
Shaun's WP Query Shortcode Security & Risk Analysis
wordpress.org/plugins/shauns-wp-query-shortcodeThis extensible plugin allows you to run a custom WP_Query using a simple shortcode, then display the results using compatible nested shortcodes.
Is Shaun's WP Query Shortcode Safe to Use in 2026?
Generally Safe
Score 85/100Shaun's WP Query Shortcode has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.
The security posture of the 'shauns-wp-query-shortcode' plugin v1.2 appears to be a mixed bag, showing some good practices alongside significant areas of concern. The plugin does not utilize dangerous functions, performs all its SQL queries using prepared statements, and has no recorded history of vulnerabilities. This suggests a developer who is aware of fundamental security best practices regarding database interactions and known exploits. However, the complete lack of output escaping for its single identified output is a major red flag. This means any data rendered to the user through this output is potentially vulnerable to cross-site scripting (XSS) attacks if it originates from an untrusted source.
The static analysis revealed two shortcodes as the primary entry points, with none of them having explicit authentication or capability checks. While the total entry points are low, the absence of capability checks on shortcodes, especially if they can process user-supplied data or interact with sensitive parts of WordPress, is a concern. The taint analysis yielded no specific flows, which is positive but could also indicate that the analysis itself was limited or that the plugin's interactions with potentially tainted data are not being thoroughly tracked in this specific report.
Given the lack of vulnerability history, it's difficult to draw definitive conclusions about past security practices beyond the current analysis. However, the current version demonstrates a clear weakness in output sanitization and a potential for privilege escalation or unauthorized actions via the shortcodes if they handle user input without proper validation or authorization. The developer has a strong foundation with SQL and avoids dangerous functions, but the output escaping and capability checks on shortcodes require immediate attention to improve the overall security.
Key Concerns
- Unescaped output
- Shortcodes without capability checks
Shaun's WP Query Shortcode Security Vulnerabilities
Shaun's WP Query Shortcode Release Timeline
Shaun's WP Query Shortcode Code Analysis
Output Escaping
Shaun's WP Query Shortcode Attack Surface
Shortcodes 2
Maintenance & Trust
Shaun's WP Query Shortcode Maintenance & Trust
Maintenance Signals
Community Trust
Shaun's WP Query Shortcode Alternatives
Apollo13 Framework Extensions
apollo13-framework-extensions
Adds custom post types, shortcodes and some features that are used in themes built on Apollo13 Framework.
No Page Comment
no-page-comment
An admin interface to control the default comment and trackback settings on new posts, pages and custom post types.
Posts in Page
posts-in-page
Easily add one or more posts to any page using simple shortcodes.
Real Custom Post Order: Create a custom order for your content
real-custom-post-order
Custom post order for posts, pages, WooCommerce products and custom post types using drag and drop. Simple and intuitive sorting of your content!
WP Blog and Widgets
wp-blog-and-widgets
A quick, easy way to add a Blog custom post type, Blog widget to WordPress. Also, work with the Gutenberg shortcode block.
Shaun's WP Query Shortcode Developer Profile
4 plugins · 130 total installs
How We Detect Shaun's WP Query Shortcode
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
HTML / DOM Fingerprints
related-pagesshauns_wp_query<ul class="related-pages"><li><a href=""></a></li></ul>