Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more Security & Risk Analysis

wordpress.org/plugins/scratch-win-giveaways-for-website-facebook

Display a Scratch Card on your website to offer visitors a chance to win prizes. A fun incentive to boost conversions!

200 active installs · v3.0.0 · PHP + WP 3.0.1+ · Updated Feb 2, 2026
Tags: black-friday, contest, games, giveaway, promotion
Score: 98 (A · Safe)
CVEs total: 3
Unpatched: 0
Last CVE: Feb 17, 2025
Safety Verdict

Is Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more Safe to Use in 2026?

Generally Safe

Score 98/100

Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEs · Last CVE: Feb 17, 2025 · Updated 2mo ago
Risk Assessment

This plugin exhibits a mixed security posture. It demonstrates strong practices in SQL query handling and output escaping, but its attack surface and lack of authorization checks are significant weaknesses. Static analysis reveals a substantial number of unprotected AJAX handlers and REST API routes, a broad avenue for potential exploitation. Taint analysis further highlights a high-severity flow with unsanitized paths, indicating a direct risk of vulnerabilities such as cross-site scripting or directory traversal if that flow is reachable by an attacker. The plugin's history of known CVEs, particularly those involving missing authorization, CSRF, and XSS, correlates strongly with the current findings, suggesting recurring weaknesses that have not been fully addressed.

Despite the strengths in secure coding for SQL and output, the sheer number of unprotected entry points and the identified taint flow are major concerns. The historical pattern of medium-severity vulnerabilities (Missing Authorization, CSRF, and XSS), even though all three are now patched, points to an ongoing struggle with validating user input and controlling access. This plugin should be treated with caution, and immediate attention should be paid to implementing proper authorization checks and sanitizing all user-supplied data, especially within the identified unprotected AJAX and REST API endpoints.

Key Concerns

  • Unprotected AJAX handlers
  • REST API routes without permission callbacks
  • High severity taint flow with unsanitized paths
  • Missing nonce checks on AJAX
  • Vulnerability history (3 medium CVEs)
  • Vulnerability history pattern (Missing Auth, CSRF, XSS)
Vulnerabilities: 3

Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more Security Vulnerabilities

CVEs by Year

2024: 1 CVE
2025: 2 CVEs
All 3 patched, none unpatched.

Severity Breakdown

Medium: 3 (3 total CVEs)

CVE-2024-13316 · medium · 5.3 · Missing Authorization
Scratch & Win – Giveaways and Contests <= 2.8.0 - Missing Authorization to Unauthenticated Coupon Creation
Feb 17, 2025 · Patched in 2.9.0 (1d)

CVE-2024-12545 · medium · 5.4 · Cross-Site Request Forgery (CSRF)
Scratch & Win – Giveaways and Contests <= 2.7.1 - Cross-Site Request Forgery via reset_installation Function
Jan 3, 2025 · Patched in 2.8.0 (1d)

CVE-2024-11898 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Scratch & Win – Giveaways and Contests <= 2.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
Dec 2, 2024 · Patched in 2.7.0 (1d)
Code Analysis (analyzed Mar 16, 2026)

Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (2 prepared)
Unescaped Output: 2 (89 escaped)
Nonce Checks: 1
Capability Checks: 5
File Operations: 0
External Requests: 7
Bundled Libraries: 0

SQL Query Safety

100% prepared (2 total queries)

Output Escaping

98% escaped (91 total outputs)
Data Flows: 2 unsanitized

Data Flow Analysis

4 flows, 2 with unsanitized paths
Entry point: <swin-api> (includes\swin-api.php:0)
Attack Surface: 12 unprotected

Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more Attack Surface

Entry Points: 17
Unprotected: 12

AJAX Handlers (4)

auth | wp_ajax_apmswncreate_account | socialscratchwin.php:118
auth | wp_ajax_apmswncheck_settings | socialscratchwin.php:119
auth | wp_ajax_apmswncheck_login | socialscratchwin.php:120
auth | wp_ajax_apmswncheck_autologin | socialscratchwin.php:121

REST API Routes (11)

GET | /wp-json/swinwoo/v1/getPage | includes\swin-api.php:10
GET | /wp-json/swinwoo/v1/addPage | includes\swin-api.php:18
GET | /wp-json/swinwoo/v1/editPage | includes\swin-api.php:26
GET | /wp-json/swinwoo/v1/deletePage | includes\swin-api.php:34
POST | /wp-json/swinwoo/v1/getversion | includes\swin-api.php:43
GET | /wp-json/swinwoo/v1/resetInstallation | includes\swin-api.php:49
GET | /wp-json/swinwoo/v1/createCouponSWIN | includes\swin-api.php:57
GET | /wp-json/swinwoo/v1/verifyCouponCode | includes\swin-api.php:65
GET | /wp-json/swinwoo/v1/deleteCouponCode | includes\swin-api.php:74
POST | /wp-json/swinwoo/v1/createcustomer | includes\swin-api.php:83
POST | /wp-json/swinwoo/v1/verifyUser | includes\swin-api.php:89

Shortcodes (2)

[social-appsmavscratchwin-show] | socialscratchwin.php:814
[swin-campaign] | socialscratchwin.php:815

WordPress Hooks (8)

action | admin_init | socialscratchwin.php:55
action | admin_menu | socialscratchwin.php:56
action | wp_footer | socialscratchwin.php:57
action | admin_enqueue_scripts | socialscratchwin.php:58
action | rest_api_init | socialscratchwin.php:60
action | save_post | socialscratchwin.php:63
action | delete_post | socialscratchwin.php:64
action | upgrader_process_complete | socialscratchwin.php:66
Maintenance & Trust

Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 2, 2026
PHP min version:
Downloads: 33K

Community Trust

Rating: 94/100
Number of ratings: 30
Active installs: 200
Developer Profile

Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more Developer Profile

Apps Mav

4 plugins · 1K total installs

Trust score: 100
Avg Security Score: 100/100
Avg Patch Time: 3 days
Detection Fingerprints

How We Detect Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/scratch-win-giveaways-for-website-facebook/assets/css/appsmav-scratchwin.css
/wp-content/plugins/scratch-win-giveaways-for-website-facebook/assets/js/appsmav-scratchwin-admin.js
/wp-content/plugins/scratch-win-giveaways-for-website-facebook/assets/js/appsmav-scratchwin-public.js
Script Paths
//cdn.appsmav.com/win/assets/js/swin-widget-sdk.js
https://appsmav.com/script.js
Version Parameters
scratch-win-giveaways-for-website-facebook/assets/css/appsmav-scratchwin.css?ver=
scratch-win-giveaways-for-website-facebook/assets/js/appsmav-scratchwin-admin.js?ver=
scratch-win-giveaways-for-website-facebook/assets/js/appsmav-scratchwin-public.js?ver=

HTML / DOM Fingerprints

CSS Classes
swin-widget
Data Attributes
data-appsmav-scratchwin-id
JS Globals
AMSWINConfig
appsmav_scratchwin_admin_ajax_object
REST Endpoints
/wp-json/appsmav_scratchwin/v1/save_settings
/wp-json/appsmav_scratchwin/v1/register_account
/wp-json/appsmav_scratchwin/v1/check_login
/wp-json/appsmav_scratchwin/v1/check_autologin
/wp-json/appsmav_scratchwin/v1/check_settings
Shortcode Output
<a class="swin-widget" href="
FAQ

Frequently Asked Questions about Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more