WP-Safety

JVM Rich Text Icons Security & Risk Analysis

wordpress.org/plugins/jvm-rich-text-icons

Insert icons anywhere in your content — inline in text, headings, buttons, or as a standalone block.

3K active installs v1.6.6 PHP + WP 5.4+ Updated Feb 23, 2026
font-awesomegutenbergiconicon-blocksvg
98
A · Safe
CVEs total2
Unpatched0
Last CVEDec 27, 2023
Download
Safety Verdict

Is JVM Rich Text Icons Safe to Use in 2026?

Generally Safe

Score 98/100

JVM Rich Text Icons has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

2 known CVEsLast CVE: Dec 27, 2023Updated 2mo ago
Risk Assessment

The jvm-rich-text-icons v1.6.6 plugin exhibits a mixed security posture. While it demonstrates good practices by utilizing prepared statements for a majority of its SQL queries, performing a reasonable number of capability checks, and having no critical or high severity taint flows, there are significant areas of concern. The presence of two AJAX handlers without authentication checks represents a notable attack vector that could be exploited by unauthenticated users. Furthermore, the plugin's history of high-severity vulnerabilities, specifically Path Traversal and Unrestricted File Upload, is a strong indicator of past code quality issues that require careful monitoring. Although there are currently no unpatched CVEs, the recurrence of these vulnerability types suggests a potential for future exploitable flaws if coding practices do not consistently prioritize secure development. The plugin's moderate output escaping percentage also warrants attention, as it could lead to cross-site scripting vulnerabilities if user-supplied data is not properly sanitized before display.

Key Concerns

  • AJAX handlers without authentication checks
  • Moderate output escaping percentage
  • History of high severity vulnerabilities (2 CVEs)
Vulnerabilities
2 published

JVM Rich Text Icons Security Vulnerabilities

CVEs by Year

2 CVEs in 2023
2023
Patched Has unpatched

Severity Breakdown

High
2

2 total CVEs

CVE-2023-51418high · 8.8Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

JVM rich text icons <= 1.2.6 - Directory Traversal to Authenticated(Subscriber+) Arbitrary File Deletion

Dec 27, 2023 Patched in 1.2.7 (27d)
CVE-2023-51417high · 8.8Unrestricted Upload of File with Dangerous Type

JVM rich text icons <= 1.2.3 - Authenticated(Subscriber+) Arbitrary File Upload

Dec 27, 2023 Patched in 1.2.4 (27d)
Version History

JVM Rich Text Icons Release Timeline

v1.6.6Current
v1.6.5
v1.6.4
v1.6.3
v1.6.2
Code Analysis
Analyzed Mar 16, 2026

JVM Rich Text Icons Code Analysis

Dangerous Functions
0
Raw SQL Queries
1
4 prepared
Unescaped Output
14
11 escaped
Nonce Checks
2
Capability Checks
5
File Operations
11
External Requests
0
Bundled Libraries
0

SQL Query Safety

80% prepared5 total queries

Output Escaping

44% escaped25 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

2 flows
ajax_upload_icon (src\settings.php:132)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
2 unprotected

JVM Rich Text Icons Attack Surface

Entry Points4
Unprotected2

AJAX Handlers 4

authwp_ajax_acf/fields/jvm-richtext-insert-icons/querysrc\acf_plugin_jvm_rich_text_icons.php:42
authwp_ajax_jvm_richtext_dismiss_reviewsrc\init.php:34
authwp_ajax_jvm-rich-text-icons-delete-iconsrc\settings.php:36
authwp_ajax_jvm-rich-text-icons-upload-iconsrc\settings.php:37
WordPress Hooks 18
actionacf/include_field_typessrc\acf_plugin_jvm_rich_text_icons.php:39
actionadmin_initsrc\acf_plugin_jvm_rich_text_icons.php:41
actionacf/input/admin_footersrc\acf_plugin_jvm_rich_text_icons.php:43
filterblock_editor_settings_allsrc\init.php:26
actioninitsrc\init.php:27
actionenqueue_block_assetssrc\init.php:28
actionadmin_enqueue_scriptssrc\init.php:29
filterplugin_action_linkssrc\init.php:30
filterplugin_row_metasrc\init.php:31
actiontemplate_redirectsrc\init.php:32
actionadmin_noticessrc\init.php:33
actionafter_setup_themesrc\settings.php:15
filterjvm_richtext_icons_process_uploaded_svgsrc\settings.php:16
actionadmin_menusrc\settings.php:29
actionadmin_initsrc\settings.php:30
actionadmin_initsrc\settings.php:31
actionadmin_enqueue_scriptssrc\settings.php:32
actionadmin_noticessrc\settings.php:41
Maintenance & Trust

JVM Rich Text Icons Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedFeb 23, 2026
PHP min version
Downloads42K

Community Trust

Rating100/100
Number of ratings10
Active installs3K
Alternatives

JVM Rich Text Icons Alternatives

Omni Icon – Modern SVG icon library for WordPress

Omni Icon – Modern SVG icon library for WordPress

omni-icon

A
100

A modern SVG icon library for WordPress with support for custom uploads and 200,000+ Iconify icons across block editor, page builders, and themes.

100 No CVEs
The Icon Block

The Icon Block

icon-block

A
100

Easily add SVG icons and graphics to the WordPress block editor.

30K No CVEs
Spectre Icons

Spectre Icons

spectre-icons

A
100

Curated SVG icon libraries for Elementor with fast manifests, inline rendering, and color controls.

100 No CVEs
RIACO Icon Block

RIACO Icon Block

riaco-icon-block

A
100

RIACO Icon Block add SVG icons as WordPress block with full control over icon selection and style.

50 No CVEs
SVG Heroicons Block

SVG Heroicons Block

svg-heroicons-block

A
85

A Gutenberg block for Heroicons, an open source set of SVG icons at https://heroicons.com. ⚠️ Note: This is not an offical plugin from Tailwind Labs &hellip;

50 No CVEs
Developer Profile

JVM Rich Text Icons Developer Profile

Joris van Montfort

5 plugins · 4K total installs

88
trust score
Avg Security Score
91/100
Avg Patch Time
27 days
View full developer profile
Detection Fingerprints

How We Detect JVM Rich Text Icons

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/jvm-rich-text-icons/dist/acf.js/wp-content/plugins/jvm-rich-text-icons/css/frontend.css/wp-content/plugins/jvm-rich-text-icons/css/editor.css
Script Paths
/wp-content/plugins/jvm-rich-text-icons/dist/acf.js
Version Parameters
jvm-rich-text-icons/css/frontend.css?ver=jvm-rich-text-icons/css/editor.css?ver=

HTML / DOM Fingerprints

CSS Classes
jvm-rich-text-iconjvm-rich-text-icons-select2
HTML Comments
<!-- WordPress core is in control of block settings. We override this by setting inline CSS. --><!-- Filter hook for inline SVG output --><!-- Review notice timing --><!-- Enable ACF fields -->
Data Attributes
data-acf-field-id
JS Globals
window.acf
REST Endpoints
/wp-json/acf/v1/fields/jvm_rich_text_icons
Shortcode Output
<i class="jvm-rich-text-icon<span class="jvm-rich-text-icons-select2">
FAQ

Frequently Asked Questions about JVM Rich Text Icons