ajax_show_time_curd · includes\crud.php:10
nopriv · wp_ajax_show_time_curd · includes\crud.php:11
auth · wp_ajax_joan_track_ad_click · includes\crud.php:462
auth · wp_ajax_joan_toggle_schedule_status · includes\crud.php:485
auth · wp_ajax_joan_switch_language · includes\language-switcher.php:22
nopriv · wp_ajax_joan_switch_language · includes\language-switcher.php:23
auth · wp_ajax_joan_widget_refresh · joan.php:474
nopriv · wp_ajax_joan_widget_refresh · joan.php:475

Shortcodes 6

[joan_wpbakery_widget] includes\js-composer-widget.php:73
[joan_language_switcher] includes\language-switcher.php:24
[joan-now] includes\shortcodes.php:10
[joan-schedule] includes\shortcodes.php:42
[schedule-today] includes\shortcodes.php:168
[joan-upcoming] includes\shortcodes.php:283
WordPress Hooks 45

action · admin_menu · includes\admin-menu.php:11
action · admin_enqueue_scripts · includes\admin-menu.php:39
action · wp_head · includes\admin-menu.php:878
action · elementor/init · includes\compatibility-check.php:13
action · vc_before_init · includes\compatibility-check.php:16
action · admin_notices · includes\compatibility-check.php:19
action · admin_notices · includes\crud.php:516
action · admin_bar_menu · includes\crud.php:538
filter · joan_widget_classes · includes\crud.php:562
action · wp_enqueue_scripts · includes\crud.php:573
filter · body_class · includes\crud.php:578
action · admin_enqueue_scripts · includes\crud.php:586
filter · admin_body_class · includes\crud.php:591
action · elementor/widgets/register · includes\elementor-widget.php:34
action · elementor/widgets/widgets_registered · includes\elementor-widget.php:38
action · admin_init · includes\import-legacy.php:4
action · vc_before_init · includes\js-composer-widget.php:70
action · init · includes\js-composer-widget.php:71
action · vc_frontend_editor_enqueue_js_css · includes\js-composer-widget.php:112
action · init · includes\js-composer-widget.php:118
action · wp_enqueue_scripts · includes\language-switcher.php:20
action · admin_enqueue_scripts · includes\language-switcher.php:21
action · admin_notices · includes\language-switcher.php:25
filter · gettext · includes\translation-overrides.php:20
filter · gettext_with_context · includes\translation-overrides.php:21
filter · date_i18n · includes\translation-overrides.php:84
filter · widget_text · includes\translation-overrides.php:130
filter · widget_title · includes\translation-overrides.php:131
action · init · includes\translation-overrides.php:185
action · admin_menu · includes\translations.php:17
action · admin_init · includes\translations.php:20
action · plugins_loaded · includes\translations.php:25
action · admin_notices · includes\translations.php:193
action · admin_notices · includes\translations.php:207
action · widgets_init · includes\widget.php:11
filter · locale · joan.php:25
filter · determine_locale · joan.php:26
action · plugins_loaded · joan.php:58
action · plugins_loaded · joan.php:63
action · init · joan.php:211
action · admin_notices · joan.php:237
action · admin_init · joan.php:247
action · admin_enqueue_scripts · joan.php:340
action · wp_enqueue_scripts · joan.php:428
action · admin_init · joan.php:494
Maintenance & Trust

Jock On Air Now (JOAN) Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Oct 29, 2025
PHP min version: 7.0
Downloads: 54K

Community Trust

Rating: 76/100
Number of ratings: 9
Active installs: 500
Developer Profile

Jock On Air Now (JOAN) Developer Profile

ganddser

3 plugins · 540 total installs

Trust score: 71
Avg Security Score: 88/100
Avg Patch Time: 673 days
Detection Fingerprints

How We Detect Jock On Air Now (JOAN)

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/joan/assets/css/joan-styles.css
/wp-content/plugins/joan/assets/js/joan-scripts.js
Script Paths
/wp-content/plugins/joan/assets/js/joan-scripts.js
Version Parameters
joan/assets/css/joan-styles.css?ver=
joan/assets/js/joan-scripts.js?ver=

HTML / DOM Fingerprints

CSS Classes
joan-schedule-wrap
Data Attributes
data-joan-language
JS Globals
JOAN_SCRIPT_PARAMS
Shortcode Output
[joan-schedule
[joan-elementor-widget
FAQ

Frequently Asked Questions about Jock On Air Now (JOAN)