Does Scratch and Win have any unpatched vulnerabilities?

No. All known vulnerabilities in Scratch and Win have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Scratch and Win compatible with WordPress 6.8.5?

According to WordPress.org data, Scratch and Win 1.1.3 has been tested up to WordPress 6.8.5. Check the plugin's changelog for the latest compatibility information.

Is Scratch and Win compatible with PHP 8.0+?

Scratch and Win requires PHP 8.0 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Scratch and Win updated?

Scratch and Win was last updated on May 22, 2025. Frequent updates are generally a positive security signal.

What is Scratch and Win's security score?

Scratch and Win has a WP-Safety security score of 100/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Scratch and Win Security & Risk Analysis

wordpress.org/plugins/scratch-and-win

Inserts Scratch and Win cards in pages/articles for discount coupons, giveaways, gifts, etc. Games are configurable.

100 active installs v1.1.3 PHP 8.0+ WP 5.9+ Updated May 22, 2025

loyaltyscratchscratch-winscratch-and-winwin

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is Scratch and Win Safe to Use in 2026?

Generally Safe

Score 100/100

Scratch and Win has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 10mo ago

Risk Assessment

The "scratch-and-win" v1.1.3 plugin exhibits a generally strong security posture based on the provided static analysis. A notable strength is the absence of any identified vulnerabilities in its history and a low attack surface with no detected unprotected entry points. The code also demonstrates good practices with a high percentage of SQL queries using prepared statements and a reasonable level of output escaping. However, there are areas for improvement. The limited number of capability and nonce checks, combined with file operations and an external HTTP request, could present potential risks if not handled with extreme care, especially if future updates introduce new functionalities or unintended interactions. While no taint flows were identified, the absence of taint analysis itself is a concern, as it means potential data flow vulnerabilities might have been missed. Overall, the plugin appears to be built with security in mind, but the limited security checks and the lack of comprehensive taint analysis suggest that continued vigilance and rigorous testing are advisable.

Key Concerns

Low capability checks (1)
Low nonce checks (3)
Unescaped output (24%)
File operations (6)
External HTTP requests (1)
No Taint Analysis performed

Vulnerabilities

None known

Scratch and Win Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 16, 2026

Scratch and Win Code Analysis

Dangerous Functions

Raw SQL Queries

15 prepared

Unescaped Output

150 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

94% prepared16 total queries

Output Escaping

76% escaped198 total outputs

Attack Surface

Scratch and Win Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 26

actionwp_dashboard_setupsos\wp\dashboardwidget.php:20

actioncurrent_screensos\wp\data\form.php:46

actionthe_postsos\wp\data\form.php:48

actionplugins_loadedsos\wp\data\wpdatabase.php:84

actionsave_postsos\wp\metabox.php:67

actionadmin_noticessos\wp\metabox.php:76

actioninitsos\wp\plugin.php:336

actionplugins_loadedsos\wp\plugin.php:389

actionplugin_loadedsos\wp\plugin.php:397

actionplugins_loadedsos\wp\plugin.php:400

actionenqueue_block_editor_assetssos\wp\plugin.php:408

actionelementor/widgets/widgets_registeredsos\wp\plugin.php:487

filterquery_varssos\wp\plugin.php:533

actionrest_api_initsos\wp\plugin.php:546

actionadmin_initsos\wp\plugin.php:554

actionadd_meta_boxessos\wp\plugin.php:557

actionedit_form_after_titlesos\wp\plugin.php:563

filterplugin_row_metasos\wp\plugin.php:587

actionadmin_menusos\wp\plugin.php:600

actionadmin_menusos\wp\plugin.php:603

actionthe_postssos\wp\plugin.php:609

actionplugins_loadedsos\wp\plugin.php:615

actionwp_enqueue_scriptssos\wp\tasset.php:44

actionadmin_enqueue_scriptssos\wp\tasset.php:56

actionadmin_enqueue_scriptssos\wp\tasset.php:77

actionplugins_loadedsos\wp\ttranslation.php:69

Maintenance & Trust

Scratch and Win Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5

Last updatedMay 22, 2025

PHP min version8.0

Downloads5K

Community Trust

Rating90/100

Number of ratings4

Active installs100

Alternatives

Scratch and Win Alternatives

External Links – nofollow, noopener & new window

wp-external-links

Internal links & external links manager: open in new window or tab, control nofollow, ugc, sponsored & noopener. SEO friendly.

90K 3 CVEs

External Links in New Window / New Tab

open-external-links-in-a-new-window

Open external links in a new window or new tab. SEO optimized and XHTML Strict compliant.

30K 2 CVEs

Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers

rafflepress

The best WordPress giveaway plugin. Grow your email list, website traffic, and social media followers with viral contests, giveaways, and sweepstakes.

30K 11 CVEs

Modal Window – create popup modal window

modal-window

WordPress popup plugin for easily creating a popup and modal window with any kind of content and settings.

10K 7 CVEs

Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred

mycred

A WordPress gamification plugin is also a points management system. Award ranks, loyalty points and rewards or WooCommerce rewards to your users.

10K 1 unpatched

Developer Profile

Scratch and Win Developer Profile

sosidee

5 plugins · 6K total installs

trust score

Avg Security Score

94/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect Scratch and Win

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/scratch-and-win/admin/css/admin.css/wp-content/plugins/scratch-and-win/admin/js/admin.js/wp-content/plugins/scratch-and-win/frontend/css/scratch.css/wp-content/plugins/scratch-and-win/frontend/js/scratch.min.js

Script Paths

/wp-content/plugins/scratch-and-win/admin/js/admin.js/wp-content/plugins/scratch-and-win/frontend/js/scratch.min.js

Version Parameters

scratch-and-win/admin/css/admin.css?ver=scratch-and-win/admin/js/admin.js?ver=scratch-and-win/frontend/css/scratch.css?ver=scratch-and-win/frontend/js/scratch.min.js?ver=

HTML / DOM Fingerprints

CSS Classes

sos_saw_messagesos_saw_keysos_saw_containersos_saw_cardsos_saw_msg

HTML Comments

scratch-win: INVALID or MISSING QUERY STRING IN THE URL

Data Attributes

id="sos_saw_key_id="sos_saw_container_id="sos_saw_card_id="sos_saw_msg_

JS Globals

createScratchCard

Shortcode Output

[scratch-winsos_saw_key_sos_saw_container_sos_saw_card_

FAQ