
Query Wrangler Security & Risk Analysis
wordpress.org/plugins/query-wrangler
Query Wrangler provides an intuitive interface for creating complex WP queries as shortcodes and widgets. UI based on Drupal Views.
Is Query Wrangler Safe to Use in 2026?
Generally Safe
Score 99/100
Query Wrangler has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.
The plugin "query-wrangler" v1.5.57 exhibits a mixed security posture. While it demonstrates good practices in its use of prepared statements for SQL queries (97%) and has no currently unpatched known vulnerabilities, several areas raise significant concern. The presence of 3 unprotected AJAX handlers represents a substantial attack surface. Furthermore, the taint analysis reveals 6 high-severity flows with unsanitized paths, indicating a direct risk of input manipulation leading to security issues. The low percentage of properly escaped output (8%) is particularly worrying, suggesting a high likelihood of cross-site scripting vulnerabilities. The historical data shows past vulnerabilities related to CSRF and XSS, reinforcing the risks identified in the static analysis. The recent vulnerability in April 2025, even if patched, highlights a recurring pattern of exploitable input handling. Overall, the plugin is strong in its SQL handling, but its weaknesses in input sanitization and output escaping, combined with a concerning number of unprotected entry points, call for careful attention to mitigate potential risks.
Key Concerns
- Unprotected AJAX handlers
- High severity unsanitized taint flows
- Low percentage of properly escaped output
- Past vulnerabilities (CSRF, XSS)
Query Wrangler Security Vulnerabilities
CVEs by Year
Severity Breakdown
2 total CVEs
Query Wrangler <= 1.5.54 - Cross-Site Request Forgery
Query Wrangler <= 1.5.51 - Reflected Cross-Site Scripting via page parameter
Query Wrangler Release Timeline
Query Wrangler Code Analysis
SQL Query Safety
Output Escaping
Data Flow Analysis
Query Wrangler Attack Surface
AJAX Handlers 3
Shortcodes 2
WordPress Hooks 84
Maintenance & Trust
Query Wrangler Maintenance & Trust
Maintenance Signals
Community Trust
Query Wrangler Alternatives
ILC Folding
ilc-folding
Creates a folding menu for WordPress built-in Pages Widget.
Widgets for Google Reviews
wp-reviews-plugin-for-google
Embed Google reviews fast and easily into your WordPress site. Increase SEO, trust and sales using Google reviews.
Rich Showcase for Google Reviews
widget-google-reviews
Display up to 10 Google reviews in less than a minute. Continue collecting new reviews. No limits on connected places, widgets, shortcodes and blocks.
Display Posts – Easy lists, grids, navigation, and more
display-posts-shortcode
Add a listing of content on your website using a simple shortcode. Filter the results by category, author, and more.
Trustpilot Reviews
trustpilot-reviews
Generate reviews, add TrustBox for your Woocommerce site with Trustpilot reviews plugin
Query Wrangler Developer Profile
5 plugins · 11K total installs
How We Detect Query Wrangler
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
- /wp-content/plugins/query-wrangler/admin/css/qw-admin.css
- /wp-content/plugins/query-wrangler/admin/js/qw-admin-list.js
- /wp-content/plugins/query-wrangler/admin/js/qw-admin-edit.js
- /wp-content/plugins/query-wrangler/css/query-wrangler.css
- /wp-content/plugins/query-wrangler/js/query-wrangler.js
- /wp-content/plugins/query-wrangler/js/qw-frontend.js
- query-wrangler/admin/js/qw-admin-list.js
- query-wrangler/admin/js/qw-admin-edit.js
- query-wrangler/js/qw-frontend.js
- query-wrangler/admin/css/qw-admin.css?ver=
- query-wrangler/admin/js/qw-admin-list.js?ver=
- query-wrangler/admin/js/qw-admin-edit.js?ver=
- query-wrangler/css/query-wrangler.css?ver=
- query-wrangler/js/query-wrangler.js?ver=
- query-wrangler/js/qw-frontend.js?ver=
HTML / DOM Fingerprints
- qw-query-option-wrapper
- data-qw-query-id
- qw_admin_params[query-wrangler]