OnionBuzz Security & Risk Analysis

wordpress.org/plugins/onionbuzz-viral-quiz

Create BuzzFeed like quizzes on your WordPress website or blog.

100 active installs · v1.0.7 · PHP + WP 4.0.0+ · Updated Jan 8, 2018

Tags: buzz, buzzfeed, guess, personality, playbuzz

Score: 47/100 (D · High Risk)
CVEs total: 3
Unpatched: 1
Last CVE: Jun 27, 2025
Safety Verdict: Is OnionBuzz Safe to Use in 2026?

High Risk

Score 47/100

OnionBuzz carries significant security risk with 3 known CVEs, 1 still unpatched. Consider switching to a maintained alternative.

3 known CVEs · 1 unpatched · Last CVE: Jun 27, 2025 · Plugin last updated 8 years ago
Risk Assessment

The "onionbuzz-viral-quiz" plugin has a concerning security posture, driven first by its attack surface: all 29 AJAX entry points are registered with no nonce check and no capability check, so every action they expose, including the admin-only ones (settings, feed and quiz management, statistics erasure), is reachable by any logged-in user of any role, and by any cross-site request that can ride that user's session through admin-ajax.php. Four of the actions (ob_get_results, ob_question_votes, ob_save_email, ob_lock_share_clicked) are additionally registered for unauthenticated (nopriv) callers. All 17 analyzed taint flows contain an unsanitized path, although this analysis found no critical or high severity issue on those paths; only 43% of SQL queries are prepared and only 16% of output statements are escaped. The vulnerability history reinforces the picture: three CVEs, two of them critical SQL injections from 2019 that were fixed only after 1648 days, and a medium-severity CSRF from 2025 that remains unpatched. Note also that the recorded fix versions for the 2019 SQL injections (1.2.2 and 1.2.7) are higher than the latest release on wordpress.org (1.0.7, January 2018), so the wordpress.org build predates both fixes. The plugin uses no dangerous functions, performs no file operations and makes no external requests, which limits the impact somewhat, but the missing nonce and capability checks, the unprepared queries and the largely unescaped output are each exploitable weaknesses in a plugin that is no longer maintained.

Key Concerns

  • 29 AJAX handlers without auth checks
  • 17 flows with unsanitized paths
  • 0 Nonce checks
  • 0 Capability checks
  • 1 unpatched medium-severity CVE (CSRF, CVE-2025-53312)
  • 2 critical CVEs in history
  • 16% properly escaped output
  • Bundled outdated jQuery v3.1.1
OnionBuzz Security Vulnerabilities (3)

CVEs by Year

2019: 2 CVEs (both patched)
2025: 1 CVE (unpatched)

Severity Breakdown

Critical: 2
Medium: 1
Total: 3

CVE-2025-53312 · medium · CVSS 4.3 · Cross-Site Request Forgery (CSRF)
OnionBuzz <= 1.0.7 - Cross-Site Request Forgery
Jun 27, 2025 · Unpatched

CVE-2019-14230 · critical · CVSS 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
OnionBuzz Plugin < 1.2.7 - SQL Injection
Jul 20, 2019 · Patched in 1.2.7 (after 1648 days)

CVE-2019-14231 · critical · CVSS 10 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Viral Quiz Maker - OnionBuzz < 1.2.2 - SQL Injection
Jul 20, 2019 · Patched in 1.2.2 (after 1648 days)
OnionBuzz Code Analysis (analyzed Mar 16, 2026)

Dangerous Functions: 0
SQL Queries: 30 total, 13 prepared (43%), 17 raw (unprepared)
Output Statements: 479 total, 76 escaped (16%), 403 unescaped
Nonce Checks: 0
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 1 (jQuery 3.1.1)
Data Flow Analysis

17 flows analyzed, 17 with unsanitized paths (user-input source reaching a dangerous sink with no sanitizer on the path)

Listed flow: ob_question_votes_callback (src\Admin\OBVQ_Admin.php:556)
OnionBuzz Attack Surface

Entry Points: 29
Unprotected: 29

AJAX Handlers (29) · scope · hook · location

auth   · wp_ajax_ob_get_results                · src\Admin\OBVQ_Admin.php:138
nopriv · wp_ajax_ob_get_results                · src\Admin\OBVQ_Admin.php:139
auth   · wp_ajax_ob_question_votes             · src\Admin\OBVQ_Admin.php:141
nopriv · wp_ajax_ob_question_votes             · src\Admin\OBVQ_Admin.php:142
auth   · wp_ajax_ob_save_email                 · src\Admin\OBVQ_Admin.php:144
nopriv · wp_ajax_ob_save_email                 · src\Admin\OBVQ_Admin.php:145
auth   · wp_ajax_ob_lock_share_clicked         · src\Admin\OBVQ_Admin.php:147
nopriv · wp_ajax_ob_lock_share_clicked         · src\Admin\OBVQ_Admin.php:148
auth   · wp_ajax_ob_settings                   · src\Admin\OBVQ_Admin.php:150
auth   · wp_ajax_ob_feeds                      · src\Admin\OBVQ_Admin.php:152
auth   · wp_ajax_ob_feed                       · src\Admin\OBVQ_Admin.php:153
auth   · wp_ajax_ob_feed_quizzes               · src\Admin\OBVQ_Admin.php:154
auth   · wp_ajax_ob_quizzes                    · src\Admin\OBVQ_Admin.php:156
auth   · wp_ajax_ob_quiz                       · src\Admin\OBVQ_Admin.php:157
auth   · wp_ajax_ob_quiz_results               · src\Admin\OBVQ_Admin.php:159
auth   · wp_ajax_ob_quiz_result                · src\Admin\OBVQ_Admin.php:160
auth   · wp_ajax_ob_quiz_results_conditions    · src\Admin\OBVQ_Admin.php:161
auth   · wp_ajax_ob_quiz_questions             · src\Admin\OBVQ_Admin.php:163
auth   · wp_ajax_ob_quiz_question              · src\Admin\OBVQ_Admin.php:164
auth   · wp_ajax_ob_questions_resort           · src\Admin\OBVQ_Admin.php:165
auth   · wp_ajax_ob_quiz_question_answers      · src\Admin\OBVQ_Admin.php:167
auth   · wp_ajax_ob_quiz_question_answer       · src\Admin\OBVQ_Admin.php:168
auth   · wp_ajax_ob_quiz_settings              · src\Admin\OBVQ_Admin.php:170
auth   · wp_ajax_ob_quiz_stats                 · src\Admin\OBVQ_Admin.php:172
auth   · wp_ajax_ob_stats_erase                · src\Admin\OBVQ_Admin.php:174
nopriv · wp_ajax_ob_get_results                · src\Frontend\OBVQ_Frontend.php:73
nopriv · wp_ajax_ob_save_email                 · src\Frontend\OBVQ_Frontend.php:74
nopriv · wp_ajax_ob_question_votes             · src\Frontend\OBVQ_Frontend.php:75
nopriv · wp_ajax_ob_lock_share_clicked         · src\Frontend\OBVQ_Frontend.php:76
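The Key Concerns above (0 nonce checks, 0 capability checks, 43% prepared SQL, 16% escaped output) and the handler table above describe the same gap from two angles: an admin-ajax action that verifies nothing. The following is an added example, written for this page and not taken from the plugin; it shows an admin-only action and a public (nopriv) action in the unprotected shape the counters describe, next to the same actions with the missing controls in place. The handler names (obvq_example_*), the table names obvq_stats and obvq_answers, the field names and the nonce action strings are all assumptions; the WordPress functions used (check_ajax_referer, current_user_can, absint, $wpdb->prepare, wp_send_json_*, wp_localize_script) are core APIs and the snippet is meant to run inside WordPress as part of a plugin file.

```php
<?php
// Added illustration, not the plugin's code. Names, tables and nonce actions are assumed.

// --- BEFORE: the shape the report's counters describe. Do not deploy. ---
function obvq_example_stats_erase_unsafe() {
    global $wpdb;
    $quiz_id = $_POST['quiz_id'];                                   // raw request input
    // No nonce (CSRF), no capability check (any logged-in role), string-built SQL (SQLi)
    $wpdb->query("DELETE FROM {$wpdb->prefix}obvq_stats WHERE quiz_id = $quiz_id");
    echo 'Erased stats for quiz ' . $_POST['quiz_id'];              // reflected, unescaped
    wp_die();
}
add_action('wp_ajax_obvq_example_stats_erase_unsafe', 'obvq_example_stats_erase_unsafe');

// --- AFTER: the same admin action with the controls in place ---
function obvq_example_stats_erase() {
    global $wpdb;
    // 1. CSRF: the request must carry a nonce minted for this specific action.
    //    On failure this dies with HTTP 403 before anything else runs.
    check_ajax_referer('obvq_stats_erase', 'nonce');
    // 2. Authorization: erasing statistics is an administrative operation.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'forbidden'], 403);
    }
    // 3. Input validation: an ID is a positive integer or it is nothing.
    $quiz_id = isset($_POST['quiz_id']) ? absint($_POST['quiz_id']) : 0;
    if ($quiz_id === 0) {
        wp_send_json_error(['message' => 'invalid quiz_id'], 400);
    }
    // 4. SQL: bind the value, never interpolate it.
    $deleted = $wpdb->query($wpdb->prepare(
        "DELETE FROM {$wpdb->prefix}obvq_stats WHERE quiz_id = %d",
        $quiz_id
    ));
    // 5. Output: JSON with typed values; no HTML assembled from request data.
    wp_send_json_success(['quiz_id' => $quiz_id, 'deleted' => (int) $deleted]);
}
add_action('wp_ajax_obvq_example_stats_erase', 'obvq_example_stats_erase');
// Deliberately no wp_ajax_nopriv_ registration: anonymous callers must not reach it.

// A public (nopriv) action, such as recording a vote, cannot demand a login, but it
// can still demand a nonce, validated integers and a server-side ownership check.
function obvq_example_vote() {
    global $wpdb;
    check_ajax_referer('obvq_public', 'nonce');
    $question_id = isset($_POST['question_id']) ? absint($_POST['question_id']) : 0;
    $answer_id   = isset($_POST['answer_id'])   ? absint($_POST['answer_id'])   : 0;
    if ($question_id === 0 || $answer_id === 0) {
        wp_send_json_error(['message' => 'invalid ids'], 400);
    }
    // Reject votes for an answer that does not belong to the stated question.
    $belongs = $wpdb->get_var($wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->prefix}obvq_answers WHERE id = %d AND question_id = %d",
        $answer_id, $question_id
    ));
    if ((int) $belongs !== 1) {
        wp_send_json_error(['message' => 'unknown answer'], 404);
    }
    $wpdb->query($wpdb->prepare(
        "UPDATE {$wpdb->prefix}obvq_answers SET votes = votes + 1 WHERE id = %d",
        $answer_id
    ));
    wp_send_json_success(['answer_id' => $answer_id]);
}
add_action('wp_ajax_obvq_example_vote', 'obvq_example_vote');
add_action('wp_ajax_nopriv_obvq_example_vote', 'obvq_example_vote');

// The nonce the public action checks is handed to the front-end script here.
// 'js/example.js' is a hypothetical script path belonging to this example.
function obvq_example_enqueue() {
    wp_register_script('obvq-example', plugins_url('js/example.js', __FILE__), ['jquery'], '1.0', true);
    wp_localize_script('obvq-example', 'obvq_example_params', [
        'ajax_url' => admin_url('admin-ajax.php'),
        'nonce'    => wp_create_nonce('obvq_public'),
    ]);
    wp_enqueue_script('obvq-example');
}
add_action('wp_enqueue_scripts', 'obvq_example_enqueue');
```

The front-end script would POST `action=obvq_example_vote`, `nonce=<obvq_example_params.nonce>` and the two IDs to `obvq_example_params.ajax_url`. Two caveats a practitioner should keep in mind. First, admin-ajax.php dispatches on `$_REQUEST['action']`, so an action with no nonce check is reachable by a plain top-level GET navigation even in browsers that default cookies to SameSite=Lax; that is the condition the unpatched CSRF entry (CVE-2025-53312, <= 1.0.7) is consistent with, and a nonce check is the standard fix. Second, WordPress nonces for logged-out users are not per session (user ID 0 and an empty session token go into the hash), so on a nopriv action the nonce mainly stops naive cross-site abuse and breaks under full-page caching; the real protection on the public vote path is the integer validation, the ownership query and, if abuse matters, rate limiting.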
WordPress Hooks (17) · type · hook · location

action · admin_menu          · src\Admin\OBVQ_Admin.php:136
action · init                · src\Admin\OBVQ_Admin.php:176
action · init                · src\Admin\OBVQ_Admin.php:177
action · widgets_init        · src\Admin\OBVQ_Admin.php:179
action · plugins_loaded      · src\Admin\OBVQ_Admin.php:181
action · init                · src\Frontend\OBVQ_Frontend.php:54
action · init                · src\Frontend\OBVQ_Frontend.php:55
action · init                · src\Frontend\OBVQ_Frontend.php:57
action · wp_head             · src\Frontend\OBVQ_Frontend.php:59
action · wp_head             · src\Frontend\OBVQ_Frontend.php:60
filter · archive_template    · src\Frontend\OBVQ_Frontend.php:66
filter · the_content         · src\Frontend\OBVQ_Frontend.php:67
action · pre_get_posts       · src\Frontend\OBVQ_Frontend.php:70
action · pre_get_posts       · src\Frontend\OBVQ_Frontend.php:71
action · widgets_init        · src\Frontend\OBVQ_Frontend.php:78
action · wp_enqueue_scripts  · src\Frontend\OBVQ_Frontend.php:79
filter · the_posts           · src\Frontend\OBVQ_Frontend.php:204
OnionBuzz Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.8.28
Last updated: Jan 8, 2018
PHP min version: none listed
Downloads: 8K

Community Trust

Rating: 80/100
Number of ratings: 3
Active installs: 100
OnionBuzz Developer Profile

Developer: Looks Awesome
3 plugins · 230 total installs
Trust score: 59
Avg Security Score: 72/100
Avg Patch Time: 1648 days
How We Detect OnionBuzz

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/onionbuzz-viral-quiz/vendors/pnotify/pnotify.min.js
/wp-content/plugins/onionbuzz-viral-quiz/vendors/sharer/sharer.js
/wp-content/plugins/onionbuzz-viral-quiz/frontend/js/frontend.js
/wp-content/plugins/onionbuzz-viral-quiz/frontend/css/frontend.css
/wp-content/plugins/onionbuzz-viral-quiz/vendors/animations/animations.css

Script Paths
vendors/pnotify/pnotify.min.js
vendors/sharer/sharer.js
frontend/js/frontend.js
frontend/css/frontend.css
vendors/animations/animations.css

Version Parameters
onionbuzz-viral-quiz/vendors/pnotify/pnotify.min.js?ver=
onionbuzz-viral-quiz/vendors/sharer/sharer.js?ver=
onionbuzz-viral-quiz/frontend/js/frontend.js?ver=
onionbuzz-viral-quiz/frontend/css/frontend.css?ver=
onionbuzz-viral-quiz/vendors/animations/animations.css?ver=

HTML / DOM Fingerprints

HTML Comments
<!-- Onionbuzz Custom CSS -->
<!-- Onionbuzz Custom CSS END -->

Data Attributes
data-obvq

JS Globals
onionbuzz_params
onionbuzz_lng

REST Endpoints
/wp-json/onionbuzz-viral-quiz/v1/getquiz
/wp-json/onionbuzz-viral-quiz/v1/getquizdata

Shortcode Output
[onionbuzz_quiz
[quiz_display
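To make the fingerprints above concrete, here is an added example of an offline matcher that applies them to a captured page and maps any version hint it finds onto the CVE ranges listed in the Vulnerabilities section. It is written for this page and is not the crawler code behind the audit; the sample HTML is constructed for the demonstration, the OBVQ_SLUG constant, the function names, the evidence labels and the regular expressions are my own, and only the CVE identifiers and affected-version ranges come from the page. It runs under the PHP CLI with no WordPress installation.

```php
<?php
// Added example: offline fingerprint matcher for the patterns listed above.
// Sample page, names and regexes are assumptions made for this demonstration.

const OBVQ_SLUG = 'onionbuzz-viral-quiz';

// Returns detected flag, the evidence classes that fired, and any ?ver= hints seen.
function obvq_fingerprint(string $html): array {
    $evidence = [];
    $versions = [];

    // 1. Enqueued assets under the plugin directory, with the ?ver= query value if present.
    $asset_re = '#/wp-content/plugins/' . preg_quote(OBVQ_SLUG, '#') .
                '/([A-Za-z0-9_./-]+?\.(?:js|css))(?:\?ver=([^"\'&\s>]*))?#';
    if (preg_match_all($asset_re, $html, $m, PREG_SET_ORDER)) {
        foreach ($m as $hit) {
            $evidence[] = 'asset:' . $hit[1];
            if (isset($hit[2]) && $hit[2] !== '') {
                $versions[] = $hit[2];
            }
        }
    }
    // 2. HTML comment markers around the custom CSS block.
    if (strpos($html, '<!-- Onionbuzz Custom CSS -->') !== false) {
        $evidence[] = 'comment:custom-css';
    }
    // 3. data-obvq attribute on quiz containers.
    if (preg_match('/\bdata-obvq\b/', $html)) {
        $evidence[] = 'dom:data-obvq';
    }
    // 4. JS globals (the kind wp_localize_script emits as "var name = {...}").
    foreach (['onionbuzz_params', 'onionbuzz_lng'] as $global) {
        if (preg_match('/\b' . $global . '\s*=/', $html)) {
            $evidence[] = 'js:' . $global;
        }
    }
    // 5. REST route references anywhere in the markup or inline scripts.
    $rest_re = '#/wp-json/' . preg_quote(OBVQ_SLUG, '#') . '/v1/(getquiz(?:data)?)#';
    if (preg_match_all($rest_re, $html, $r)) {
        foreach (array_unique($r[1]) as $route) {
            $evidence[] = 'rest:' . $route;
        }
    }

    return [
        'detected' => count($evidence) > 0,
        'evidence' => array_values(array_unique($evidence)),
        'versions' => array_values(array_unique($versions)),
    ];
}

// CVE ranges from the Vulnerabilities section. The ?ver= value is only a hint:
// it is whatever the enqueue passed (often the plugin version, sometimes the
// WordPress version), so confirm with readme.txt or a REST probe before acting.
function obvq_affected_cves(string $version): array {
    $ranges = [
        'CVE-2025-53312' => ['<=', '1.0.7'],
        'CVE-2019-14231' => ['<',  '1.2.2'],
        'CVE-2019-14230' => ['<',  '1.2.7'],
    ];
    $hits = [];
    foreach ($ranges as $cve => [$op, $bound]) {
        if (version_compare($version, $bound, $op)) {
            $hits[] = $cve;
        }
    }
    return $hits;
}

// Constructed sample page (not a capture from a real site).
$sample = <<<'HTML'
<html><head>
<link rel="stylesheet" href="https://example.test/wp-content/plugins/onionbuzz-viral-quiz/frontend/css/frontend.css?ver=1.0.7">
<script src="https://example.test/wp-content/plugins/onionbuzz-viral-quiz/vendors/sharer/sharer.js?ver=1.0.7"></script>
<script>var onionbuzz_params = {"ajaxurl":"https://example.test/wp-admin/admin-ajax.php","rest":"https://example.test/wp-json/onionbuzz-viral-quiz/v1/getquiz"};</script>
</head><body>
<!-- Onionbuzz Custom CSS -->
<style></style>
<!-- Onionbuzz Custom CSS END -->
<div class="quiz" data-obvq="12"></div>
<script src="https://example.test/wp-content/plugins/onionbuzz-viral-quiz/frontend/js/frontend.js?ver=1.0.7"></script>
</body></html>
HTML;

$result = obvq_fingerprint($sample);
$result['cves_by_version_hint'] = [];
foreach ($result['versions'] as $v) {
    $result['cves_by_version_hint'][$v] = obvq_affected_cves($v);
}
print_r($result);
```

Run it with `php matcher.php`; on the constructed sample every evidence class fires and the single version hint falls inside all three CVE ranges. Because the cached `?ver=` value and the bundled asset paths survive even when a plugin is deactivated but not deleted, treat a positive match as a reason to probe the REST endpoints and check the installed version, not as proof that the handlers are live.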
Frequently Asked Questions about OnionBuzz