Popularity Posts Widget Security & Risk Analysis

wordpress.org/plugins/popularity-posts-widget

With the help of this plugin you can display the most popular posts on your blog.

300 active installs · v1.13 · PHP + WP 3.2+ · Updated Mar 24, 2013
Tags: blog, post, posts, widget, widgets
Score: 85
Grade: A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Popularity Posts Widget Safe to Use in 2026?

Generally Safe

Score 85/100

Popularity Posts Widget has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 13yr ago
Risk Assessment

The "popularity-posts-widget" v1.13 plugin exhibits a mixed security posture. On the positive side, there are no known vulnerabilities (CVEs) in its history, and the static analysis reveals a limited attack surface with no unprotected entry points. The absence of external HTTP requests is also good practice. However, significant concerns arise from the code signals. The presence of four instances of `create_function` is a major red flag: it is a deprecated and inherently insecure PHP function (it evaluates a string as code) that can lead to serious vulnerabilities if not handled with extreme care. Furthermore, the plugin demonstrates poor practices regarding SQL query preparedness, with only 15% of queries using prepared statements, increasing the risk of SQL injection. Output escaping is also alarmingly low at 7%, suggesting a high likelihood of cross-site scripting (XSS) vulnerabilities. The taint analysis indicating unsanitized paths, although not reaching critical or high severity in this analysis, directly correlates with the poor output escaping and raw SQL queries, highlighting potential injection vectors.

Key Concerns

  • Dangerous functions (create_function)
  • Low percentage of prepared SQL statements
  • Very low percentage of properly escaped output
  • Unsanitized paths in taint analysis
  • No nonce checks
  • No capability checks

Vulnerabilities
None known

Popularity Posts Widget Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Popularity Posts Widget Code Analysis

Dangerous Functions: 4
Raw SQL Queries: 22 · Prepared: 4
Unescaped Output: 65 · Escaped: 5
Nonce Checks: 0
Capability Checks: 0
File Operations: 3
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

  • create_function | kama_thumbnail.php:247 | add_action('admin_notices', create_function('','echo "<div id=\"message\" class=\"updated\"><p>Кэш <
  • create_function | kama_thumbnail.php:255 | add_action('admin_notices', create_function('','echo "<div id=\"message\" class=\"updated\"><p>Все п
  • create_function | kama_thumbnail.php:257 | add_action('admin_notices', create_function('','echo "<div id=\"message\" class=\"updated\"><p>Не уд
  • create_function | popularity-posts-widget.php:33 | add_action('widgets_init', create_function('',

SQL Query Safety

15% prepared (26 total queries)

Output Escaping

7% escaped (70 total outputs)
Data Flows
2 unsanitized

Data Flow Analysis

2 flows, 2 with unsanitized paths
  • clear (kama_thumbnail.php:218)
Legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized
Attack Surface

Popularity Posts Widget Attack Surface

Entry Points: 2
Unprotected: 0

Shortcodes: 2

  • [ppw] class_popularity-posts-widget.php:9
  • [PPW] class_popularity-posts-widget.php:10

WordPress Hooks: 12

  • action admin_notices (kama_thumbnail.php:247)
  • action admin_notices (kama_thumbnail.php:255)
  • action admin_notices (kama_thumbnail.php:257)
  • filter the_content (kama_thumbnail.php:333)
  • filter the_content_rss (kama_thumbnail.php:334)
  • filter the_excerpt (kama_thumbnail.php:335)
  • filter the_excerpt_rss (kama_thumbnail.php:336)
  • filter save_post (kama_thumbnail.php:341)
  • action wp_head (popularity-posts-widget.php:31)
  • action widgets_init (popularity-posts-widget.php:33)
  • action init (popularity-posts-widget.php:36)
  • action ppw_cache_event (popularity-posts-widget.php:40)

Scheduled Events: 1

  • ppw_cache_event

Maintenance & Trust

Popularity Posts Widget Maintenance & Trust

Maintenance Signals

WordPress version tested: 3.5.2
Last updated: Mar 24, 2013
PHP min version: (not listed)
Downloads: 43K

Community Trust

Rating: 86/100
Number of ratings: 7
Active installs: 300

Developer Profile

Popularity Posts Widget Developer Profile

ILLID

4 plugins · 81K total installs

Trust score: 73
Avg Security Score: 92/100
Avg Patch Time: 367 days
Detection Fingerprints

How We Detect Popularity Posts Widget

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/popularity-posts-widget/ppw.css
  • /wp-content/plugins/popularity-posts-widget/kama_thumbnail.php
  • /wp-content/plugins/popularity-posts-widget/style/style-one.php

HTML / DOM Fingerprints

CSS Classes
ppw-post-title, ppw-views, ppw-comments, ppw-date, wpp-thumbnail, popularitypostswidget
HTML Comments
  • Copyright 2013
  • This program is free software; you can redistribute it and/or modify
  • it under the terms of the GNU General Public License as published by
  • the Free Software Foundation; either version 2 of the License, or
  • (+8 more)
Data Attributes
rel="nofollow"
Shortcode Output
[ppw, [PPW
FAQ

Frequently Asked Questions about Popularity Posts Widget