Just Post Preview Widget Security & Risk Analysis

wordpress.org/plugins/just-post-preview

Widget to easily add any post content preview blocks with different layouts, specified in the theme.

10 active installs · v1.1.1 · PHP + · WP 4.0+ · Updated Unknown
developer · layouts · post-preview · widget
76
B · Generally Safe
CVEs total: 1
Unpatched: 1
Last CVE: Apr 4, 2025
Safety Verdict

Is Just Post Preview Widget Safe to Use in 2026?

Mostly Safe

Score 76/100

Just Post Preview Widget is generally safe to use. 1 past CVE was resolved. Keep it updated.

1 known CVE · 1 unpatched · Last CVE: Apr 4, 2025
Risk Assessment

The 'just-post-preview' plugin exhibits a concerning security posture, despite some positive code signals. Static analysis found no dangerous functions, and both SQL queries use prepared statements, so there is no direct evidence of SQL injection. However, the plugin's single entry point, an AJAX handler, is unprotected: it performs no nonce check and no capability check. This missing protection on an entry point is a major weakness. Output escaping is also extremely poor: only 12% of outputs are properly escaped, which leaves the plugin highly susceptible to Cross-Site Scripting (XSS) attacks. The vulnerability history is alarming as well: a high-severity Remote File Inclusion (RFI) vulnerability was discovered and remains unpatched, indicating a significant ongoing risk. That vulnerability suggests a pattern of insecure coding practices around file handling and input validation, which is consistent with the lack of proper output escaping and the unprotected AJAX handler.

Key Concerns

  • Unpatched high severity CVE
  • Unprotected AJAX handler
  • Low percentage of properly escaped output
  • Missing nonce checks on AJAX
  • Missing capability checks on AJAX
Vulnerabilities
1

Just Post Preview Widget Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched

Severity Breakdown

High: 1

1 total CVE

CVE-2025-32156 · high · 8.8 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Just Post Preview Widget <= 1.1.1 - Authenticated (Contributor+) Local File Inclusion

Apr 4, 2025 · Unpatched
Code Analysis
Analyzed Mar 16, 2026

Just Post Preview Widget Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (2 prepared)
Unescaped Output: 43 (6 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared · 2 total queries

Output Escaping

12% escaped · 49 total outputs
Attack Surface
1 unprotected

Just Post Preview Widget Attack Surface

Entry Points: 1
Unprotected: 1

AJAX Handlers: 1

auth · wp_ajax_jpp_widget_post_preview_autocomplete · just-post-preview.php:29

WordPress Hooks: 2

action · widgets_init · just-post-preview.php:31
action · admin_print_scripts · just-post-preview.php:36
Maintenance & Trust

Just Post Preview Widget Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.8.28
Last updated: Unknown
PHP min version
Downloads: 2K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 10
Developer Profile

Just Post Preview Widget Developer Profile

Alex Prokopenko / JustCoded

5 plugins · 3K total installs

Trust score: 79
Avg Security Score: 79/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Just Post Preview Widget

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/just-post-preview/assets/post_preview_widget.css
/wp-content/plugins/just-post-preview/assets/post_preview_widget.js
Script Paths
/wp-content/plugins/just-post-preview/assets/post_preview_widget.js
Version Parameters
just-post-preview/assets/post_preview_widget.css?ver=
just-post-preview/assets/post_preview_widget.js?ver=

HTML / DOM Fingerprints

CSS Classes
jpp_widget
jpp_post_preview
jpp_post_preview_{postid}
jpp_layout_{layout}
Data Attributes
data-jpp_post_preview
JS Globals
jpp_post_preview_widget_params
REST Endpoints
/wp-json/jpp/v1/posts