PHP Code Widget Security & Risk Analysis

wordpress.org/plugins/php-code-widget

Like the Text widget, but also allows working PHP code to be inserted.

90K active installs v2.4 PHP + WP 2.8+ Updated Mar 30, 2022
execphpphpwidget
85
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is PHP Code Widget Safe to Use in 2026?

Generally Safe

Score 85/100

PHP Code Widget has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 4yr ago

Risk Assessment

The "php-code-widget" plugin v2.4 exhibits a generally strong security posture based on the provided static analysis. The absence of AJAX handlers, REST API routes, shortcodes, and cron events significantly limits its attack surface. Furthermore, the analysis indicates a clean code base with no dangerous functions, no direct external HTTP requests, and the proper use of prepared statements for SQL queries. The presence of a capability check is also a positive sign. However, a significant concern arises from the output escaping, where only 14% of outputs are properly escaped. This could leave the plugin vulnerable to Cross-Site Scripting (XSS) attacks if user-supplied data is not sufficiently sanitized before being displayed.

Key Concerns

  • Low output escaping percentage

Vulnerabilities
None known

PHP Code Widget Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

PHP Code Widget Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 12 (2 escaped)
Nonce Checks: 0
Capability Checks: 1
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

14% escaped · 14 total outputs

Attack Surface

PHP Code Widget Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 1
action · widgets_init · execphp.php:62

Maintenance & Trust

PHP Code Widget Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.9.13
Last updated: Mar 30, 2022
PHP min version
Downloads: 994K

Community Trust

Rating: 94/100
Number of ratings: 61
Active installs: 90K

Developer Profile

PHP Code Widget Developer Profile

Samuel Wood (Otto)

9 plugins · 167K total installs

Trust score: 70
Avg Security Score: 87/100
Avg Patch Time: 3759 days
Detection Fingerprints

How We Detect PHP Code Widget

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

HTML / DOM Fingerprints

CSS Classes: execphpwidget