OTW TinyMCE Widget Security & Risk Analysis

wordpress.org/plugins/otw-tinymce-widget

A TinyMCE Widget. Use the TinyMCE editor in a widget so you can insert it in any sidebar you like.

90 active installs · v1.7 · PHP + WP 3.6+ · Updated May 6, 2022
Tags: tinymce, tinymce-editor, tinymce-in-sidebar, tinymce-widget, widgets
Score: 85
Grade: A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is OTW TinyMCE Widget Safe to Use in 2026?

Generally Safe

Score 85/100

OTW TinyMCE Widget has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 3 years ago
Risk Assessment

The otw-tinymce-widget plugin version 1.7 exhibits a significant security risk due to its unprotected AJAX handlers. All six identified AJAX entry points lack any form of authentication or capability checks. This creates a wide attack surface where any authenticated user could potentially trigger these handlers, leading to unintended actions or information disclosure. The presence of the `unserialize` function is another concern, as it can be exploited for object injection if user-supplied data is passed to it without proper sanitization. While the plugin demonstrates good practices in using prepared statements for SQL queries and has no recorded historical vulnerabilities, the lack of basic security checks on its primary interaction points is a critical weakness. The limited scope of the taint analysis and the absence of nonce checks further exacerbate these concerns. Overall, the plugin's security posture is weak due to the high number of unprotected entry points and the risky use of `unserialize`.

Key Concerns

  • Unprotected AJAX handlers (6)
  • Dangerous function: unserialize
  • Missing nonce checks
  • Missing capability checks
  • Output escaping only 51% proper
Vulnerabilities
None known

OTW TinyMCE Widget Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

OTW TinyMCE Widget Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 21 (22 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 3
External Requests: 0
Bundled Libraries: 2

Dangerous Functions Found

unserialize · `$value = unserialize( urldecode( $value ) );` · include\otw_components\otw_functions\otw_functions.php:600

Bundled Libraries

Select2, TinyMCE

Output Escaping

51% escaped (43 total outputs)
Attack Surface
6 unprotected

OTW TinyMCE Widget Attack Surface

Entry Points: 6
Unprotected: 6

AJAX Handlers 6

  • auth · wp_ajax_otw_shortcode_editor_dialog · include\otw_components\otw_shortcode\otw_shortcode.class.php:166
  • auth · wp_ajax_otw_shortcode_get_code · include\otw_components\otw_shortcode\otw_shortcode.class.php:167
  • auth · wp_ajax_otw_shortcode_live_preview · include\otw_components\otw_shortcode\otw_shortcode.class.php:168
  • auth · wp_ajax_otw_shortcode_live_reload · include\otw_components\otw_shortcode\otw_shortcode.class.php:169
  • auth · wp_ajax_otw_shortcode_preview_shortcodes · include\otw_components\otw_shortcode\otw_shortcode.class.php:170
  • auth · wp_ajax_otw_shortcode_preview_front_shortcodes · include\otw_components\otw_shortcode\otw_shortcode.class.php:171
WordPress Hooks 13

  • action · wp_enqueue_scripts · include\otw_components\otw_functions\otw_component.class.php:90
  • action · admin_enqueue_scripts · include\otw_components\otw_functions\otw_component.class.php:94
  • action · admin_footer · include\otw_components\otw_shortcode\otw_shortcode.class.php:164
  • filter · mce_external_plugins · include\otw_components\otw_shortcode\otw_shortcode.class.php:175
  • filter · mce_buttons · include\otw_components\otw_shortcode\otw_shortcode.class.php:176
  • action · wp_footer · include\otw_components\otw_shortcode\otw_shortcode.class.php:185
  • action · admin_footer · include\otw_components\otw_shortcode\shortcodes\otw_shortcode_html_editor.class.php:13
  • action · wp_footer · include\otw_components\otw_shortcode\shortcodes\otw_shortcode_html_editor.class.php:15
  • action · admin_menu · include\otw_mcsw_functions.php:41
  • action · admin_print_styles · include\otw_mcsw_functions.php:43
  • action · admin_enqueue_scripts · include\otw_mcsw_functions.php:45
  • action · init · otw_content_manager.php:65
  • action · widgets_init · otw_content_manager.php:66
Maintenance & Trust

OTW TinyMCE Widget Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.9.13
Last updated: May 6, 2022
PHP min version
Downloads: 7K

Community Trust

Rating: 60/100
Number of ratings: 2
Active installs: 90
Developer Profile

OTW TinyMCE Widget Developer Profile

OTWthemes

12 plugins · 6K total installs

Trust score: 70
Avg Security Score: 66/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect OTW TinyMCE Widget

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/otw-tinymce-widget/include/otw_components/otw_form/css/colorpicker.css
  • /wp-content/plugins/otw-tinymce-widget/include/otw_components/otw_form/css/datetimepicker.css
  • /wp-content/plugins/otw-tinymce-widget/include/otw_components/otw_form/css/otw_form_admin.css
  • /wp-content/plugins/otw-tinymce-widget/include/otw_components/otw_form/css/select2.min.css
  • /wp-content/plugins/otw-tinymce-widget/include/otw_components/otw_form/js/colorpicker.js
  • /wp-content/plugins/otw-tinymce-widget/include/otw_components/otw_form/js/datetimepicker.js
  • /wp-content/plugins/otw-tinymce-widget/include/otw_components/otw_form/js/otw_form_admin.js
  • /wp-content/plugins/otw-tinymce-widget/include/otw_components/otw_form/js/select2.full.min.js
Script Paths
  • /wp-content/plugins/otw-tinymce-widget/include/otw_components/otw_form/js/colorpicker.js
  • /wp-content/plugins/otw-tinymce-widget/include/otw_components/otw_form/js/select2.full.min.js
  • /wp-content/plugins/otw-tinymce-widget/include/otw_components/otw_form/js/datetimepicker.js
  • /wp-content/plugins/otw-tinymce-widget/include/otw_components/otw_form/js/otw_form_admin.js
Version Parameters
  • /wp-content/plugins/otw-tinymce-widget/include/otw_components/otw_form/js/colorpicker.js?ver=
  • /wp-content/plugins/otw-tinymce-widget/include/otw_components/otw_form/js/select2.full.min.js?ver=
  • /wp-content/plugins/otw-tinymce-widget/include/otw_components/otw_form/js/datetimepicker.js?ver=
  • /wp-content/plugins/otw-tinymce-widget/include/otw_components/otw_form/js/otw_form_admin.js?ver=
  • /wp-content/plugins/otw-tinymce-widget/include/otw_components/otw_form/css/colorpicker.css?ver=
  • /wp-content/plugins/otw-tinymce-widget/include/otw_components/otw_form/css/select2.min.css?ver=
  • /wp-content/plugins/otw-tinymce-widget/include/otw_components/otw_form/css/datetimepicker.css?ver=
  • /wp-content/plugins/otw-tinymce-widget/include/otw_components/otw_form/css/otw_form_admin.css?ver=

HTML / DOM Fingerprints

CSS Classes
otw-form-control, otw-dynamic-select-wrapper, otw-form-hint, otw-clear
Data Attributes
data-value
JS Globals
OTW_Form
FAQ

Frequently Asked Questions about OTW TinyMCE Widget