Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers Security & Risk Analysis

wordpress.org/plugins/rafflepress

The best WordPress giveaway plugin. Grow your email list, website traffic, and social media followers with viral contests, giveaways, and sweepstakes.

30K active installs · v1.12.21 · PHP 5.3.3+ · WP 4.8+ · Updated Nov 18, 2025
Tags: competition, contests, giveaways, loyalty, sweepstakes
Score: 88
Grade: A · Safe
CVEs total: 11
Unpatched: 0
Last CVE: Nov 21, 2025
Safety Verdict

Is Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers Safe to Use in 2026?

Generally Safe

Score 88/100

Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers has a strong security track record. Known vulnerabilities have been patched promptly.

11 known CVEs · Last CVE: Nov 21, 2025 · Updated 4mo ago
Risk Assessment

The RafflePress plugin v1.12.21 exhibits a mixed security posture. On the positive side, it uses prepared statements for all SQL queries and implements a substantial number of nonce and capability checks. The main concern is the size of the attack surface: 55 of the 59 entry points lack authentication checks. This wide exposure significantly increases the plugin's susceptibility to unauthorized actions if vulnerabilities are present in these unprotected handlers.

The static analysis also reveals critical issues in the taint analysis: 7 high-severity flows involve unsanitized paths. If an attacker can manipulate these paths, the result could be a directly exploitable vulnerability such as arbitrary file read or write, or command injection. The output escaping gap (41% of outputs not properly escaped) is a further weakness, but it is overshadowed by the taint findings and the unprotected entry points.

The plugin's vulnerability history is concerning: 11 known CVEs, 3 of high and 8 of medium severity. Although no vulnerabilities are currently unpatched, the number and severity of past issues suggest a pattern of security oversights. The recurring vulnerability types (CSRF, Missing Authorization, and XSS) reinforce the view that input validation and access control have been weak points in previous development cycles. The last vulnerability being dated late 2025 is irrelevant for this analysis and likely a data anomaly. The combination of a large unprotected attack surface and a history of significant vulnerabilities points to a plugin that requires careful monitoring and prompt updates.

Key Concerns

  • Large attack surface with unprotected AJAX handlers
  • High severity unsanitized path taint flows
  • Significant number of past high severity CVEs
  • Significant number of past medium severity CVEs
  • Nearly half of outputs are not properly escaped
Vulnerabilities: 11

Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers Security Vulnerabilities

CVEs by Year

2023: 2 CVEs
2024: 5 CVEs
2025: 4 CVEs

Severity Breakdown

High: 3
Medium: 8

11 total CVEs

CVE-2025-66064 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
Giveaways and Contests by RafflePress <= 1.12.20 - Cross-Site Request Forgery
Nov 21, 2025 · Patched in 1.12.21 (5d)

CVE-2025-12484 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers <= 1.12.19 - Unauthenticated Stored Cross-Site Scripting
Nov 18, 2025 · Patched in 1.12.21 (1d)

CVE-2025-49997 · medium · 5.3 · Missing Authorization
Giveaways and Contests by RafflePress <= 1.12.18 - Missing Authorization
Jun 19, 2025 · Patched in 1.12.19 (223d)

CVE-2024-10107 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Giveaways and Contests by RafflePress <= 1.12.16 - Authenticated (Admin+) Stored Cross-Site Scripting
Mar 11, 2025 · Patched in 1.12.17 (36d)

CVE-2024-6887 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Giveaways and Contests by RafflePress <= 1.12.16 - Authenticated (Editor+) Stored Cross-Site Scripting
Aug 22, 2024 · Patched in 1.12.17 (36d)

CVE-2024-3963 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers <= 1.12.13 - Authenticated (Editor+) Stored Cross-Site Scripting
Jun 22, 2024 · Patched in 1.12.14 (49d)

CVE-2024-4745 · medium · 4.3 · Missing Authorization
Giveaways and Contests by RafflePress <= 1.12.4 - Missing Authorization
May 10, 2024 · Patched in 1.12.5 (6d)

CVE-2024-32827 · medium · 5.3 · Use of Less Trusted Source
Giveaways and Contests by RafflePress <= 1.12.7 - Unauthenticated IP Spoofing
Apr 22, 2024 · Patched in 1.12.11 (8d)

CVE-2024-1935 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Giveaways and Contests by RafflePress <= 1.12.5 - Unauthenticated Stored Cross-Site Scripting
Feb 29, 2024 · Patched in 1.12.7 (93d)

CVE-2023-5049 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Giveaways and Contests by RafflePress <= 1.12.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Oct 29, 2023 · Patched in 1.12.2 (86d)

CVE-2023-0176 · high · 7.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Giveaways and Contests by RafflePress <= 1.11.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Jan 12, 2023 · Patched in 1.11.3 (650d)
Code Analysis
Analyzed: Mar 16, 2026

Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (165 prepared)
Unescaped Output: 134 (192 escaped)
Nonce Checks: 41
Capability Checks: 27
File Operations: 4
External Requests: 6
Bundled Libraries: 0

SQL Query Safety

100% prepared (165 total queries)

Output Escaping

59% escaped (326 total outputs)

Data Flows: 7 unsanitized

Data Flow Analysis

25 flows, 7 with unsanitized paths
rafflepress_lite_contestants_datatable (app\contestant.php:6)
Diagram legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized
Attack Surface: 55 unprotected

Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers Attack Surface

Entry Points: 59
Unprotected: 55

AJAX Handlers (56)

auth · wp_ajax_rafflepress_upgrade_license · app\includes\upgrade.php:83
auth · wp_ajax_rafflepress_lite_notification_dismiss · app\notifications.php:72
auth · wp_ajax_rafflepress_review_dismiss · app\review.php:20
auth · wp_ajax_rafflepress_lite_create_giveaway · app\routes.php:329
auth · wp_ajax_rafflepress_lite_dismiss_settings_lite_cta · app\routes.php:418
auth · wp_ajax_rafflepress_lite_save_settings · app\routes.php:419
auth · wp_ajax_rafflepress_lite_save_api_key · app\routes.php:420
auth · wp_ajax_rafflepress_lite_save_template · app\routes.php:421
auth · wp_ajax_rafflepress_lite_save_giveaway · app\routes.php:422
auth · wp_ajax_rafflepress_lite_create_giveaway · app\routes.php:423
auth · wp_ajax_rafflepress_lite_save_slug · app\routes.php:424
auth · wp_ajax_rafflepress_lite_get_utc_offset · app\routes.php:425
auth · wp_ajax_rafflepress_lite_save_publish · app\routes.php:426
auth · wp_ajax_rafflepress_lite_giveaway_datatable · app\routes.php:427
auth · wp_ajax_rafflepress_lite_duplicate_giveaway · app\routes.php:428
auth · wp_ajax_rafflepress_lite_get_giveaway_list · app\routes.php:429
auth · wp_ajax_rafflepress_lite_archive_selected_giveaways · app\routes.php:430
auth · wp_ajax_rafflepress_lite_unarchive_selected_giveaways · app\routes.php:431
auth · wp_ajax_rafflepress_lite_delete_archived_giveaways · app\routes.php:432
auth · wp_ajax_rafflepress_lite_end_giveaway · app\routes.php:433
auth · wp_ajax_rafflepress_lite_start_giveaway · app\routes.php:434
auth · wp_ajax_rafflepress_lite_enable_disable_giveaway · app\routes.php:435
auth · wp_ajax_rafflepress_lite_get_automation_tool_list · app\routes.php:437
auth · wp_ajax_rafflepress_lite_entries_report_datatable · app\routes.php:439
auth · wp_ajax_rafflepress_lite_ps_results_datatable · app\routes.php:440
auth · wp_ajax_rafflepress_lite_entries_datatable · app\routes.php:441
auth · wp_ajax_rafflepress_lite_valid_selected_entries · app\routes.php:442
auth · wp_ajax_rafflepress_lite_invalid_selected_entries · app\routes.php:443
auth · wp_ajax_rafflepress_lite_delete_invalid_entries · app\routes.php:444
auth · wp_ajax_rafflepress_lite_pick_winners · app\routes.php:445
auth · wp_ajax_rafflepress_lite_contestants_resend_email · app\routes.php:448
auth · wp_ajax_rafflepress_lite_contestants_datatable · app\routes.php:449
auth · wp_ajax_rafflepress_lite_confirm_selected_contestants · app\routes.php:450
auth · wp_ajax_rafflepress_lite_unconfirm_selected_contestants · app\routes.php:451
auth · wp_ajax_rafflepress_lite_invalid_selected_contestants · app\routes.php:452
auth · wp_ajax_rafflepress_lite_delete_invalid_contestants · app\routes.php:453
auth · wp_ajax_rafflepress_lite_get_font · app\routes.php:455
auth · wp_ajax_rafflepress_lite_get_plugins_list · app\routes.php:456
auth · wp_ajax_rafflepress_lite_install_addon · app\routes.php:458
auth · wp_ajax_rafflepress_lite_activate_addon · app\routes.php:459
auth · wp_ajax_rafflepress_lite_deactivate_addon · app\routes.php:460
auth · wp_ajax_rafflepress_lite_install_automation · app\routes.php:462
auth · wp_ajax_rafflepress_lite_activate_automation · app\routes.php:463
auth · wp_ajax_rafflepress_lite_deactivate_automation · app\routes.php:464
auth · wp_ajax_rafflepress_lite_install_addon · app\routes.php:466
auth · wp_ajax_rafflepress_lite_deactivate_addon · app\routes.php:467
auth · wp_ajax_rafflepress_lite_activate_addon · app\routes.php:468
auth · wp_ajax_rafflepress_lite_plugin_nonce · app\routes.php:469
auth · wp_ajax_rafflepress_lite_action_token · app\routes.php:471
nopriv · wp_ajax_rafflepress_lite_action_token · app\routes.php:472
auth · wp_ajax_rafflepress_lite_giveaway_api · app\routes.php:474
nopriv · wp_ajax_rafflepress_lite_giveaway_api · app\routes.php:475
auth · wp_ajax_rafflepress_lite_giveaway_comment · app\routes.php:477
nopriv · wp_ajax_rafflepress_lite_giveaway_comment · app\routes.php:478
nopriv · wp_ajax_rafflepress_lite_run_one_click_upgrade · app\routes.php:480
auth · wp_ajax_rafflepress_lite_upgrade_license · app\routes.php:481

Shortcodes (3)

[rafflepress] app\rafflepress.php:843
[rafflepress_latest_giveaway] app\rafflepress.php:980
[rafflepress_gutenberg] app\rafflepress.php:997
WordPress Hooks (36)

action · admin_enqueue_scripts · app\bootstrap.php:99
filter · learn-press/admin-default-scripts · app\bootstrap.php:101
action · init · app\bootstrap.php:155
filter · script_loader_tag · app\bootstrap.php:173
action · init · app\bootstrap.php:193
action · admin_init · app\bootstrap.php:198
action · admin_enqueue_scripts · app\bootstrap.php:293
filter · admin_body_class · app\bootstrap.php:317
action · admin_footer_text · app\bootstrap.php:330
filter · plugin_action_links · app\bootstrap.php:346
action · media_buttons · app\classic-editor.php:4
action · admin_footer · app\classic-editor.php:30
action · rafflepress_lite_fetch_help_docs · app\functions-inline-help.php:16
action · admin_print_scripts · app\functions-utils.php:704
action · init · app\functions-utils.php:981
action · init · app\gblock.php:3
action · enqueue_block_editor_assets · app\gblock.php:4
action · admin_init · app\license.php:7
action · plugins_loaded · app\load_controller.php:12
action · rafflepress_notifications_remote · app\notifications.php:413
filter · upload_dir · app\rafflepress.php:740
filter · smush_skip_iframe_from_lazy_load · app\rafflepress.php:829
action · admin_notices · app\review.php:19
action · init · app\routes.php:15
filter · query_vars · app\routes.php:43
action · template_redirect · app\routes.php:51
action · admin_menu · app\routes.php:84
action · admin_footer · app\routes.php:169
action · admin_head · app\routes.php:195
action · admin_footer · app\routes.php:203
action · admin_post_rafflepress_create_giveaway · app\routes.php:328
action · admin_init · app\routes.php:334
action · admin_init · app\routes.php:352
action · template_redirect · app\standalone.php:45
action · rafflepress_giveaway_webhooks · app\webhook-functions.php:2
action · plugins_loaded · rafflepress.php:45

Scheduled Events (3)

rafflepress_notifications_remote
rafflepress_lite_fetch_help_docs
rafflepress_lite_fetch_help_docs
Maintenance & Trust

Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Nov 18, 2025
PHP min version: 5.3.3
Downloads: 581K

Community Trust

Rating: 78/100
Number of ratings: 42
Active installs: 30K
Developer Profile

Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers Developer Profile

Syed Balkhi

94 plugins · 23.5M total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 795 days
Detection Fingerprints

How We Detect Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/rafflepress/public/css/admin-style.min.css
/wp-content/plugins/rafflepress/public/fontawesome/css/all.min.css
/wp-content/plugins/rafflepress/public/js/iframeResizer.min.js
/wp-content/plugins/rafflepress/public/lite/vue-backend/css/chunk-vendors.css
/wp-content/plugins/rafflepress/public/lite/vue-backend/css/admin.css
/wp-content/plugins/rafflepress/public/lite/vue-backend/js/index.js
/wp-content/plugins/rafflepress/public/lite/vue-backend/js/chunk-vendors.js
/wp-content/plugins/rafflepress/public/lite/vue-backend/js/admin.js

Script Paths
/wp-content/plugins/rafflepress/public/js/iframeResizer.min.js
/wp-content/plugins/rafflepress/public/lite/vue-backend/js/index.js
/wp-content/plugins/rafflepress/public/lite/vue-backend/js/chunk-vendors.js
/wp-content/plugins/rafflepress/public/lite/vue-backend/js/admin.js
/wp-content/plugins/rafflepress/public/js/iframeResizer.contentWindow.min.js

Version Parameters
rafflepress/public/css/admin-style.min.css?ver=
rafflepress/public/fontawesome/css/all.min.css?ver=
rafflepress/public/js/iframeResizer.min.js?ver=
rafflepress/public/lite/vue-backend/css/chunk-vendors.css?ver=
rafflepress/public/lite/vue-backend/css/admin.css?ver=
rafflepress/public/lite/vue-backend/js/index.js?ver=
rafflepress/public/lite/vue-backend/js/chunk-vendors.js?ver=
rafflepress/public/lite/vue-backend/js/admin.js?ver=
rafflepress/public/js/iframeResizer.contentWindow.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
rafflepress-icon
rafflepress-modal-content
rafflepress-giveaway-form
rafflepress-submit-button

HTML Comments
<!-- RafflePress -->
<!-- RafflePress Giveaway Start -->
<!-- RafflePress Giveaway End -->

Data Attributes
data-rafflepress-id
data-rafflepress-url

JS Globals
RafflePress
rafflepress_vars

REST Endpoints
/wp-json/rafflepress/v1/giveaway

Shortcode Output
[rafflepress id="
[rafflepress_winners id="
FAQ

Frequently Asked Questions about Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers