Matcha Extra Security & Risk Analysis

wordpress.org/plugins/matcha-extra

Used for adding extra features to WP Matcha Themes.

0 active installs · v1.0.3 · PHP 7.4+ · WP 5.0+ · Updated Jan 9, 2026
companion · custom-post-types · shortcodes · theme · widgets
100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Matcha Extra Safe to Use in 2026?

Generally Safe

Score 100/100

Matcha Extra has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 2mo ago
Risk Assessment

The "matcha-extra" v1.0.3 plugin exhibits a generally good security posture with some notable exceptions. The plugin demonstrates strong adherence to secure coding practices by utilizing prepared statements for the vast majority of its SQL queries and properly escaping most of its output. The absence of file operations and external HTTP requests further reduces potential attack vectors. Furthermore, the plugin has no recorded vulnerability history, suggesting a history of responsible development and maintenance.

However, a significant concern arises from the presence of an unprotected AJAX handler. This creates a direct entry point for unauthenticated attackers to potentially interact with the plugin's functionality, which could lead to various security issues if not handled with extreme care. While the plugin has a nonce check, it's only present for one of the entry points, leaving the other susceptible. The lack of capability checks on any entry points further exacerbates this risk.

In conclusion, while "matcha-extra" v1.0.3 shows strengths in data handling and output sanitization, the unprotected AJAX handler represents a critical weakness. Addressing this vulnerability is paramount to improving the plugin's overall security. The plugin's clean vulnerability history is a positive indicator, but it does not negate the risks posed by actively exploitable code flaws.

Key Concerns

  • Unprotected AJAX handler
  • No capability checks on entry points
  • Only 1 nonce check for 2 AJAX handlers
Vulnerabilities
None known

Matcha Extra Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

Matcha Extra Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (8 prepared)
Unescaped Output: 10 (65 escaped)
Nonce Checks: 1
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

89% prepared · 9 total queries

Output Escaping

87% escaped · 75 total outputs
Attack Surface
1 unprotected

Matcha Extra Attack Surface

Entry Points: 3
Unprotected: 1

AJAX Handlers 2

auth wp_ajax_matcha_toggle_wishlist inc\pawfect\wishlist-functions.php:208
nopriv wp_ajax_matcha_toggle_wishlist inc\pawfect\wishlist-functions.php:209

Shortcodes 1

[pawfect_wishlist] inc\pawfect\wishlist-shortcode.php:25
WordPress Hooks 9
action after_switch_theme inc\pawfect\customizer\matcha-extra-customizer-default.php:135
action matcha_extra_activated inc\pawfect\customizer\matcha-extra-customizer-default.php:138
action customize_register inc\pawfect\customizer\matcha-extra-customizer-options.php:121
action matcha_extra_frontpage inc\pawfect\pawfect.php:54
action wp_enqueue_scripts inc\pawfect\pawfect.php:61
action init inc\pawfect\pawfect.php:66
action admin_notices inc\pawfect\pawfect.php:100
action init inc\pawfect\wishlist-functions.php:42
action init matcha-extra.php:51
Maintenance & Trust

Matcha Extra Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 9, 2026
PHP min version: 7.4
Downloads: 205

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 0
Developer Profile

Matcha Extra Developer Profile

wpmatcha

2 plugins · 0 total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Matcha Extra

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/matcha-extra/inc/pawfect/customizer/js/customizer.js
/wp-content/plugins/matcha-extra/inc/pawfect/customizer/css/customizer.css
Script Paths
/wp-content/plugins/matcha-extra/inc/pawfect/customizer/js/customizer.js
Version Parameters
matcha-extra/inc/pawfect/customizer/js/customizer.js?ver=
matcha-extra/inc/pawfect/customizer/css/customizer.css?ver=

HTML / DOM Fingerprints

CSS Classes
repeater-wrapper, repeater-items, repeater-item, repeater-item-header, repeater-item-title, repeater-item-toggle, repeater-item-remove, repeater-item-content, +6 more
Data Attributes
data-field
JS Globals
Matcha_Extra_Repeater_Control
FAQ

Frequently Asked Questions about Matcha Extra