Multisite Widgets Security & Risk Analysis

wordpress.org/plugins/mu-widgets

Extends the standard WordPress widgets to be able to run on another blog on the site.

10 active installs · v1.2.48f · PHP + · WP 3.0.0+ · Updated Jun 4, 2012
Tags: blogs, mu, multisite, sites, widget
Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Multisite Widgets Safe to Use in 2026?

Generally Safe

Score 85/100

Multisite Widgets has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 13yr ago
Risk Assessment

The "mu-widgets" plugin, version 1.2.48f, exhibits a mixed security posture. On the positive side, it has no recorded vulnerabilities (CVEs), and all detected SQL queries use prepared statements, which is a significant strength. The static analysis also found no critical or high severity taint flows, indicating that potentially malicious data is not being processed in a high-risk manner with respect to paths. The plugin also does not expose a large attack surface through typical WordPress entry points such as AJAX handlers, REST API routes, or shortcodes, and there are no scheduled cron events.

However, there are several concerning signals. The absence of nonce checks and capability checks across its code is a major security gap. Any function that could potentially be invoked, even if not directly exposed as an entry point, lacks crucial authentication and authorization controls, making it susceptible to CSRF attacks or unauthorized actions if discovered. Furthermore, 100% of the 12 output operations are not properly escaped, which presents a clear risk of Cross-Site Scripting (XSS) vulnerabilities that would allow attackers to inject malicious scripts into the site's output. The use of dangerous functions like `unserialize` also raises concerns, as unserializing untrusted data can lead to object injection vulnerabilities. The presence of file operations and an external HTTP request, without any explicit security checks, also warrants further investigation.

Key Concerns

  • No nonce checks detected
  • No capability checks detected
  • 100% of outputs are unescaped
  • Dangerous function: unserialize
  • Dangerous function: set_time_limit
  • File operations present without context
  • External HTTP request present without context
  • Bundled library TinyMCE
Vulnerabilities
None known

Multisite Widgets Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Multisite Widgets Release Timeline

v1.2.48f (Current)
v1.2.47
v1.2.46
v1.2.45
v1.2.44
v1.2.43
v1.2.40
Code Analysis
Analyzed Apr 16, 2026

Multisite Widgets Code Analysis

Dangerous Functions: 4
Raw SQL Queries: 0 (1 prepared)
Unescaped Output: 12 (0 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 6
External Requests: 1
Bundled Libraries: 1

Dangerous Functions Found

  • set_time_limit: `set_time_limit ( 500 );` (library/base/data/table.php:419)
  • unserialize: `$new_key = unserialize ( $key );` (library/base/data/xml.php:165)
  • unserialize: `$data [$new_key] = unserialize ( $data [$new_key] );` (library/wordpress/data/legacy.php:122)
  • unserialize: `$data = unserialize($value[0]);` (library/wordpress/data/meta.php:133)

Bundled Libraries

TinyMCE

SQL Query Safety

100% prepared · 1 total queries

Output Escaping

0% escaped · 12 total outputs
Data Flows · Security
3 unsanitized

Data Flow Analysis

3 flows · 3 with unsanitized paths
basic_auth (library/wordpress/action.php:306)
Attack Surface

Multisite Widgets Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 2
  • action · init · library/wordpress/application.php:54
  • action · init · library/wordpress/data/meta.php:21
Maintenance & Trust

Multisite Widgets Maintenance & Trust

Maintenance Signals

WordPress version tested: 3.3.2
Last updated: Jun 4, 2012
PHP min version
Downloads: 7K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 10
Developer Profile

Multisite Widgets Developer Profile

DCoda

6 plugins · 60 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Multisite Widgets

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/mu-widgets/library/base/public/css/images.css
  • /wp-content/plugins/mu-widgets/library/base/public/css/admin.css
  • /wp-content/plugins/mu-widgets/library/base/public/css/front.css
  • /wp-content/plugins/mu-widgets/library/base/public/css/common.css
  • /wp-content/plugins/mu-widgets/library/base/public/js/script.js
Script Paths
  • /wp-content/plugins/mu-widgets/library/base/public/js/script.js
Version Parameters
  • mu-widgets/library/base/public/css/images.css?ver=
  • mu-widgets/library/base/public/css/admin.css?ver=
  • mu-widgets/library/base/public/css/front.css?ver=
  • mu-widgets/library/base/public/css/common.css?ver=
  • mu-widgets/library/base/public/js/script.js?ver=

HTML / DOM Fingerprints

CSS Classes
v48fv_16x16_info
HTML Comments
  • ??document??
  • Default actions of all types
  • Routines used by the default actions
  • default sub menu items
Data Attributes
  • data-tinymce
  • data-plugin-name
JS Globals
v48fv_data