Mutual Funds Data Security & Risk Analysis

wordpress.org/plugins/mutual-funds-data

Show latest data about Indian Mutual Funds on your website, e.g. 1 yr, 3 yr, 5 yr returns, risk, category etc.

30 active installs v1.2.1 PHP + WP 3.0.1+ Updated Dec 18, 2018
investingmutual-fundsstock-market
63
C · Use Caution
CVEs total1
Unpatched1
Last CVEMay 26, 2026
Safety Verdict

Is Mutual Funds Data Safe to Use in 2026?

Use With Caution

Score 63/100

Mutual Funds Data has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE 1 unpatched Last CVE: May 26, 2026Updated 7yr ago
Risk Assessment

The "mutual-funds-data" v1.2.1 plugin presents a mixed security posture. While it demonstrates good practices such as the absence of dangerous functions and 100% usage of prepared statements for SQL queries, significant concerns emerge from its handling of entry points and output sanitization. The presence of an unprotected AJAX handler creates a direct avenue for potential abuse without proper authentication or authorization checks. Furthermore, all output, as indicated by the static analysis, is not properly escaped, posing a substantial risk of Cross-Site Scripting (XSS) vulnerabilities when user-supplied data is displayed. The taint analysis, while showing no critical or high severity unsanitized paths, still reveals two flows with unsanitized paths, which warrants attention in conjunction with the unescaped output. The plugin's vulnerability history is clean, with no recorded CVEs, which is a positive indicator of its past security, but it does not mitigate the immediate risks identified in the current code analysis. The overall security is hampered by the lack of robust input validation and output escaping, coupled with an exposed entry point.

Key Concerns

  • AJAX handler without auth checks
  • 0% output properly escaped
  • 2 flows with unsanitized paths
  • No nonce checks
  • No capability checks
Vulnerabilities
1 published

Mutual Funds Data Security Vulnerabilities

CVEs by Year

1 CVE in 2026 · unpatched
2026
Patched Has unpatched

Severity Breakdown

Medium
1

1 total CVE

CVE-2026-8869medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Mutual Funds Data <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute

May 26, 2026Unpatched
Version History

Mutual Funds Data Release Timeline

No version history available.
Code Analysis
Analyzed Mar 16, 2026

Mutual Funds Data Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
1
0 escaped
Nonce Checks
0
Capability Checks
0
File Operations
0
External Requests
3
Bundled Libraries
1

Bundled Libraries

TinyMCE

Output Escaping

0% escaped1 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

2 flows2 with unsanitized paths
mfd_search_by_name (mutual-funds-data.php:284)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
1 unprotected

Mutual Funds Data Attack Surface

Entry Points2
Unprotected1

AJAX Handlers 1

authwp_ajax_mfd_search_by_namemutual-funds-data.php:55

Shortcodes 1

[mfd] mutual-funds-data.php:70
WordPress Hooks 8
actioninitmutual-funds-data.php:39
actioninitmutual-funds-data.php:43
actionwp_enqueue_scriptsmutual-funds-data.php:47
actionadmin_enqueue_scriptsmutual-funds-data.php:51
actionadmin_menumutual-funds-data.php:59
actionadmin_initmutual-funds-data.php:63
filtermce_external_pluginsmutual-funds-data.php:215
filtermce_buttonsmutual-funds-data.php:216
Maintenance & Trust

Mutual Funds Data Maintenance & Trust

Maintenance Signals

WordPress version tested4.9.29
Last updatedDec 18, 2018
PHP min version
Downloads2K

Community Trust

Rating100/100
Number of ratings1
Active installs30
Developer Profile

Mutual Funds Data Developer Profile

Mutual Funds Data

1 plugin · 30 total installs

68
trust score
Avg Security Score
63/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Mutual Funds Data

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/mutual-funds-data/css/frontend.css/wp-content/plugins/mutual-funds-data/css/responsive-table.css/wp-content/plugins/mutual-funds-data/js/frontend.js/wp-content/plugins/mutual-funds-data/js/script.js
Script Paths
/wp-content/plugins/mutual-funds-data/js/frontend.js/wp-content/plugins/mutual-funds-data/js/script.js
Version Parameters
mutual-funds-data/css/frontend.css?ver=mutual-funds-data/css/responsive-table.css?ver=mutual-funds-data/js/frontend.js?ver=mutual-funds-data/js/script.js?ver=

HTML / DOM Fingerprints

CSS Classes
mfd-containermfd-responsive-table
Data Attributes
data-titledata-type
REST Endpoints
/wp-json/mutual-funds-data/v1/settings
Shortcode Output
<table class="mfd-responsive-table"><th scope="col">Fund Name</th><td data-title="1Y" data-type="currency"><td data-title="3Y" data-type="currency">
FAQ

Frequently Asked Questions about Mutual Funds Data