RSS Feed Widget Security & Risk Analysis

wordpress.org/plugins/rss-feed-widget

RSS Feed Widget with customizable slider. Feed title, description, image, censorship and a few other features which you can use.

2K active installs · v3.0.3 · PHP 7.0+ · WP 3.0+ · Updated Dec 19, 2025
Tags: chameleon, custom-feed, feed-widget, rss, social-feed

Security score: 95 (A · Safe)
CVEs total: 6
Unpatched: 0
Last CVE: Jan 7, 2026
Safety Verdict

Is RSS Feed Widget Safe to Use in 2026?

Generally Safe

Score 95/100

RSS Feed Widget has a strong security track record. Known vulnerabilities have been patched promptly.

6 known CVEs · Last CVE: Jan 7, 2026 · Updated 3mo ago
Risk Assessment

The "rss-feed-widget" plugin version 3.0.3 presents a mixed security posture. On the positive side, it demonstrates good practices by employing prepared statements for all SQL queries, a high percentage of properly escaped output, and a robust number of nonce and capability checks. The static analysis also indicates a contained attack surface with no identified unprotected entry points. However, the presence of four dangerous "unserialize" function calls is a significant concern, as improper handling of unserialized data can lead to various vulnerabilities, including remote code execution. While taint analysis did not reveal critical or high severity flows, the potential for issues with unserialized data remains.

The plugin's vulnerability history is also a point of concern, with a history of six known medium severity CVEs, primarily related to missing authorization and cross-site scripting. Although none are currently unpatched, the recurring nature of these vulnerability types suggests a potential for insecure handling of user-supplied data in certain contexts. The last recorded vulnerability date of January 7, 2026, is in the future, which may be an anomaly in the data, but it doesn't diminish the concern over the historical patterns.

In conclusion, while the plugin has strengths in its handling of SQL and output escaping, the reliance on "unserialize" and the past history of medium severity vulnerabilities warrant careful consideration. Users should ensure they are on the latest available version and remain vigilant for any future security advisories.

Key Concerns

  • Dangerous function: unserialize calls detected
  • Total known CVEs: 6 (all medium)
  • Common vulnerability types: Missing Authorization, XSS
Vulnerabilities (6)

RSS Feed Widget Security Vulnerabilities

CVEs by Year

  • 2020: 1 CVE
  • 2024: 4 CVEs
  • 2026: 1 CVE

Severity Breakdown

  • Medium: 6 (6 total CVEs)

CVE-2025-69349 · medium · 4.3 · Missing Authorization
RSS Feed Widget <= 3.0.2 - Missing Authorization
Jan 7, 2026 · Patched in 3.0.3 (8d)

CVE-2024-9835 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
RSS Feed Widget <= 3.0.0 - Reflected Cross-Site Scripting via $_SERVER['REQUEST_URI']
Oct 22, 2024 · Patched in 3.0.1 (52d)

CVE-2024-9836 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
RSS Feed Widget <= 2.9.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
Oct 22, 2024 · Patched in 3.0.0 (52d)

CVE-2024-10057 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
RSS Feed Widget <= 2.9.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via rfw-youtube-videos Shortcode
Oct 17, 2024 · Patched in 3.0.0 (1d)

CVE-2024-32690 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
RSS Feed Widget <= 2.9.7 - Authenticated (Admin+) Stored Cross-Site Scripting
Apr 19, 2024 · Patched in 2.9.8 (6d)

CVE-2020-24314 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
RSS Feed Widget <= 2.8.0 - Reflected Cross-Site Scripting
Aug 10, 2020 · Patched in 2.8.1 (1261d)
Code Analysis
Analyzed Mar 16, 2026

RSS Feed Widget Code Analysis

  • Dangerous Functions: 4
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 9 (201 escaped)
  • Nonce Checks: 8
  • Capability Checks: 2
  • File Operations: 1
  • External Requests: 4
  • Bundled Libraries: 0

Dangerous Functions Found

  • unserialize at inc\functions.php:165: $rss_links = (is_array(maybe_unserialize($instance['rss_url']))?unserialize($instance['rss_url']):$r
  • unserialize at inc\functions.php:238: $rss_links = (isset($instance['rss_url'])?(is_array(@unserialize($instance['rss_url']))?@unserialize
  • unserialize at inc\functions.php:238: $rss_links = (isset($instance['rss_url'])?(is_array(@unserialize($instance['rss_url']))?@unserialize
  • unserialize at inc\functions.php:1002: $rss_url = isset($instance['rss_url'])?(is_array(maybe_unserialize($instance['rss_url']))?unserializ

Output Escaping

96% escaped (210 total outputs)

Data Flows (1 unsanitized)

Data Flow Analysis

5 flows, 1 with unsanitized paths

  • rfw_styles_selection (inc\functions.php:1223)
Attack Surface

RSS Feed Widget Attack Surface

Entry Points: 4
Unprotected: 0

AJAX Handlers (3)

  • wp_ajax_rsfw_update_option (auth) at inc\functions.php:1564
  • wp_ajax_rfw_shortcode_form_save (auth) at inc\functions.php:1613
  • wp_ajax_rfw_delete_short_code (auth) at inc\functions.php:1614

Shortcodes (1)

  • [rfw-youtube-videos] at inc\functions.php:1435

WordPress Hooks (10)

  • action wp_feed_options at inc\functions.php:30
  • filter wp_feed_cache_transient_lifetime at inc\functions.php:543
  • action admin_init at inc\functions.php:1343
  • action wp_enqueue_scripts at index.php:143
  • action admin_enqueue_scripts at index.php:144
  • action widgets_init at index.php:145
  • action admin_menu at index.php:148
  • action admin_init at index.php:149
  • filter the_excerpt_rss at index.php:153
  • filter the_content_feed at index.php:154
Maintenance & Trust

RSS Feed Widget Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Dec 19, 2025
  • PHP min version: 7.0
  • Downloads: 240K

Community Trust

  • Rating: 78/100
  • Number of ratings: 26
  • Active installs: 2K
Developer Profile

RSS Feed Widget Developer Profile

Fahad Mahmood

40 plugins · 33K total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 237 days
Detection Fingerprints

How We Detect RSS Feed Widget

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/rss-feed-widget/css/style.css
  • /wp-content/plugins/rss-feed-widget/js/functions.js
  • /wp-content/plugins/rss-feed-widget/js/jquery.fitvids.js
  • /wp-content/plugins/rss-feed-widget/css/bootstrap.min.css
  • /wp-content/plugins/rss-feed-widget/js/jquery.form.min.js
  • /wp-content/plugins/rss-feed-widget/js/bootstrap.min.js
  • /wp-content/plugins/rss-feed-widget/css/admin-styles.css
  • /wp-content/plugins/rss-feed-widget/js/admin-scripts.js

Script Paths

  • /wp-content/plugins/rss-feed-widget/js/functions.js
  • /wp-content/plugins/rss-feed-widget/js/jquery.fitvids.js
  • /wp-content/plugins/rss-feed-widget/js/jquery.form.min.js
  • /wp-content/plugins/rss-feed-widget/js/bootstrap.min.js
  • /wp-content/plugins/rss-feed-widget/js/admin-scripts.js

Version Parameters

  • rss-feed-widget/style.css?ver=
  • rss-feed-widget/functions.js?ver=
  • rss-feed-widget/jquery.fitvids.js?ver=
  • rss-feed-widget/bootstrap.min.css?ver=
  • rss-feed-widget/jquery.form.min.js?ver=
  • rss-feed-widget/bootstrap.min.js?ver=
  • rss-feed-widget/admin-styles.css?ver=
  • rss-feed-widget/admin-scripts.js?ver=

HTML / DOM Fingerprints

  • CSS Classes: rfw-widget-title
  • Data Attributes: data-rfw-title
  • JS Globals: rfw, rfw_obj