Plugin Cards Security & Risk Analysis

wordpress.org/plugins/plugin-cards

Display plugin cards that match the style introduced in WordPress 4.0. Uses the wordpress.org API and supports custom queries.

10 active installs v1.2.2 PHP + WP 4.0+ Updated Dec 7, 2015
cardcardsreposearch
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Safety Verdict

Is Plugin Cards Safe to Use in 2026?

Generally Safe

Score 85/100

Plugin Cards has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 10yr ago
Risk Assessment

The plugin "plugin-cards" v1.2.2 exhibits a generally strong security posture based on the provided static analysis. The absence of dangerous functions, raw SQL queries, file operations, and external HTTP requests is commendable. Furthermore, the high percentage of properly escaped output indicates good practices for preventing cross-site scripting vulnerabilities. The vulnerability history being clear of any known CVEs also suggests a well-maintained and potentially secure codebase.

However, the analysis does highlight a few areas for improvement and potential concern. The most significant observation is the complete absence of nonce checks and capability checks across all entry points, including the single shortcode. While the static analysis reported zero unprotected entry points, the lack of these fundamental security mechanisms on any user-facing feature presents a risk. If the shortcode performs any action that modifies data or has side effects, it could be vulnerable to cross-site request forgery (CSRF) attacks, especially if user interaction is involved. The lack of taint analysis results also makes it impossible to definitively rule out more complex, context-dependent vulnerabilities.

In conclusion, "plugin-cards" v1.2.2 is built on a solid foundation with good output sanitization and the avoidance of common risky coding patterns. Its vulnerability history is also a positive indicator. The primary weakness lies in the fundamental security checks missing for its shortcode functionality. Addressing the lack of nonce and capability checks would significantly enhance its overall security and mitigate potential CSRF risks.

Key Concerns

  • Missing nonce checks on shortcode
  • Missing capability checks on shortcode
  • No taint analysis performed
Vulnerabilities
None known

Plugin Cards Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Plugin Cards Release Timeline

v1.2.2Current
v1.2.1
v1.2.0
v1.1.0
v1.0.0
Code Analysis
Analyzed Mar 16, 2026

Plugin Cards Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
5
38 escaped
Nonce Checks
0
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

88% escaped43 total outputs
Attack Surface

Plugin Cards Attack Surface

Entry Points1
Unprotected0

Shortcodes 1

[plugin_cards] plugin-cards.php:64
WordPress Hooks 2
actioninitplugin-cards.php:41
actionwp_enqueue_scriptsplugin-cards.php:50
Maintenance & Trust

Plugin Cards Maintenance & Trust

Maintenance Signals

WordPress version tested4.4.34
Last updatedDec 7, 2015
PHP min version
Downloads3K

Community Trust

Rating90/100
Number of ratings8
Active installs10
Developer Profile

Plugin Cards Developer Profile

Braad

6 plugins · 2K total installs

84
trust score
Avg Security Score
85/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Plugin Cards

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/plugin-cards/css/plugin-cards.css/wp-content/plugins/plugin-cards/js/plugin-cards.js
Script Paths
/wp-content/plugins/plugin-cards/js/plugin-cards.js
Version Parameters
plugin-cards/css/plugin-cards.css?ver=plugin-cards/js/plugin-cards.js?ver=

HTML / DOM Fingerprints

CSS Classes
plugin-cardsmultiple-pluginssingle-pluginplugin-card
Data Attributes
data-slugdata-plugin-card-wrapper
Shortcode Output
<div class="plugin-card plugin-card-
FAQ

Frequently Asked Questions about Plugin Cards