oik Security & Risk Analysis

wordpress.org/plugins/oik

Over 80 advanced, powerful shortcodes, and 9 blocks for displaying the content of your WordPress website.

2K active installs · v4.15.4 · PHP + WP 5.5+ · Updated Nov 25, 2025

Tags: advanced, blocks, shortcode, shortcodes

Score: 95 (A · Safe)
CVEs total: 7
Unpatched: 0
Last CVE: Nov 26, 2025
Safety Verdict

Is oik Safe to Use in 2026?

Generally Safe

Score 95/100

oik has a strong security track record. Known vulnerabilities have been patched promptly.

7 known CVEs · Last CVE: Nov 26, 2025 · Updated 4mo ago
Risk Assessment

The oik plugin v4.15.4 presents a mixed security posture. While it demonstrates good practices such as 100% usage of prepared statements for SQL queries and a history of having all reported CVEs patched, there are significant concerns identified in the static analysis. Specifically, a substantial portion of the attack surface, comprising 3 out of 4 AJAX handlers, lacks proper authentication checks. This opens the door for unauthorized actions if these handlers can be triggered by unauthenticated users. Furthermore, the taint analysis reveals one high-severity flow with unsanitized input, indicating a potential for vulnerabilities even if not explicitly detailed in the CVE history. The plugin's history of 7 medium-severity CVEs, particularly those related to Cross-Site Request Forgery, Missing Authorization, and Cross-site Scripting, suggests a pattern of past weaknesses in input validation and authorization mechanisms. Although currently unpatched vulnerabilities are zero, the presence of unsanitized taint flows and unprotected entry points points to ongoing risks that require immediate attention. The plugin needs to address the unprotected AJAX endpoints and ensure all sensitive operations are adequately secured with robust authorization and input sanitization to improve its overall security.

Key Concerns

  • Unprotected AJAX handlers
  • High severity taint flow with unsanitized input
  • Taint flows with unsanitized paths
  • Missing nonce checks on entry points
  • Medium severity CVE history pattern
  • 55% of outputs properly escaped

Vulnerabilities (7)

oik Security Vulnerabilities

CVEs by Year

2024: 3 CVEs
2025: 4 CVEs
(Legend: Patched / Has unpatched)

Severity Breakdown

Medium: 7 (7 total CVEs)

CVE-2025-67549 · medium (6.4) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  oik <= 4.15.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
  Nov 26, 2025 · Patched in 4.15.4 (15d)

CVE-2025-54670 · medium (6.1) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  oik <= 4.15.2 - Reflected Cross-Site Scripting
  Aug 14, 2025 · Patched in 4.15.3 (6d)

CVE-2025-54671 · medium (4.3) · Cross-Site Request Forgery (CSRF)
  oik <= 4.15.2 - Cross-Site Request Forgery
  Jul 30, 2025 · Patched in 4.15.3 (6d)

CVE-2025-49241 · medium (4.3) · Missing Authorization
  oik <= 4.15.1 - Missing Authorization
  Jun 5, 2025 · Patched in 4.15.2 (6d)

CVE-2024-43356 · medium (4.3) · Cross-Site Request Forgery (CSRF)
  oik <= 4.12.0 - Cross-Site Request Forgery
  Aug 16, 2024 · Patched in 4.12.1 (4d)

CVE-2024-6391 · medium (6.4) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  oik <= 4.10.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via bw_button Shortcode
  Jul 8, 2024 · Patched in 4.12.0 (1d)

CVE-2024-2256 · medium (6.4) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  oik <= 4.10.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
  Mar 14, 2024 · Patched in 4.10.2 (1d)

Code Analysis (analyzed Mar 16, 2026)

oik Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (3 prepared)
Unescaped Output: 29 (36 escaped)
Nonce Checks: 0
Capability Checks: 2
File Operations: 2
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared (3 total queries)

Output Escaping

55% escaped (65 total outputs)

Data Flows (4 unsanitized)

Data Flow Analysis

5 flows, 4 with unsanitized paths

search_box (admin\class-bw-list-table.php:335)

Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized

Attack Surface (3 unprotected)

oik Attack Surface

Entry Points: 4
Unprotected: 3

AJAX Handlers (4)

auth · wp_ajax_oik_ajax_list_shortcodes · includes\oik-ajax.php:97
auth · wp_ajax_oik_ajax_load_shortcode_syntax · includes\oik-ajax.php:98
auth · wp_ajax_oik_ajax_load_shortcode_help · includes\oik-ajax.php:99
auth · wp_ajax_do_shortcode · includes\oik-ajax.php:100

WordPress Hooks (76)

action · admin_footer · admin\class-bw-list-table.php:148
action · pre_current_active_plugins · admin\oik-admin.php:47
action · pre_current_active_plugins · admin\oik-admin.php:48
action · pre_current_active_plugins · admin\oik-admin.php:49
action · add_meta_boxes · includes\bw_metadata.php:17
action · save_post · includes\bw_metadata.php:19
action · shortcode_ui_before_do_shortcode · includes\oik-ajax.php:88
action · shortcode_ui_after_do_shortcode · includes\oik-ajax.php:89
filter · bw_email_subject · includes\oik-contact-form-email.php:40
filter · bw_email_message · includes\oik-contact-form-email.php:81
filter · bw_email_headers · includes\oik-contact-form-email.php:101
action · bw_sc_help · includes\oik-shortcodes.php:119
action · bw_sc_syntax · includes\oik-shortcodes.php:120
action · bw_sc_example · includes\oik-shortcodes.php:121
action · bw_sc_snippet · includes\oik-shortcodes.php:122
filter · oik_shortcode_result · includes\oik-shortcodes.php:155
filter · oik_shortcode_atts · includes\oik-shortcodes.php:156
filter · mce_buttons · oik-button-shortcodes.php:11
filter · mce_external_plugins · oik-button-shortcodes.php:12
filter · manage_posts_columns · oik-ids.php:173
action · manage_posts_custom_column · oik-ids.php:174
filter · manage_pages_columns · oik-ids.php:175
action · manage_pages_custom_column · oik-ids.php:176
filter · manage_edit-post_sortable_columns · oik-ids.php:181
filter · manage_edit-{$taxonomy}_sortable_columns · oik-ids.php:198
filter · manage_media_columns · oik-ids.php:208
action · manage_media_custom_column · oik-ids.php:209
filter · manage_upload_sortable_columns · oik-ids.php:210
filter · manage_link-manager_columns · oik-ids.php:220
action · manage_link_custom_column · oik-ids.php:221
filter · manage_link-manager_sortable_columns · oik-ids.php:222
action · manage_users_columns · oik-ids.php:232
filter · manage_users_custom_column · oik-ids.php:233
filter · manage_users_sortable_columns · oik-ids.php:234
filter · mce_buttons · oik-paypal-shortcodes.php:52
filter · mce_external_plugins · oik-paypal-shortcodes.php:53
action · edit_form_advanced · oik-quicktags.php:11
action · edit_page_form · oik-quicktags.php:12
filter · mce_buttons · oik-shortc-shortcodes.php:8
filter · mce_external_plugins · oik-shortc-shortcodes.php:9
filter · bw_sc_shortcake_compatible · oik-shortcake.php:68
action · admin_enqueue_scripts · oik-shortcake.php:409
filter · oik_query_libs · oik.php:56
action · oik_lib_loaded · oik.php:57
action · wp_enqueue_scripts · oik.php:69
action · admin_enqueue_scripts · oik.php:70
action · init · oik.php:72
action · init · oik.php:73
action · rest_api_init · oik.php:74
filter · attachment_fields_to_edit · oik.php:76
filter · attachment_fields_to_save · oik.php:77
filter · oembed_remote_get_args · oik.php:78
action · admin_menu · oik.php:149
action · network_admin_menu · oik.php:150
action · network_admin_notices · oik.php:151
action · admin_bar_menu · oik.php:152
action · login_head · oik.php:153
action · admin_notices · oik.php:154
action · oik_add_shortcodes · oik.php:155
filter · _sc__help · oik.php:157
action · enqueue_block_assets · oik.php:189
action · enqueue_block_editor_assets · oik.php:190
action · admin_init · oik.php:243
action · admin_enqueue_scripts · oik.php:245
action · activate_plugin · oik.php:247
action · admin_init · oik.php:268
filter · block_type_metadata · oik.php:633
filter · load_script_textdomain_relative_path · oik.php:670
action · bw_sc_help · shortcodes\oik-codes.php:229
action · bw_sc_example · shortcodes\oik-codes.php:230
action · bw_sc_syntax · shortcodes\oik-codes.php:231
filter · bw_jquery_script_url · shortcodes\oik-jquery.php:15
filter · login_headerurl · shortcodes\oik-logo.php:62
filter · login_headertext · shortcodes\oik-logo.php:63
filter · bw_navi_filter_textarea · shortcodes\oik-navi.php:435
filter · bw_navi_filter_sctextarea · shortcodes\oik-navi.php:436

Maintenance & Trust

oik Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Nov 25, 2025
PHP min version: (not listed)
Downloads: 229K

Community Trust

Rating: 74/100
Number of ratings: 3
Active installs: 2K

Developer Profile

oik Developer Profile

bobbingwide

16 plugins · 7K total installs

Trust score: 92
Avg Security Score: 97/100
Avg Patch Time: 15 days

Detection Fingerprints

How We Detect oik

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths: /wp-content/plugins/oik/oik.css
Version Parameters: oik/oik.css?ver=

HTML / DOM Fingerprints

REST Endpoints: /wp-json/oik/v1

FAQ

Frequently Asked Questions about oik