LuckyWP Scripts Control Security & Risk Analysis

wordpress.org/plugins/luckywp-scripts-control

A great way to insert and manage custom code (CSS, JS, meta tags, etc.) into a website before </head>, after <body> or before </body>.

4K active installs · v1.2.5 · PHP 5.6.20+ · WP 4.7+ · Updated Jun 9, 2025
Tags: css, custom-code, insert, js, script
Score: 99 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Nov 14, 2023
Safety Verdict

Is LuckyWP Scripts Control Safe to Use in 2026?

Generally Safe

Score 99/100

LuckyWP Scripts Control has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

2 known CVEs · Last CVE: Nov 14, 2023 · Updated 11mo ago
Risk Assessment

The luckywp-scripts-control plugin v1.2.5 presents a significant security risk due to a large attack surface: 10 AJAX handlers, all of which lack proper authorization checks. While the code shows good practice in handling SQL queries with prepared statements and has no critical or high severity vulnerabilities in its history, the absence of authorization checks on numerous entry points is a major concern. The 14% rate of properly escaped output is also concerning, suggesting potential for cross-site scripting (XSS) vulnerabilities, although the taint analysis did not flag any critical or high severity flows. The plugin's vulnerability history shows past issues with Missing Authorization and CSRF, further reinforcing the need for robust authorization, nonce and input validation checks on its AJAX endpoints. Overall, the plugin has some strengths, such as secure SQL handling, but the unprotected AJAX endpoints and past vulnerability types create a weak security posture that requires immediate attention.

Key Concerns

  • AJAX handlers without authorization checks
  • Low percentage of properly escaped output
  • Known medium severity vulnerabilities
  • Missing nonce checks on AJAX handlers
Vulnerabilities
2 published

LuckyWP Scripts Control Security Vulnerabilities

CVEs by Year

2023: 2 CVEs (patched)

Severity Breakdown

Medium: 2 (2 total CVEs)

CVE-2023-47778 · medium · 4.3 · Missing Authorization

LuckyWP Scripts Control <= 1.2.1 - Missing Authorization

Nov 14, 2023 · Patched in 1.2.2 (340d)

CVE-2023-29239 · medium · 5.4 · Cross-Site Request Forgery (CSRF)

LuckyWP Scripts Control <= 1.2.1 - Cross-Site Request Forgery

Aug 28, 2023 · Patched in 1.2.2 (418d)
Version History

LuckyWP Scripts Control Release Timeline

Code Analysis
Analyzed Mar 16, 2026

LuckyWP Scripts Control Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 74 (12 escaped)
Nonce Checks: 1
Capability Checks: 3
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

14% escaped · 86 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

2 flows · 2 with unsanitized paths
showTabs (core\wp\Settings.php:392)
Attack Surface
10 unprotected

LuckyWP Scripts Control Attack Surface

Entry Points: 10
Unprotected: 10

AJAX Handlers (10)

  • wp_ajax_lwpsc_add_item (auth) · admin\controllers\ItemController.php:28
  • wp_ajax_lwpsc_edit_item (auth) · admin\controllers\ItemController.php:29
  • wp_ajax_lwpsc_disable_item (auth) · admin\controllers\ItemController.php:30
  • wp_ajax_lwpsc_enable_item (auth) · admin\controllers\ItemController.php:31
  • wp_ajax_lwpsc_delete_item (auth) · admin\controllers\ItemController.php:32
  • wp_ajax_lwpsc_sort (auth) · admin\controllers\ItemController.php:33
  • wp_ajax_lwpsc_rate (auth) · admin\controllers\RateController.php:18
  • wp_ajax_lwpsc_show_later (auth) · admin\controllers\RateController.php:19
  • wp_ajax_lwpsc_already_rate (auth) · admin\controllers\RateController.php:20
  • wp_ajax_lwpsc_welcome_hide (auth) · modules\welcome\controllers\MainController.php:13
WordPress Hooks (17)

  • action · admin_menu · admin\Admin.php:25
  • action · admin_enqueue_scripts · admin\Admin.php:26
  • action · plugins_loaded · admin\controllers\ItemController.php:22
  • action · init · admin\controllers\RateController.php:13
  • action · admin_notices · admin\controllers\RateController.php:15
  • filter · install_plugins_nonmenu_tabs · admin\controllers\ScriptsController.php:33
  • filter · install_plugins_table_api_args_luckywp · admin\controllers\ScriptsController.php:37
  • action · wp_loaded · core\admin\AdminController.php:21
  • action · after_setup_theme · core\base\BasePlugin.php:62
  • action · admin_init · core\wp\Settings.php:90
  • action · init · front\Front.php:14
  • action · wp_head · front\Front.php:18
  • action · wp_body_open · front\Front.php:26
  • action · template_include · front\Front.php:30
  • action · wp_footer · front\Front.php:40
  • action · admin_init · modules\welcome\Welcome.php:15
  • action · admin_notices · modules\welcome\Welcome.php:17
Maintenance & Trust

LuckyWP Scripts Control Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Jun 9, 2025
PHP min version: 5.6.20
Downloads: 35K

Community Trust

Rating: 96/100
Number of ratings: 39
Active installs: 4K
Developer Profile

LuckyWP Scripts Control Developer Profile

LuckyWP

5 plugins · 119K total installs

Trust score: 74
Avg Security Score: 93/100
Avg Patch Time: 174 days
Detection Fingerprints

How We Detect LuckyWP Scripts Control

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/luckywp-scripts-control/admin/assets/main.min.css
/wp-content/plugins/luckywp-scripts-control/admin/assets/main.min.js
Version Parameters
luckywp-scripts-control/admin/assets/main.min.css?ver=
luckywp-scripts-control/admin/assets/main.min.js?ver=

HTML / DOM Fingerprints

JS Globals
lwpscMain
FAQ

Frequently Asked Questions about LuckyWP Scripts Control