Showdown Security & Risk Analysis

wordpress.org/plugins/showdown

Showdown popularity contests on your site!

10 active installs · v1.2.1 · Requires WP 4.0+ (no minimum PHP version listed) · Updated May 22, 2016
Tags: contests, hot-or-not, polls, popularity, rating

Security score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Showdown Safe to Use in 2026?

Generally Safe

Score 85/100

Showdown has no known CVEs, but it is not actively maintained: its latest release, v1.2.1, dates from May 2016. The absence of reported vulnerabilities in a plugin with about ten installs says more about the lack of scrutiny than about code quality, and its use of create_function() means it will not load at all on PHP 8. Review the Risk Assessment below before deploying it.

No known CVEs · Updated 9 years ago
Risk Assessment

The "showdown" v1.2.1 plugin has a small attack surface: two shortcodes, eighteen WordPress hooks, no raw SQL queries (the plugin issues none, so the question of prepared statements does not arise), no file operations, no outbound requests and no bundled PHP libraries. The analysis counted one nonce check and two capability checks but does not say which entry points they guard, and shortcodes are by design reachable by any visitor of a page an editor has placed them on, so they should not be read as nonce-protected. The main weakness is output handling: only 6 of 133 outputs (5%) pass through an escaping function, and the data flow analysis found four flows, all with an unsanitized path, one of them in printAdminPage (showdown.php:183). Unescaped output of editor- or user-supplied data is the usual route to stored or reflected cross-site scripting, and the filters this plugin attaches to the_content and widget_text run on every public page that renders a post or text widget, so those flows deserve a manual review. The one flagged dangerous function, create_function, is called at showdown_widgets.php:120 with a constant code string, so it is not an injection sink as used; it was, however, deprecated in PHP 7.2 and removed in PHP 8.0, where the plugin fails to load. The "Bundled Libraries: 0" metric also misses the jQuery plugins shipped under js/ (dataTables, flexslider, countdown, easing), which cannot have been updated since the plugin's 2016 release and should be checked against their own advisories. The absence of recorded vulnerabilities is welcome, but with about ten active installs and no release since May 2016 it more likely reflects a lack of scrutiny than a record of secure development.

Key Concerns

  • Low percentage of properly escaped output (6 of 133 outputs; four data flows with unsanitized paths)
  • Use of dangerous function: create_function (deprecated in PHP 7.2, removed in PHP 8.0)
  • No release since May 2016; the jQuery plugins under js/ (dataTables, flexslider, countdown, easing) are at least that old
Vulnerabilities
None known

Showdown Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

Showdown Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 127 (6 escaped)
Nonce Checks: 1
Capability Checks: 2
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

create_function at php\showdown_widgets.php:120:

    add_action( 'widgets_init', create_function('', 'return register_widget("Top10Widget");') );
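As an added example (not code from the Showdown plugin), here is the flagged call beside a replacement that registers the same widget without turning a string into code. It assumes WordPress is loaded (add_action() and register_widget() exist) and that the plugin's Top10Widget class is defined; the callback name showdown_register_top10_widget is made up.

```php
<?php
// Added example: replacement for the create_function() call reported at
// php\showdown_widgets.php:120. Assumes WordPress is loaded (add_action(),
// register_widget()) and that the plugin's Top10Widget class is defined.
// The callback name is hypothetical.

// The line as reported by the analysis. create_function() compiles its second
// argument with the same machinery as eval(); the code string here is a
// constant, so there is no injection path as used, but the function was
// deprecated in PHP 7.2 and removed in PHP 8.0, where this call is a fatal
// "Call to undefined function" error at plugin load:
//
//   add_action( 'widgets_init', create_function( '', 'return register_widget("Top10Widget");' ) );

// Replacement: a named callback. No string is turned into code, and it runs
// on every PHP version from 5.2 through 8.x.
function showdown_register_top10_widget() {
    // Guard so a missing or renamed widget class degrades to "no widget"
    // instead of a fatal error inside widgets_init.
    if ( ! class_exists( 'Top10Widget' ) ) {
        return;
    }
    register_widget( 'Top10Widget' );
}
add_action( 'widgets_init', 'showdown_register_top10_widget' );
```

A closure (`function () { register_widget( 'Top10Widget' ); }`) works equally well on PHP 5.3 and later; the named callback is shown because the plugin header still declares WordPress 4.0 support, and that release allowed PHP 5.2, which has no closures.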

Output Escaping

Output Escaping: 5% escaped (133 total outputs)
Data Flows: 4 unsanitized

Data Flow Analysis

4 flows, 4 with unsanitized paths
printAdminPage (showdown.php:183)
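Added example, not the plugin's printAdminPage() and not a claim about what showdown.php:183 contains: a hypothetical admin page handler that shows the shape of a source-to-sink flow with no sanitizer (the pattern the analysis counts as unsanitized) next to a hardened version. All function, option and nonce names are made up; it assumes WordPress's admin API (check_admin_referer(), wp_nonce_field(), esc_html(), esc_attr(), submit_button()) is loaded.

```php
<?php
// Added example (hypothetical; not the Showdown plugin's own code).
// Assumes WordPress is loaded. Option and nonce names are made up.

// BEFORE: the shape of an unsanitized flow. $_POST is the source, echo is the
// sink, and nothing in between sanitizes or escapes. Do not hook this one.
function showdown_example_admin_page_unsafe() {
    if ( isset( $_POST['contest_title'] ) ) {
        update_option( 'showdown_example_title', $_POST['contest_title'] );   // no capability/nonce check, raw input stored
    }
    $title = get_option( 'showdown_example_title', '' );
    echo '<h2>Contest: ' . $title . '</h2>';                          // HTML context: <script> in the title runs for every admin
    echo '<input name="contest_title" value="' . $title . '">';        // attribute context: a " breaks out of the attribute
}

// AFTER: capability check, nonce check, sanitize on the way in, and escape on
// the way out with the function that matches the output context.
function showdown_example_admin_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to manage contests.', 'showdown' ) );
    }

    if ( isset( $_POST['contest_title'] ) ) {
        // The nonce ties this POST to a form the same user rendered; without it
        // any site that can make the admin's browser submit the form sets the title.
        check_admin_referer( 'showdown_example_save', 'showdown_example_nonce' );
        $clean = sanitize_text_field( wp_unslash( $_POST['contest_title'] ) );
        update_option( 'showdown_example_title', $clean );
    }

    // Escape regardless of how the value was stored: the option could have
    // been written by other code, an import, or an older plugin version.
    $title = get_option( 'showdown_example_title', '' );
    ?>
    <div class="wrap">
        <h2>Contest: <?php echo esc_html( $title ); ?></h2>
        <form method="post">
            <?php wp_nonce_field( 'showdown_example_save', 'showdown_example_nonce' ); ?>
            <input type="text" name="contest_title" value="<?php echo esc_attr( $title ); ?>">
            <?php submit_button( 'Save' ); ?>
        </form>
    </div>
    <?php
}

// Register the hardened page under Settings; the capability is enforced again
// here so the menu entry itself is hidden from users who cannot use it.
add_action( 'admin_menu', function () {
    add_options_page( 'Showdown Example', 'Showdown Example', 'manage_options',
        'showdown-example', 'showdown_example_admin_page' );
} );
```

The two escaping calls are deliberately different: esc_html() for text between tags, esc_attr() inside a quoted attribute. Using the wrong one for the context is the most common way an output still counts as "escaped" yet remains exploitable.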
Attack Surface

Showdown Attack Surface

Entry Points: 2
Unprotected: 0

Shortcodes (2)

[wphotornot] php\showdown_engine.php:7
[wphotornotstats] php\showdown_engine.php:8
WordPress Hooks (18)

action  admin_init                          php\competitor_class.php:69
action  wp_insert_post                      php\competitor_class.php:70
filter  manage_posts_custom_column          php\competitor_class.php:73
action  manage_edit-competitor_columns      php\competitor_class.php:74
filter  the_content                         php\competitor_class.php:77
action  init                                php\competitor_class.php:341
action  admin_init                          php\post_enhancer.php:9
action  add_meta_boxes                      php\post_enhancer.php:10
filter  mce_buttons                         php\post_enhancer.php:51
filter  mce_external_plugins                php\post_enhancer.php:52
filter  widget_text                         php\showdown_engine.php:11
action  init                                php\showdown_engine.php:295
action  widgets_init                        php\showdown_widgets.php:120
action  wp_head                             showdown.php:525
action  activate_wpshowdown/wpshowdown.php  showdown.php:526
action  admin_menu                          showdown.php:527
action  admin_print_scripts                 showdown.php:528
action  admin_print_styles                  showdown.php:529
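Shortcodes are public entry points: any visitor of a page where an editor placed the tag triggers the handler, and its attributes come from whoever edited that post. Added example, not the plugin's [wphotornot] handler: a shortcode that renders the kind of data-color, data-bgcolor and data-image attributes the DOM fingerprints further down list, with an attribute whitelist, value validation and context-matched escaping. The tag wphotornot_example and every function name are made up; it assumes WordPress's shortcode API is loaded.

```php
<?php
// Added example (hypothetical; not the Showdown plugin's own code).
// Assumes WordPress is loaded. The shortcode tag and names are made up.

// Accept only #rgb / #rrggbb; anything else falls back to the default.
// Validation instead of escaping alone: a colour that is not a colour has
// no business reaching the markup even if it is harmless once escaped.
function showdown_example_hex_color( $value, $default ) {
    return preg_match( '/^#([A-Fa-f0-9]{3}){1,2}$/', (string) $value ) ? $value : $default;
}

function showdown_example_hotornot_shortcode( $atts ) {
    // shortcode_atts() keeps only the keys in the defaults list, so an editor
    // cannot introduce arbitrary attributes into the rendered element.
    $atts = shortcode_atts( array(
        'color'   => '#333333',
        'bgcolor' => '#ffffff',
        'image'   => '',
        'limit'   => 10,
    ), $atts, 'wphotornot_example' );

    $color   = showdown_example_hex_color( $atts['color'], '#333333' );
    $bgcolor = showdown_example_hex_color( $atts['bgcolor'], '#ffffff' );
    $limit   = max( 1, min( 100, absint( $atts['limit'] ) ) );

    // Build and return the markup. A shortcode callback that echoes prints
    // its output before the post body instead of where the tag sits.
    $html  = sprintf(
        '<div class="showdownplugin" data-color="%s" data-bgcolor="%s" data-image="%s">',
        esc_attr( $color ),
        esc_attr( $bgcolor ),
        esc_url( $atts['image'] )   // esc_url() returns '' for javascript: and data: URLs
    );
    $html .= sprintf( '<span class="thecompetitors">%s</span>', esc_html( sprintf( 'Top %d', $limit ) ) );
    $html .= '</div>';
    return $html;
}
add_shortcode( 'wphotornot_example', 'showdown_example_hotornot_shortcode' );
```

With this handler, `[wphotornot_example color='"><script>alert(1)</script>' image="javascript:alert(1)"]` renders a div with the default colour and an empty data-image, because the colour fails validation and esc_url() drops the disallowed scheme.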
Maintenance & Trust

Showdown Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.5.33
Last updated: May 22, 2016
PHP min version: (none listed)
Downloads: 3K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 10
Developer Profile

Showdown Developer Profile

Weborithm

1 plugin · 10 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Showdown

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  /wp-content/plugins/showdown/css/style.css
  /wp-content/plugins/showdown/js/showdown.js
  /wp-content/plugins/showdown/js/jquery-effect.js
  /wp-content/plugins/showdown/js/jquery.animate-colors.js
  /wp-content/plugins/showdown/js/jquery.countdown.js
  /wp-content/plugins/showdown/js/jquery.dataTables.js
  /wp-content/plugins/showdown/js/jquery.easing.js
  /wp-content/plugins/showdown/js/jquery.flexslider.js
  +14 more
Script Paths
  /wp-content/plugins/showdown/js/showdown.js
  /wp-content/plugins/showdown/js/jquery-effect.js
  /wp-content/plugins/showdown/js/jquery.animate-colors.js
  /wp-content/plugins/showdown/js/jquery.countdown.js
  /wp-content/plugins/showdown/js/jquery.dataTables.js
  /wp-content/plugins/showdown/js/jquery.easing.js
  +14 more
Version Parameters
  ver=1.2.1

HTML / DOM Fingerprints

CSS Classes
  showdownplugin, showdownpluginhome, innershowdown, nucompetitors, thecompetitors, buyshowdown, showdownrss, thefeedtitle
Data Attributes
  data-color, data-bgcolor, data-image
JS Globals
  showdownLadda
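Added example, not the site's own detection engine: a small PHP detector that applies the fingerprints above to one captured page and returns whether the plugin is present, the version taken from the ver= query parameter WordPress appends to enqueued assets, and the evidence matched. The HTML sample is constructed for the example and the host example.invalid is not a real site.

```php
<?php
// Added example (not the site's detection engine): apply the Showdown
// fingerprints listed on this page to one captured HTML document.

const SHOWDOWN_ASSET_PREFIX = '/wp-content/plugins/showdown/';

function showdown_detect( string $html ): array {
    $result = array( 'present' => false, 'version' => null, 'evidence' => array() );

    // 1. Asset paths: any src/href pointing under the plugin directory.
    $pattern = '#(?:src|href)=["\']([^"\']*' . preg_quote( SHOWDOWN_ASSET_PREFIX, '#' ) . '[^"\']*)["\']#i';
    if ( preg_match_all( $pattern, $html, $m ) ) {
        $result['present'] = true;
        foreach ( $m[1] as $url ) {
            $result['evidence'][] = 'asset: ' . $url;
            // 2. Version parameter (?ver=1.2.1) on the enqueued asset.
            $query = parse_url( $url, PHP_URL_QUERY );
            if ( is_string( $query ) ) {
                parse_str( $query, $q );
                if ( isset( $q['ver'] ) && preg_match( '/^\d+(\.\d+)*$/', $q['ver'] ) ) {
                    $result['version'] = $q['ver'];
                }
            }
        }
    }

    // 3. DOM markers: CSS classes the plugin's markup uses. \b keeps
    // "showdownplugin" from matching inside "showdownpluginhome".
    foreach ( array( 'showdownplugin', 'showdownpluginhome', 'thecompetitors', 'showdownrss' ) as $cls ) {
        if ( preg_match( '/class=["\'][^"\']*\b' . $cls . '\b/i', $html ) ) {
            $result['present'] = true;
            $result['evidence'][] = 'class: ' . $cls;
        }
    }
    // Data attributes alone are weak evidence (other code uses the same names),
    // so they are recorded but do not set "present" by themselves.
    if ( preg_match( '/\bdata-(color|bgcolor|image)=/i', $html ) ) {
        $result['evidence'][] = 'data attributes';
    }
    return $result;
}

// Constructed sample page for the example (example.invalid is not a real host).
$sample = <<<'HTML'
<html><head>
<link rel="stylesheet" href="https://example.invalid/wp-content/plugins/showdown/css/style.css?ver=1.2.1">
<script src="https://example.invalid/wp-content/plugins/showdown/js/showdown.js?ver=1.2.1"></script>
</head><body>
<div class="showdownplugin" data-color="#333" data-bgcolor="#fff" data-image="https://example.invalid/a.png"></div>
</body></html>
HTML;

print_r( showdown_detect( $sample ) );
```

For the sample above the detector reports present = true, version = 1.2.1 and four pieces of evidence (two assets, the showdownplugin class, the data attributes). Because 1.2.1 is the only version the directory has shipped since 2016, a hit with that version means an unmaintained plugin on the site, not an up-to-date one; a site can suppress the ver= parameter, so the path and class checks should not be skipped when the version is absent.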
FAQ

Frequently Asked Questions about Showdown