KontrolWP – Kontrol WordPress Developer Kit Security & Risk Analysis

wordpress.org/plugins/kontrolwp

KontrolWP is an advanced WordPress plugin for developers. Easily create CMS sites using advanced custom fields, custom post types, SEO and more.

10 active installs · v2.0.7 · PHP + WP 3.5+ · Updated Dec 13, 2016
Tags: advanced-custom-fields, cms, custom-fields, custom-post-types, custom-taxonomies

Score: 85
Grade: A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is KontrolWP – Kontrol WordPress Developer Kit Safe to Use in 2026?

Generally Safe

Score 85/100

KontrolWP – Kontrol WordPress Developer Kit has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 9yr ago
Risk Assessment

The plugin 'kontrolwp' v2.0.7 presents a mixed security posture. It exposes no AJAX handlers, REST API routes, shortcodes, or cron events, and it has no known vulnerabilities (CVEs) or recorded common vulnerability types, but there are significant concerns within its code. The high number of dangerous function calls, specifically `unserialize`, is a critical red flag. Coupled with a very low percentage of properly escaped output and the unsanitized paths found in taint analysis, this indicates a substantial risk of arbitrary code execution or data manipulation if an attacker can control the serialized data or the input reaching these functions.

The taint analysis, while not reporting critical or high severity flows directly, shows that all analyzed flows had unsanitized paths. This, combined with the high count of `unserialize` calls and the extremely poor output escaping rate (2%), suggests a high likelihood of latent vulnerabilities. The plugin's lack of a vulnerability history might be attributed to its limited attack surface or simply a lack of past discoveries, rather than inherent security. However, the code analysis itself reveals practices that are highly prone to security weaknesses.

In conclusion, 'kontrolwp' v2.0.7 demonstrates strength in its limited external attack surface and clean vulnerability history. However, this is overshadowed by serious internal code quality issues, particularly the heavy reliance on `unserialize` without apparent proper sanitization or input validation, and a severe lack of output escaping. This makes the plugin a significant risk, as attackers could potentially exploit these internal weaknesses to compromise a WordPress site.

Key Concerns

  • High count of dangerous functions (unserialize)
  • Very low output escaping rate (2%)
  • All analyzed taint flows have unsanitized paths
  • Low percentage of prepared SQL statements (54%)
  • Low count of nonce checks (1)
  • Low count of capability checks (2)
Vulnerabilities
None known

KontrolWP – Kontrol WordPress Developer Kit Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

KontrolWP – Kontrol WordPress Developer Kit Release Timeline

No version history available.
Code Analysis
Analyzed Mar 17, 2026

KontrolWP – Kontrol WordPress Developer Kit Code Analysis

Dangerous Functions: 23
Raw SQL Queries: 17 (20 prepared)
Unescaped Output: 1445 (31 escaped)
Nonce Checks: 1
Capability Checks: 2
File Operations: 3
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

Function | Code | Location
unserialize | $group->options = unserialize($group->group_options); | app\modules\app\custom_fields\custom_fields.php:95
unserialize | $group->options = unserialize($group->options); | app\modules\app\custom_fields\custom_fields.php:405
unserialize | $field->validation = unserialize($field->validation); | app\modules\app\custom_fields\custom_fields.php:476
unserialize | $field->settings = unserialize($field->settings); | app\modules\app\custom_fields\custom_fields.php:477
unserialize | $options = unserialize($group->group_options); | app\modules\app\custom_fields\custom_fields_hooks.php:167
unserialize | $field->settings = unserialize($field->settings); | app\modules\app\custom_fields\custom_fields_hooks.php:276
unserialize | $field->validation = unserialize($field->validation); | app\modules\app\custom_fields\custom_fields_hooks.php:277
unserialize | $sub_field->settings = unserialize($sub_field->settings); | app\modules\app\custom_fields\views\fields\meta\repeatable.php:24
unserialize | $sub_field->validation = unserialize($sub_field->validation); | app\modules\app\custom_fields\views\fields\meta\repeatable.php:25
unserialize | $cpt->args = unserialize($cpt->arguments); | app\modules\app\custom_post_types\custom_post_types.php:77
unserialize | $cpt->columns = unserialize($cpt->columns); | app\modules\app\custom_post_types\custom_post_types.php:78
unserialize | $cpt->columns = unserialize($cpt->columns); | app\modules\app\custom_post_types\custom_post_types.php:100
unserialize | $cpt->args = unserialize($cpt->arguments); | app\modules\app\custom_post_types\custom_post_types.php:177
unserialize | $args = unserialize($cpt->arguments); | app\modules\app\custom_post_types\custom_post_types_hooks.php:89
unserialize | $cpt_columns = unserialize($cpt->columns); | app\modules\app\custom_post_types\custom_post_types_hooks.php:145
unserialize | $field->settings = unserialize($field->settings); | app\modules\app\custom_post_types\custom_post_types_hooks.php:330
unserialize | $options = unserialize($group->group_options); | app\modules\app\custom_settings\custom_settings.php:158
unserialize | $field->settings = unserialize($field->settings); | app\modules\app\custom_settings\views\cs-settings.php:41
unserialize | $field->validation = unserialize($field->validation); | app\modules\app\custom_settings\views\cs-settings.php:42
unserialize | $tax->args = unserialize($tax->arguments); | app\modules\app\taxonomies\taxonomies.php:77
unserialize | $tax->args = unserialize($tax->arguments); | app\modules\app\taxonomies\taxonomies.php:96
unserialize | $tax->args = unserialize($tax->arguments); | app\modules\app\taxonomies\taxonomies.php:172
unserialize | $args = unserialize($tax->arguments); | app\modules\app\taxonomies\taxonomies_hooks.php:70

SQL Query Safety

54% prepared · 37 total queries

Output Escaping

2% escaped · 1476 total outputs
Data Flows · Security
6 unsanitized

Data Flow Analysis

6 flows, 6 with unsanitized paths
duplicatePostAction (app\controllers\clone_post.php:67)
Attack Surface

KontrolWP – Kontrol WordPress Developer Kit Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 20

Type | Hook | Location
action | admin_print_styles | app\classes\Admin.class.php:44
action | admin_print_scripts | app\classes\Admin.class.php:46
filter | post_row_actions | app\controllers\clone_post.php:13
filter | page_row_actions | app\controllers\clone_post.php:14
action | post_submitbox_misc_actions | app\controllers\clone_post.php:15
action | admin_bar_menu | app\controllers\clone_post.php:16
action | admin_action_kwpclone | app\controllers\clone_post.php:18
action | admin_action_kwpclonepublish | app\controllers\clone_post.php:19
action | wp_dashboard_setup | app\controllers\kwp_dashboard.php:13
action | widgets_init | app\controllers\widget.php:12
action | admin_print_styles | app\modules\app\custom_fields\custom_fields_hooks.php:46
action | admin_print_scripts | app\modules\app\custom_fields\custom_fields_hooks.php:48
action | add_meta_boxes | app\modules\app\custom_fields\custom_fields_hooks.php:50
action | save_post | app\modules\app\custom_fields\custom_fields_hooks.php:52
action | admin_menu | app\modules\app\custom_fields\custom_fields_hooks.php:58
action | init | app\modules\app\custom_post_types\custom_post_types_hooks.php:39
action | admin_print_styles | app\modules\app\custom_post_types\custom_post_types_hooks.php:43
action | init | app\modules\app\taxonomies\taxonomies_hooks.php:33
action | plugins_loaded | index.php:44
action | admin_menu | index.php:73
Maintenance & Trust

KontrolWP – Kontrol WordPress Developer Kit Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.7.33
Last updated: Dec 13, 2016
PHP min version: (not listed)
Downloads: 2K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 10
Developer Profile

KontrolWP – Kontrol WordPress Developer Kit Developer Profile

Techunits Research & Development Solutions

1 plugin · 10 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect KontrolWP – Kontrol WordPress Developer Kit

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/kontrolwp/css/admin.css
  • /wp-content/plugins/kontrolwp/css/datepicker.css
  • /wp-content/plugins/kontrolwp/css/moorainbow/mooRainbow.css
  • /wp-content/plugins/kontrolwp/js/core/mootools-core-1.4.5.js
  • /wp-content/plugins/kontrolwp/js/core/mootools-more-1.4.0.1-nc.js
  • /wp-content/plugins/kontrolwp/js/i18n.js
  • /wp-content/plugins/kontrolwp/js/fancyupload/source
Script Paths
https://cdnjs.cloudflare.com/ajax/libs/gsap/latest/TweenMax.min.js

HTML / DOM Fingerprints

Data Attributes
data-kontrolwp
JS Globals
kontrol_i18n_js
FAQ

Frequently Asked Questions about KontrolWP – Kontrol WordPress Developer Kit