Sitekit Security & Risk Analysis

wordpress.org/plugins/sitekit

Widgets: search, archives and categories. Shortcodes: archives, bloginfo, iframe and categories.

3K active installs · v2.0 · PHP + WP 4.0+ · Updated Jun 15, 2025

Tags: archive, archives, search, widget, widgets

Score: 74 (B · Generally Safe)
CVEs total: 6
Unpatched: 1
Last CVE: Sep 22, 2025
Safety Verdict

Is Sitekit Safe to Use in 2026?

Mostly Safe

Score 74/100

Sitekit is generally safe to use. 6 past CVEs were resolved. Keep it updated.

6 known CVEs · 1 unpatched · Last CVE: Sep 22, 2025 · Updated 9mo ago
Risk Assessment

The "sitekit" plugin v2.0 exhibits a mixed security posture. On the positive side, the static analysis reveals no dangerous functions, all SQL queries use prepared statements, and there are no file operations or external HTTP requests, which are excellent security practices. However, a significant concern is output escaping: only 57% of outputs are properly escaped. The remaining output is exposed to Cross-Site Scripting (XSS) if user-supplied data reaches it without adequate sanitization before rendering. No taint-analysis results are available, which is a neutral factor: data-flow vulnerabilities were neither detected nor ruled out in this instance.

The plugin's vulnerability history is a major red flag: 6 known CVEs, one of them currently unpatched, indicate a recurring pattern of security weaknesses. The historical focus on 'Improper Neutralization of Input During Web Page Generation' (XSS) directly correlates with the static-analysis finding of poor output escaping. That the latest vulnerability is very recent (2025-09-22) and still unpatched makes the risk immediate and pressing. While the unpatched CVE is categorized as medium severity, multiple medium vulnerabilities can collectively pose a significant threat. The bundled TinyMCE library, while not inherently a vulnerability, introduces risk if the plugin developer does not maintain and update it diligently.

In conclusion, while "sitekit" v2.0 demonstrates good practices in areas like database interaction and avoiding risky functions, the high number of historical vulnerabilities, particularly XSS, and the current unpatched medium vulnerability, alongside a concerning rate of unescaped output, present a substantial risk. The plugin developer needs to address these recurring security flaws promptly and thoroughly, especially the output escaping issues and the unpatched CVE.

Key Concerns

  • Unpatched CVE
  • Low output escaping rate
  • 6 total known CVEs
  • Bundled library (TinyMCE)
Vulnerabilities (6)

Sitekit Security Vulnerabilities

CVEs by Year

  • 2023: 2 CVEs
  • 2024: 1 CVE
  • 2025: 3 CVEs (includes the unpatched CVE)

Severity Breakdown

  • Medium: 6

6 total CVEs

CVE-2025-58229 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Sitekit <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Sep 22, 2025 · Unpatched

CVE-2025-50047 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Sitekit <= 1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jun 19, 2025 · Patched in 2.0 (7d)

CVE-2025-30776 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Sitekit <= 1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

Mar 27, 2025 · Patched in 1.9 (7d)

CVE-2024-29111 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Sitekit <= 1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Mar 16, 2024 · Patched in 1.7 (5d)

CVE-2023-5071 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Sitekit <= 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'sitekit_iframe' shortcode

Aug 28, 2023 · Patched in 1.5 (148d)

CVE-2023-27628 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Sitekit <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'sitekit_iframe' shortcode

Aug 28, 2023 · Patched in 1.4 (148d)
Code Analysis (Analyzed Mar 16, 2026)

Sitekit Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 58 (78 escaped)
  • Nonce Checks: 0
  • Capability Checks: 2
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 1

Bundled Libraries

TinyMCE

Output Escaping

57% escaped (136 total outputs)
Attack Surface

Sitekit Attack Surface

Entry Points: 6
Unprotected: 0

Shortcodes 6

[sitekit_archives] inc\sitekit-shortcode-archives.php:84
[sitekit_bloginfo] inc\sitekit-shortcode-bloginfo.php:9
[sitekit_categories] inc\sitekit-shortcode-categories.php:29
[sitekit_iframe] inc\sitekit-shortcode-iframe.php:44
[sitekit_menu] inc\sitekit-shortcode-menu.php:61
[sitekit_posts] inc\sitekit-shortcode-posts.php:63
WordPress Hooks 13

action  admin_menu            inc\sitekit-settings.php:16
action  admin_init            inc\sitekit-settings.php:31
action  admin_init            inc\sitekit-settings.php:39
action  widgets_init          inc\sitekit-widget-archives.php:213
action  widgets_init          inc\sitekit-widget-categories.php:212
action  widgets_init          inc\sitekit-widget-posts.php:271
action  widgets_init          inc\sitekit-widget-search.php:115
action  wp_head               sitekit.php:78
action  wp_footer             sitekit.php:95
filter  mce_external_plugins  sitekit.php:108
filter  mce_buttons           sitekit.php:109
action  admin_head            sitekit.php:112
filter  plugin_row_meta       sitekit.php:137
Maintenance & Trust

Sitekit Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Jun 15, 2025
PHP min version: (not listed)
Downloads: 55K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 3K
Developer Profile

Sitekit Developer Profile

webvitaly

14 plugins · 128K total installs

Trust score: 66
Avg Security Score: 81/100
Avg Patch Time: 396 days
Detection Fingerprints

How We Detect Sitekit

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/sitekit/css/sitekit.css
Script Paths
  • /wp-content/plugins/sitekit/js/tinymce.js
Version Parameters
  • sitekit/style.css?ver=
  • sitekit.css?ver=

HTML / DOM Fingerprints

CSS Classes
  • sitekit-archives
HTML Comments
  • <!-- Powered by Sitekit v.2.0 https://wordpress.org/plugins/sitekit/ -->
  • <!-- Sitekit head code -->
  • <!-- End of Sitekit head code -->
  • <!-- Sitekit Google Analytics code -->
  • (+4 more)
Data Attributes
  • data-id
JS Globals
  • dataLayer
  • gtag
Shortcode Output
  • <p class="sitekit-archives"><select name="archive-dropdown" onchange='document.location.href=this.options[this.selectedIndex].value;'><option value="">
FAQ

Frequently Asked Questions about Sitekit