QR Code Widget Security & Risk Analysis

wordpress.org/plugins/qr-code-widget

QR Code generator for your webpages with multiwidget, shortcode support.

40 active installs v2.0.1 PHP + WP 3.0+ Updated Apr 8, 2011
mobileqr-codeshotcodewidget
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Safety Verdict

Is QR Code Widget Safe to Use in 2026?

Generally Safe

Score 85/100

QR Code Widget has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 15yr ago
Risk Assessment

The qr-code-widget plugin v2.0.1 presents a mixed security posture. On the positive side, it boasts a very small attack surface with no detected AJAX handlers or REST API routes lacking permission callbacks, and all SQL queries utilize prepared statements. The absence of known CVEs and any recorded vulnerability history is a significant strength, suggesting a history of stable and likely secure code. However, significant concerns arise from the static analysis. The plugin exhibits a very low rate of proper output escaping (2%), leaving a substantial portion of its 57 output operations potentially vulnerable to cross-site scripting (XSS) attacks. Additionally, taint analysis revealed two flows with unsanitized paths, which, while not classified as critical or high severity in this report, warrant attention as they indicate potential avenues for input manipulation. The lack of nonce checks and capability checks, coupled with the presence of file operations without clear sanitization context from the provided data, also represent potential weaknesses.

Key Concerns

  • Low output escaping rate
  • Unsanitized paths in taint flows
  • Missing nonce checks
  • Missing capability checks
Vulnerabilities
None known

QR Code Widget Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

QR Code Widget Release Timeline

v3.0.beta2
v3.0.beta3
v3.0b1
v2.0.1Current
v1.1.1
v1.1.0
v1.0.6
v1.0.5
v1.0.4
v1.0.3
v1.0.2
v1.0.1
v1.0
Code Analysis
Analyzed Mar 16, 2026

QR Code Widget Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
56
1 escaped
Nonce Checks
0
Capability Checks
0
File Operations
9
External Requests
0
Bundled Libraries
1

Bundled Libraries

Select2

Output Escaping

2% escaped57 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

2 flows2 with unsanitized paths
widget (qr_code_suite.php:16)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

QR Code Widget Attack Surface

Entry Points1
Unprotected0

Shortcodes 1

[qr_code_display] qr-code-widget.php:16
WordPress Hooks 5
actionwidgets_initqr-code-widget.php:15
actioninitqr-code-widget.php:17
actioninitqr-code-widget.php:18
actionadmin_initqr-code-widget.php:24
actionadmin_menuqr-code-widget.php:25
Maintenance & Trust

QR Code Widget Maintenance & Trust

Maintenance Signals

WordPress version tested3.1.4
Last updatedApr 8, 2011
PHP min version
Downloads14K

Community Trust

Rating0/100
Number of ratings0
Active installs40
Developer Profile

QR Code Widget Developer Profile

kosh30

1 plugin · 40 total installs

84
trust score
Avg Security Score
85/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect QR Code Widget

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/qr-code-widget/colorpicker/css/colorpicker.css/wp-content/plugins/qr-code-widget/colorpicker/js/colorpicker.js
Script Paths
/wp-content/plugins/qr-code-widget/colorpicker/js/colorpicker.js
Version Parameters
qr-code-widget/style.css?ver=qr-code-widget/js/script.js?ver=

HTML / DOM Fingerprints

CSS Classes
qr_code_widget_preview
Data Attributes
data-qr-code-widget
JS Globals
qr_code_widget_params
Shortcode Output
[qr_code_display
FAQ

Frequently Asked Questions about QR Code Widget