WP-Safety

OS HTML5 Shortcodes Security & Risk Analysis

wordpress.org/plugins/os-html5-shortcodes

Using shortcodes you can easily add HTML codes such as ad codes, javascript, video embedding, etc in your pages, posts or custom posts.

10 active installs v1.3 PHP + WP 4.3+ Updated Apr 24, 2017
etc-to-your-pagesinclude-html-codes-uch-as-ad-codesjavascriptposts-or-custom-post-type-easily-using-shortcodesvideo-embedding
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is OS HTML5 Shortcodes Safe to Use in 2026?

Generally Safe

Score 85/100

OS HTML5 Shortcodes has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 8yr ago
Risk Assessment

The 'os-html5-shortcodes' plugin v1.3 presents a mixed security posture. On the positive side, it demonstrates good practices by exclusively using prepared statements for SQL queries and appears to have a contained attack surface with no AJAX handlers or REST API routes directly exposed without authentication. The absence of recorded CVEs and a clean vulnerability history is also a strong indicator of past security diligence.

However, there are notable concerns. The use of `create_function` is a significant security risk, as it allows for the dynamic creation of functions, which can be exploited to inject and execute arbitrary PHP code if not handled with extreme care. Furthermore, a substantial portion of output (61%) is not properly escaped. This lack of output escaping leaves the plugin vulnerable to Cross-Site Scripting (XSS) attacks, where malicious scripts could be injected and executed in the user's browser.

In conclusion, while the plugin benefits from a clean vulnerability history and secure SQL practices, the presence of `create_function` and insufficient output escaping represent critical security weaknesses. These issues could be exploited to gain code execution or perform XSS attacks, despite the limited apparent attack surface and lack of auth checks on entry points. Future development should prioritize addressing these specific code-level vulnerabilities.

Key Concerns

  • Use of dangerous function create_function
  • Insufficient output escaping (39% proper)
  • No nonce checks on entry points
Vulnerabilities
None known

OS HTML5 Shortcodes Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

OS HTML5 Shortcodes Code Analysis

Dangerous Functions
1
Raw SQL Queries
0
2 prepared
Unescaped Output
17
11 escaped
Nonce Checks
0
Capability Checks
2
File Operations
0
External Requests
0
Bundled Libraries
1

Dangerous Functions Found

create_functionadd_action( 'widgets_init', create_function( '', 'return register_widget( "osHtml5Widget" );' ) );includes\admin\oshtml5-widget.php:91

Bundled Libraries

TinyMCE

SQL Query Safety

100% prepared2 total queries

Output Escaping

39% escaped28 total outputs
Attack Surface

OS HTML5 Shortcodes Attack Surface

Entry Points1
Unprotected0

Shortcodes 1

[oshtml5] os-html5-shortcodes.php:152
WordPress Hooks 14
actionadd_meta_boxes_os-html5includes\admin\meta-boxes\class.oshtml5.shortcode.php:27
actionadmin_menuincludes\admin\oshtml5-about.php:27
actioninitincludes\admin\oshtml5-post-types.php:27
filtermanage_edit-os-html5_columnsincludes\admin\oshtml5-post-types.php:28
actionmanage_os-html5_posts_custom_columnincludes\admin\oshtml5-post-types.php:29
filtermce_external_pluginsincludes\admin\oshtml5-tinymce.php:15
filtermce_buttonsincludes\admin\oshtml5-tinymce.php:16
actionadmin_headincludes\admin\oshtml5-tinymce.php:41
actionwidgets_initincludes\admin\oshtml5-widget.php:91
actioninitos-html5-shortcodes.php:143
actionadmin_initos-html5-shortcodes.php:144
actionparse_requestos-html5-shortcodes.php:145
filterquery_varsos-html5-shortcodes.php:148
filterwidget_textos-html5-shortcodes.php:149
Maintenance & Trust

OS HTML5 Shortcodes Maintenance & Trust

Maintenance Signals

WordPress version tested4.7.32
Last updatedApr 24, 2017
PHP min version
Downloads2K

Community Trust

Rating0/100
Number of ratings0
Active installs10
Alternatives

OS HTML5 Shortcodes Alternatives

Shortcoder — Create Shortcodes for Anything

Shortcoder — Create Shortcodes for Anything

shortcoder

A
98

Create custom "Shortcodes" easily for HTML, JavaScript, CSS code snippets and use the shortcodes within posts, pages & widgets

100K 2 CVEs
Asset CleanUp: Page Speed Booster

Asset CleanUp: Page Speed Booster

wp-asset-clean-up

A
89

Make your website load FASTER by stopping specific styles (.CSS) & scripts (.JS) from loading. It works best with a page caching plugin / service.

100K 6 CVEs
Enable jQuery Migrate Helper

Enable jQuery Migrate Helper

enable-jquery-migrate-helper

B
71

Get information about calls to deprecated jQuery features in plugins or themes.

90K 1 unpatched
Async JavaScript

Async JavaScript

async-javascript

B
84

Async Javascript lets you add 'async' or 'defer' attribute to scripts to exclude to help increase the performance of your WordPres …

80K 2 CVEs
Speculative Loading

Speculative Loading

speculation-rules

A
100

Enables browsers to speculatively prerender or prefetch pages to achieve near-instant loads based on user interaction.

70K No CVEs
Developer Profile

OS HTML5 Shortcodes Developer Profile

Offshorent Solutions Pvt Ltd

7 plugins · 90 total installs

85
trust score
Avg Security Score
87/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect OS HTML5 Shortcodes

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/os-html5-shortcodes/css/admin/style-min.css

HTML / DOM Fingerprints

Shortcode Output
return apply_filters( 'the_content', $html5_content->post_content );
FAQ

Frequently Asked Questions about OS HTML5 Shortcodes