Novelist Security & Risk Analysis

wordpress.org/plugins/novelist

Easily organize and display your portfolio of books.

1K active installs · v1.3.0 · PHP 7.4+ · WP 5.0+ · Updated Aug 2, 2025

Tags: authors, books, goodreads, publishing, writing

Score: 98 · A · Safe
CVEs total: 3
Unpatched: 0
Last CVE: Mar 27, 2025
Safety Verdict

Is Novelist Safe to Use in 2026?

Generally Safe

Score 98/100

Novelist has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

3 known CVEs · Last CVE: Mar 27, 2025 · Updated 9mo ago
Risk Assessment

The Novelist plugin v1.3.0 presents a mixed security posture. On the positive side, static analysis indicates a reasonable effort to implement security controls, with a significant number of capability checks and nonce checks present. The absence of critical or high severity taint flows and of dangerous functions is also encouraging. However, several areas warrant concern. None of the plugin's SQL queries use prepared statements, which is a significant risk and could expose a site to SQL injection. While the total number of SQL queries is low, the lack of proper sanitization for all of them is a critical oversight.

The vulnerability history reveals a pattern of medium severity issues, specifically Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF). Although there are currently no unpatched vulnerabilities, the presence of 3 historical medium CVEs suggests a recurring tendency to introduce such flaws. The last reported vulnerability was in March 2025, which is in the future, indicating a potential data anomaly or an assumption about future vulnerability discovery.

In conclusion, while Novelist v1.3.0 demonstrates some good security practices in its implementation, the absence of prepared statements in all of its SQL queries is a critical weakness. The historical vulnerability trend also indicates a need for more rigorous code review and security testing to prevent recurring XSS and CSRF issues. Overall, the plugin has a moderate risk profile, primarily because of its SQL query handling and the types of vulnerabilities reported in the past.

Key Concerns

  • All SQL queries lack prepared statements
  • 3 historical medium severity CVEs
  • 2 unsanitized path taint flows
  • 33% of output not properly escaped
Vulnerabilities
3 published

Novelist Security Vulnerabilities

CVEs by Year

  • 2023: 1 CVE
  • 2024: 1 CVE
  • 2025: 1 CVE

Severity Breakdown

  • Medium: 3

3 total CVEs

CVE-2025-30847 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Novelist <= 1.2.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

Mar 27, 2025 · Patched in 1.2.4 (7d)

CVE-2024-32093 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Novelist <= 1.2.2 - Cross-Site Request Forgery

Apr 11, 2024 · Patched in 1.2.3 (7d)

CVE-2023-32958 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Novelist <= 1.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Book Information Fields

May 22, 2023 · Patched in 1.2.1 (246d)
Code Analysis
Analyzed Mar 16, 2026

Novelist Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 3 (0 prepared)
Unescaped Output: 176 (348 escaped)
Nonce Checks: 6
Capability Checks: 14
File Operations: 4
External Requests: 1
Bundled Libraries: 0

SQL Query Safety

0% prepared · 3 total queries

Output Escaping

66% escaped · 524 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

7 flows · 2 with unsanitized paths
getCsvAsArray (src\CsvImport\ImportHandler.php:79)
Attack Surface

Novelist Attack Surface

Entry Points: 6
Unprotected: 0

AJAX Handlers 2

auth · wp_ajax_novelist_import_demo_book · includes\admin\books\demo-book.php:59
auth · wp_ajax_novelist_restore_default_settings · includes\admin\settings\register-settings.php:514

Shortcodes 4

[novelist-books] includes\class-novelist-shortcodes.php:21
[books-in] includes\class-novelist-shortcodes.php:22
[novelist-series-grid] includes\class-novelist-shortcodes.php:23
[show-book] includes\class-novelist-shortcodes.php:24
WordPress Hooks 81

action · admin_init · includes\admin\admin-actions.php:32
action · admin_menu · includes\admin\admin-pages.php:29
action · admin_enqueue_scripts · includes\admin\admin-pages.php:139
action · admin_enqueue_scripts · includes\admin\admin-pages.php:164
filter · manage_edit-book_columns · includes\admin\books\dashboard-columns.php:40
filter · page_row_actions · includes\admin\books\dashboard-columns.php:60
action · manage_book_posts_custom_column · includes\admin\books\dashboard-columns.php:92
action · add_meta_boxes · includes\admin\books\meta-box.php:30
action · save_post · includes\admin\books\meta-box.php:131
action · novelist/meta-box/book-information · includes\admin\books\meta-box.php:386
action · novelist/meta-box/book-information · includes\admin\books\meta-box.php:414
action · novelist/meta-box/series-number · includes\admin\books\meta-box.php:435
filter · novelist/book/meta-box/sanitize/novelist_title · includes\admin\books\sanitize-meta-fields.php:20
filter · novelist/book/meta-box/sanitize/novelist_series · includes\admin\books\sanitize-meta-fields.php:21
filter · novelist/book/meta-box/sanitize/novelist_publisher · includes\admin\books\sanitize-meta-fields.php:22
filter · novelist/book/meta-box/sanitize/novelist_pub_date · includes\admin\books\sanitize-meta-fields.php:23
filter · novelist/book/meta-box/sanitize/novelist_contributors · includes\admin\books\sanitize-meta-fields.php:24
filter · novelist/book/meta-box/sanitize/novelist_pages · includes\admin\books\sanitize-meta-fields.php:25
filter · novelist/book/meta-box/sanitize/novelist_isbn · includes\admin\books\sanitize-meta-fields.php:26
filter · novelist/book/meta-box/sanitize/novelist_asin · includes\admin\books\sanitize-meta-fields.php:27
filter · novelist/book/meta-box/sanitize/novelist_goodreads · includes\admin\books\sanitize-meta-fields.php:28
filter · novelist/book/meta-box/sanitize/novelist_pages · includes\admin\books\sanitize-meta-fields.php:33
filter · novelist/book/meta-box/sanitize/novelist_cover · includes\admin\books\sanitize-meta-fields.php:34
filter · novelist/book/meta-box/sanitize/novelist_goodreads · includes\admin\books\sanitize-meta-fields.php:39
filter · novelist/book/meta-box/sanitize/novelist_synopsis · includes\admin\books\sanitize-meta-fields.php:87
filter · novelist/book/meta-box/sanitize/novelist_excerpt · includes\admin\books\sanitize-meta-fields.php:88
filter · novelist/book/meta-box/sanitize/novelist_extra · includes\admin\books\sanitize-meta-fields.php:89
filter · novelist/book/meta-box/sanitize/novelist_purchase_links · includes\admin\books\sanitize-meta-fields.php:103
filter · novelist/book/meta-box/sanitize/novelist_hide · includes\admin\books\sanitize-meta-fields.php:117
action · admin_notices · includes\admin\class-novelist-notices.php:31
action · novelist/dismiss/notices · includes\admin\class-novelist-notices.php:32
action · admin_menu · includes\admin\class-welcome.php:33
action · admin_head · includes\admin\class-welcome.php:34
action · admin_init · includes\admin\class-welcome.php:35
action · admin_init · includes\admin\settings\register-settings.php:206
action · admin_init · includes\admin\settings\register-settings.php:443
filter · novelist/settings/sanitize/text · includes\admin\settings\register-settings.php:528
filter · novelist/settings/sanitize/number · includes\admin\settings\register-settings.php:542
filter · novelist/settings/sanitize/dimensions · includes\admin\settings\register-settings.php:580
filter · novelist/settings/sanitize/select · includes\admin\settings\register-settings.php:594
filter · novelist/settings/sanitize/color · includes\admin\settings\register-settings.php:614
filter · novelist/settings/sanitize/checkbox · includes\admin\settings\register-settings.php:630
filter · novelist/settings/sanitize/image · includes\admin\settings\register-settings.php:646
filter · novelist/settings/sanitize/book_layout · includes\admin\settings\register-settings.php:688
filter · novelist/settings/sanitize/purchase_links · includes\admin\settings\register-settings.php:724
action · admin_enqueue_scripts · includes\admin\thickbox.php:41
action · media_buttons · includes\admin\thickbox.php:87
action · admin_footer · includes\admin\thickbox.php:381
action · novelist/tools/tab/import_export · includes\admin\tools.php:123
action · novelist/export-settings · includes\admin\tools.php:164
action · novelist/import-settings · includes\admin\tools.php:211
action · novelist/tools/tab/system_info · includes\admin\tools.php:239
action · novelist/download-system-info · includes\admin\tools.php:464
action · admin_init · includes\admin\upgrades\upgrade-functions.php:41
filter · novelist/book/pre-render/title · includes\book-filters.php:15
filter · novelist/book/pre-render/pages · includes\book-filters.php:16
filter · novelist/book/pre-render/publisher · includes\book-filters.php:17
filter · novelist/book/pre-render/isbn13 · includes\book-filters.php:18
filter · novelist/book/pre-render/asin · includes\book-filters.php:19
filter · novelist/book/pre-render/title · includes\book-filters.php:43
filter · novelist/book/pre-render/pages · includes\book-filters.php:67
filter · novelist/book/render/extra_text · includes\book-filters.php:89
filter · novelist/book/render/extra_text · includes\book-filters.php:107
filter · novelist/book/render/synopsis · includes\book-filters.php:108
filter · novelist/book/render/excerpt · includes\book-filters.php:109
action · novelist/meta-box/save-book · includes\book-functions.php:413
action · wpmu_new_blog · includes\install.php:127
action · wp_enqueue_scripts · includes\load-assets.php:65
action · init · includes\post-types.php:75
filter · enter_title_here · includes\post-types.php:136
action · init · includes\post-types.php:215
filter · the_content · includes\template-functions.php:186
filter · the_excerpt · includes\template-functions.php:214
action · novelist/book/after-content · includes\template-functions.php:231
action · novelist/book/excerpt · includes\template-functions.php:248
action · pre_get_posts · includes\template-functions.php:293
filter · body_class · includes\template-functions.php:316
action · widgets_init · includes\widgets\widget-book.php:340
action · widgets_init · includes\widgets\widget-books-by-series.php:226
action · widgets_init · includes\widgets\widget-word-count.php:203
action · plugins_loaded · novelist.php:102
Maintenance & Trust

Novelist Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Aug 2, 2025
PHP min version: 7.4
Downloads: 31K

Community Trust

Rating: 100/100
Number of ratings: 9
Active installs: 1K
Developer Profile

Novelist Developer Profile

Ashley

3 plugins · 3K total installs

Trust score: 80
Avg Security Score
89/100
Avg Patch Time
87 days
Detection Fingerprints

How We Detect Novelist

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/novelist/assets/css/novelist-admin.css
/wp-content/plugins/novelist/assets/css/novelist.css
/wp-content/plugins/novelist/assets/js/novelist-admin.js
/wp-content/plugins/novelist/assets/js/novelist.js
Script Paths
/wp-content/plugins/novelist/assets/js/novelist-admin.js
/wp-content/plugins/novelist/assets/js/novelist.js
Version Parameters
novelist/assets/css/novelist-admin.css?ver=
novelist/assets/css/novelist.css?ver=
novelist/assets/js/novelist-admin.js?ver=
novelist/assets/js/novelist.js?ver=

HTML / DOM Fingerprints

CSS Classes
novelist-book-title
novelist-book-author
novelist-book-genre
novelist-book-publisher
novelist-book-publication-date
novelist-book-isbn
novelist-book-cover-image
novelist-book-description
Data Attributes
data-novelist-book-id
JS Globals
novelist_params
REST Endpoints
/wp-json/novelist/v1/books
Shortcode Output
[novelist_books]
[novelist_book_details]
FAQ

Frequently Asked Questions about Novelist