Scripts n Styles Security & Risk Analysis

wordpress.org/plugins/scripts-n-styles

This plugin allows Admin users to individually add HTML, custom CSS, Classes and JavaScript directly to Posts, Pages or any other custom post types.

30K active installs · v3.5.8 · PHP 7.4+ · WP 5.0+ · Updated Jun 6, 2023
Tags: admin, code, css, custom, javascript
Score: 85 (A · Safe)
CVEs total: 1
Unpatched: 0
Last CVE: May 18, 2023
Safety Verdict

Is Scripts n Styles Safe to Use in 2026?

Generally Safe

Score 85/100

Scripts n Styles has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: May 18, 2023 · Updated 2yr ago
Risk Assessment

The 'scripts-n-styles' plugin v3.5.8 exhibits a mixed security posture. On the positive side, it demonstrates good practices with 100% of SQL queries using prepared statements and a significant number of nonce and capability checks. There are no critical or high-severity vulnerabilities identified in past CVEs, and no critical or high-severity taint flows were found in the static analysis. The absence of external HTTP requests and dangerous functions further bolsters its security.

However, several areas raise concerns. The plugin has a substantial attack surface with 18 entry points, and critically, 4 of these (AJAX handlers) lack authentication checks. The share of unescaped output is moderate (48% of outputs are properly escaped), but this still represents a significant risk of Cross-Site Scripting (XSS) vulnerabilities, especially since the plugin's vulnerability history includes an XSS issue. The past medium-severity CVE shows that the plugin has had exploitable flaws. That it was addressed suggests a willingness to fix issues, but the initial occurrence is a warning sign.

In conclusion, while the plugin has strengths in its handling of database interactions and input validation via nonces and capabilities, the unprotected AJAX endpoints and the potential for XSS due to incomplete output escaping present the most immediate and concerning risks. The historical medium-severity XSS vulnerability underscores the need for vigilance regarding output sanitization.

Key Concerns

  • Unprotected AJAX handlers
  • Moderate percentage of unescaped output
  • Past medium severity CVE
Vulnerabilities: 1

Scripts n Styles Security Vulnerabilities

CVEs by Year

2023: 1 CVE

Severity Breakdown

Medium: 1

1 total CVE

CVE-2023-31236 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Scripts n Styles <= 3.5.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

May 18, 2023 · Patched in 3.5.4 (250d)
Code Analysis
Analyzed Mar 16, 2026

Scripts n Styles Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 66 (60 escaped)
Nonce Checks: 12
Capability Checks: 26
File Operations: 1
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

jQuery

Output Escaping

48% escaped · 126 total outputs

Data Flows: All sanitized

Data Flow Analysis

4 flows
shortcodes (includes\class-sns-ajax.php:332)
Attack Surface
4 unprotected

Scripts n Styles Attack Surface

Entry Points: 18
Unprotected: 4

AJAX Handlers 14

auth wp_ajax_sns_update_tab includes\class-sns-ajax.php:6
auth wp_ajax_sns_tinymce_styles includes\class-sns-ajax.php:8
nopriv wp_ajax_sns_tinymce_styles includes\class-sns-ajax.php:9
auth wp_ajax_sns_classes includes\class-sns-ajax.php:12
auth wp_ajax_sns_scripts includes\class-sns-ajax.php:13
auth wp_ajax_sns_styles includes\class-sns-ajax.php:14
auth wp_ajax_sns_html includes\class-sns-ajax.php:15
auth wp_ajax_sns_dropdown includes\class-sns-ajax.php:16
auth wp_ajax_sns_delete_class includes\class-sns-ajax.php:17
auth wp_ajax_sns_shortcodes includes\class-sns-ajax.php:18
auth wp_ajax_sns_open_theme_panels includes\class-sns-ajax.php:19
auth wp_ajax_sns_plugin_editor includes\class-sns-ajax.php:20
auth wp_ajax_sns_theme_css scripts-n-styles.php:140
nopriv wp_ajax_sns_theme_css scripts-n-styles.php:141

Shortcodes 4

[sns_shortcode] scripts-n-styles.php:170
[hoops] scripts-n-styles.php:171
[sns_shortcode] scripts-n-styles.php:504
[hoops] scripts-n-styles.php:505
WordPress Hooks 38

action admin_menu includes\class-sns-admin.php:35
action admin_menu includes\class-sns-admin.php:39
action admin_init includes\class-sns-admin.php:41
action admin_init includes\class-sns-admin.php:42
filter editable_extensions includes\class-sns-ajax.php:59
filter sns_options_pre_update_option includes\class-sns-global-page.php:175
filter parent_file includes\class-sns-hoops-page.php:32
filter sns_options_pre_update_option includes\class-sns-hoops-page.php:57
action current_screen includes\class-sns-meta-box.php:23
action save_post includes\class-sns-meta-box.php:24
filter default_hidden_meta_boxes includes\class-sns-meta-box.php:96
action admin_print_styles includes\class-sns-meta-box.php:97
action admin_print_scripts includes\class-sns-meta-box.php:98
filter contextual_help includes\class-sns-meta-box.php:99
filter mce_buttons_2 includes\class-sns-meta-box.php:100
filter tiny_mce_before_init includes\class-sns-meta-box.php:101
filter replace_editor includes\class-sns-meta-box.php:102
filter parent_file includes\class-sns-settings-page.php:32
filter parent_file includes\class-sns-theme-page.php:37
filter sns_show_submit_button includes\class-sns-theme-page.php:62
filter parent_file includes\class-sns-usage-page.php:31
filter set-screen-option includes\class-sns-usage-page.php:51
filter pre_update_option_SnS_options scripts-n-styles.php:99
filter update_post_metadata scripts-n-styles.php:107
action plugins_loaded scripts-n-styles.php:121
filter body_class scripts-n-styles.php:123
filter post_class scripts-n-styles.php:124
action wp_head scripts-n-styles.php:126
action wp_enqueue_scripts scripts-n-styles.php:127
action wp_head scripts-n-styles.php:128
action wp_footer scripts-n-styles.php:129
action wp_head scripts-n-styles.php:130
action wp_footer scripts-n-styles.php:131
action plugins_loaded scripts-n-styles.php:133
action widgets_init scripts-n-styles.php:134
action wp_enqueue_scripts scripts-n-styles.php:136
action admin_enqueue_scripts scripts-n-styles.php:137
action wp_print_styles scripts-n-styles.php:139

Maintenance & Trust

Scripts n Styles Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.2.9
Last updated: Jun 6, 2023
PHP min version: 7.4
Downloads: 379K

Community Trust

Rating: 88/100
Number of ratings: 30
Active installs: 30K
Developer Profile

Scripts n Styles Developer Profile

WraithKenny

1 plugin · 30K total installs

Trust score: 69
Avg Security Score: 85/100
Avg Patch Time: 250 days
Detection Fingerprints

How We Detect Scripts n Styles

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/scripts-n-styles/sns-core/sns-core.js
/wp-content/plugins/scripts-n-styles/sns-core/sns-core.css
Script Paths
/wp-content/plugins/scripts-n-styles/sns-core/sns-core.js
Version Parameters
scripts-n-styles/sns-core/sns-core.js?ver=
scripts-n-styles/sns-core/sns-core.css?ver=

HTML / DOM Fingerprints

Data Attributes
data-sns-id
JS Globals
SnS_Settings
Shortcode Output
[sns_shortcode]
[hoops]