Recently Security & Risk Analysis

wordpress.org/plugins/recently

A highly customizable, feature-packed Recent Posts widget!

300 active installs · v4.2.0 · PHP 7.2+ · WP 5.7+ · Updated Jun 2, 2025
Tags: posts, recent, recently, widget
Score: 99 · A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Jun 7, 2021
Safety Verdict

Is Recently Safe to Use in 2026?

Generally Safe

Score 99/100

Recently has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Jun 7, 2021 · Updated 10mo ago
Risk Assessment

The 'recently' plugin v4.2.0 presents a mixed security posture. On the positive side, the static analysis reveals a very small attack surface with only one AJAX handler, and importantly, no unprotected entry points. The taint analysis also shows no critical or high-severity flows with unsanitized paths, which is a strong indicator of secure input handling for common web vulnerabilities. However, the plugin's vulnerability history is a significant concern, with two known CVEs, including a high and a medium severity vulnerability. The common vulnerability types (XSS and unrestricted uploads) suggest a pattern of input validation and sanitization issues in past versions. While there are currently no unpatched CVEs, this history implies a recurring weakness that could resurface.

The code signals indicate areas for improvement. While a good portion of SQL queries use prepared statements (44%), the remaining 56% do not, posing a risk of SQL injection. Similarly, only 42% of outputs are properly escaped, leaving a significant portion vulnerable to Cross-Site Scripting (XSS). The presence of file operations (8) and external HTTP requests (1) also warrants careful review to ensure these are handled securely. The nonce checks and capability checks are present, which is good, but their distribution and effectiveness would require deeper code inspection.

Key Concerns

  • Known CVEs exist, including high and medium severity
  • Significant portion of SQL queries un-prepared
  • Low percentage of properly escaped output
  • Vulnerability history indicates recurring input issues
Vulnerabilities: 2

Recently Security Vulnerabilities

CVEs by Year

2021: 2 CVEs

Severity Breakdown

High: 1
Medium: 1

2 total CVEs

WF-198e8f56-5354-4e5d-af51-54e95d34e25c-recently · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Recently <= 3.0.4 - Authenticated (Admin+) Stored Cross-Site Scripting

Jun 7, 2021 Patched in 3.0.5 (960d)
CVE-2021-4382 · high · 8.8 · Unrestricted Upload of File with Dangerous Type

Recently <= 3.0.4 - Arbitrary File Upload to Remote Code Execution

Jun 7, 2021 Patched in 3.0.5 (960d)
Code Analysis
Analyzed Mar 16, 2026

Recently Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 5 · Prepared: 4
Unescaped Output: 131 · Escaped: 96
Nonce Checks: 4
Capability Checks: 7
File Operations: 8
External Requests: 1
Bundled Libraries: 0

SQL Query Safety

44% prepared · 9 total queries

Output Escaping

42% escaped · 227 total outputs
Data Flows: All sanitized

Data Flow Analysis

1 flow: <admin-page> (src\Admin\admin-page.php:0)
Attack Surface

Recently Attack Surface

Entry Points: 1
Unprotected: 0

AJAX Handlers 1

auth · wp_ajax_recently_clear_thumbnail · src\Admin\Admin.php:76
WordPress Hooks 29
action · init · src\Admin\Admin.php:64
action · wpmu_new_blog · src\Admin\Admin.php:66
action · admin_enqueue_scripts · src\Admin\Admin.php:68
action · admin_menu · src\Admin\Admin.php:70
action · admin_head · src\Admin\Admin.php:72
filter · plugin_action_links · src\Admin\Admin.php:74
action · updated_post_meta · src\Admin\Admin.php:78
action · deleted_post_meta · src\Admin\Admin.php:79
action · init · src\Block\Block.php:17
action · plugins_loaded · src\Bootstrap.php:19
filter · autoptimize_filter_js_exclude · src\Compatibility\Autoptimize\Autoptimize.php:25
filter · litespeed_optimize_js_excludes · src\Compatibility\LiteSpeedCache\LiteSpeedCache.php:25
filter · litespeed_optm_js_defer_exc · src\Compatibility\LiteSpeedCache\LiteSpeedCache.php:26
filter · litespeed_optm_js_delay_inc · src\Compatibility\LiteSpeedCache\LiteSpeedCache.php:27
action · init · src\Compatibility\Polylang\Polylang.php:41
filter · sgo_javascript_combine_exclude_ids · src\Compatibility\SiteGroundOptimizer\SiteGroundOptimizer.php:23
filter · w3tc_minify_js_script_tags · src\Compatibility\W3TotalCache\W3TotalCache.php:25
filter · rocket_exclude_js · src\Compatibility\WPRocket\WPRocket.php:25
filter · rocket_exclude_defer_js · src\Compatibility\WPRocket\WPRocket.php:26
filter · rocket_delay_js_exclusions · src\Compatibility\WPRocket\WPRocket.php:27
filter · rocket_cdn_reject_files · src\Compatibility\WPRocket\WPRocket.php:28
action · wp_enqueue_scripts · src\Front\Front.php:66
action · wp_head · src\Front\Front.php:67
action · wp_head · src\Front\Front.php:68
action · rest_api_init · src\REST\Controller.php:68
filter · recently_is_single · src\REST\WidgetEndpoint.php:196
action · after_setup_theme · src\Themer.php:49
action · widgets_init · src\Widget\Widget.php:99
filter · widget_types_to_hide_from_legacy_widget_block · src\Widget\Widget.php:101
Maintenance & Trust

Recently Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Jun 2, 2025
PHP min version: 7.2
Downloads: 12K

Community Trust

Rating: 100/100
Number of ratings: 9
Active installs: 300
Developer Profile

Recently Developer Profile

Hector Cabrera

2 plugins · 100K total installs

Trust score: 77
Avg Security Score: 97/100
Avg Patch Time: 635 days
Detection Fingerprints

How We Detect Recently

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/recently/assets/admin/css/admin.css
  • /wp-content/plugins/recently/assets/admin/js/admin.js
  • /wp-content/plugins/recently/assets/admin/js/widget-admin.js
Script Paths
  • /wp-content/plugins/recently/assets/admin/js/admin.js
  • /wp-content/plugins/recently/assets/admin/js/widget-admin.js
Version Parameters
  • recently-admin-styles?ver=
  • recently-admin-script?ver=
  • recently-admin-widget-script?ver=

HTML / DOM Fingerprints

JS Globals
recently_admin_params