WP-Safety

Weaver Show Posts Security & Risk Analysis

wordpress.org/plugins/show-posts

Show Posts in a Page via shortcode for any theme

5K active installs v2.0 PHP 7.2+ WP 6.6+ Updated Apr 10, 2026
shortcodesweaver-xtreme-themewidgets
76
B · Generally Safe
CVEs total2
Unpatched1
Last CVEMar 20, 2026
Plugin page Download
Safety Verdict

Is Weaver Show Posts Safe to Use in 2026?

Mostly Safe

Score 76/100

Weaver Show Posts is generally safe to use. 2 past CVEs were resolved.

2 known CVEs 1 unpatched Last CVE: Mar 20, 2026Updated 1mo ago
Risk Assessment

The "show-posts" v2.0 plugin exhibits a mixed security posture. On the positive side, it demonstrates strong adherence to secure coding practices in several areas. Notably, 100% of its SQL queries are prepared, output escaping is nearly perfect at 99%, and it implements a good number of nonce and capability checks. The attack surface appears minimal with no unprotected entry points identified in the static analysis.

However, significant concerns arise from the presence of the `unserialize` function, a known vector for critical vulnerabilities if not handled with extreme care and proper input sanitization. While taint analysis did not reveal immediate unsanitized paths for this function, its mere existence is a red flag. Furthermore, the plugin has a history of two known CVEs, with one remaining unpatched. The common vulnerability type being Cross-site Scripting indicates a recurring pattern that, coupled with the `unserialize` function, suggests potential weaknesses in input validation or handling of serialized data.

In conclusion, while the plugin has strengths in areas like SQL and output escaping, the presence of `unserialize` and its past vulnerability history, particularly the unpatched medium severity CVE, introduce a notable risk. Developers should prioritize auditing the usage of `unserialize` and addressing the outstanding vulnerability.

Key Concerns

  • Unpatched CVE detected
  • Presence of dangerous unserialize function
  • History of XSS vulnerabilities
Vulnerabilities
2 published

Weaver Show Posts Security Vulnerabilities

CVEs by Year

1 CVE in 2023
2023
1 CVE in 2026 · unpatched
2026
Patched Has unpatched

Severity Breakdown

Medium
2

2 total CVEs

CVE-2026-2121medium · 4.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Weaver Show Posts <= 1.8.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Additional Classes to Wrap Posts' Widget Setting

Mar 20, 2026Unpatched
CVE-2023-1404medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Weaver Show Posts <= 1.6 - Authenticated(Contributor+) Stored Cross-Site Scripting via Display Name

Apr 1, 2023 Patched in 1.7 (297d)
Version History

Weaver Show Posts Release Timeline

v2.0Current1 CVE
CVE-2026-2121
v1.8.11 CVE
CVE-2026-2121
v1.81 CVE
CVE-2026-2121
v1.71 CVE
CVE-2026-2121
v1.62 CVEs
CVE-2023-1404 CVE-2026-2121
v1.5.12 CVEs
CVE-2023-1404 CVE-2026-2121
v1.52 CVEs
CVE-2023-1404 CVE-2026-2121
v1.4.112 CVEs
CVE-2023-1404 CVE-2026-2121
v1.3.152 CVEs
CVE-2023-1404 CVE-2026-2121
v1.3.132 CVEs
CVE-2023-1404 CVE-2026-2121
v1.3.102 CVEs
CVE-2023-1404 CVE-2026-2121
v1.3.92 CVEs
CVE-2023-1404 CVE-2026-2121
v1.3.82 CVEs
CVE-2023-1404 CVE-2026-2121
v1.3.72 CVEs
CVE-2023-1404 CVE-2026-2121
v1.3.62 CVEs
CVE-2023-1404 CVE-2026-2121
v1.3.52 CVEs
CVE-2023-1404 CVE-2026-2121
v1.3.32 CVEs
CVE-2023-1404 CVE-2026-2121
v1.3.22 CVEs
CVE-2023-1404 CVE-2026-2121
v1.3.1.12 CVEs
CVE-2023-1404 CVE-2026-2121
v1.3.12 CVEs
CVE-2023-1404 CVE-2026-2121
Code Analysis
Analyzed Apr 16, 2026

Weaver Show Posts Code Analysis

Dangerous Functions
1
Raw SQL Queries
0
1 prepared
Unescaped Output
3
280 escaped
Nonce Checks
2
Capability Checks
8
File Operations
1
External Requests
0
Bundled Libraries
0

Dangerous Functions Found

unserialize$restore = unserialize($contents);includes/atw-admin-lib.php:120

SQL Query Safety

100% prepared1 total queries

Output Escaping

99% escaped283 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

1 flows
<downloader> (includes/downloader.php:0)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Weaver Show Posts Attack Surface

Entry Points1
Unprotected0

Shortcodes 1

[show_posts] atw-show-posts.php:259
WordPress Hooks 12
actionplugins_loadedatw-show-posts.php:40
actionmedia_buttonsatw-show-posts.php:48
actionadmin_menuatw-show-posts.php:49
actionwp_enqueue_scriptsatw-show-posts.php:50
actiontemplate_redirectatw-show-posts.php:51
actioninitatw-show-posts.php:52
actionadmin_footeratw-show-posts.php:67
actionadmin_footeratw-show-posts.php:72
actionwp_headatw-show-posts.php:235
filterwidget_textatw-show-posts.php:262
filterexcerpt_lengthincludes/atw-showposts-sc.php:165
actionwidgets_initincludes/posts-widgets.php:95
Maintenance & Trust

Weaver Show Posts Maintenance & Trust

Maintenance Signals

WordPress version tested7.0
Last updatedApr 10, 2026
PHP min version7.2
Downloads212K

Community Trust

Rating100/100
Number of ratings7
Active installs5K
Alternatives

Weaver Show Posts Alternatives

Weaver Xtreme Theme Support

Weaver Xtreme Theme Support

weaverx-theme-support

A
89

A useful shortcode and widget collection for Weaver Xtreme

9K 3 CVEs
Apollo13 Framework Extensions

Apollo13 Framework Extensions

apollo13-framework-extensions

A
95

Adds custom post types, shortcodes and some features that are used in themes built on Apollo13 Framework.

20K 6 CVEs
Popularis Extra

Popularis Extra

popularis-extra

B
74

Popularis Extra add extra features to Popularis theme like demo import, widgets, shortcodes or Elementor widgets.

8K 1 unpatched
Series

Series

series

C
63

Plugin that allows you to collect posts in a series.

2K 1 unpatched
WordPress Widgets Shortcode

WordPress Widgets Shortcode

wp-widgets-shortcode

C
63

Embed any widget area/dynamic sidebar to your pages/posts using the shortcode [dynamic-sidebar id='Your Widget Area/Sidebar name']

500 1 unpatched
Developer Profile

Weaver Show Posts Developer Profile

wpweaver

7 plugins · 25K total installs

69
trust score
Avg Security Score
86/100
Avg Patch Time
178 days
View full developer profile
Detection Fingerprints

How We Detect Weaver Show Posts

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/show-posts/css/atw-posts-admin-style.css/wp-content/plugins/show-posts/js/yetii/yetii.js/wp-content/plugins/show-posts/js/atw-posts-admin.js/wp-content/plugins/show-posts/js/atw-posts-editor-buttons.js
Script Paths
/wp-content/plugins/show-posts/js/yetii/yetii.js/wp-content/plugins/show-posts/js/atw-posts-admin.js/wp-content/plugins/show-posts/js/atw-posts-editor-buttons.js
Version Parameters
show-posts/css/atw-posts-admin-style.css?ver=show-posts/js/yetii/yetii.js?ver=show-posts/js/atw-posts-admin.js?ver=show-posts/js/atw-posts-editor-buttons.js?ver=

HTML / DOM Fingerprints

CSS Classes
dashicons-admin-postdashicons-images-alt
Data Attributes
id="add_atw_posts_posts"id="add_atw_slider_slidrs"id="select-show-posts-dialog"id="atw-slider-post-select"id="select-atw-show-posts"id="cancel-insert-show-posts"+2 more
JS Globals
window.atwSelectShowPostswindow.atwCancelSelectShowPostswindow.atwSelectSliderswindow.atwCancelSelectSliders
Shortcode Output
[show_posts][show_slider]
FAQ

Frequently Asked Questions about Weaver Show Posts