Does Slope Widgets have any unpatched vulnerabilities?

No. All known vulnerabilities in Slope Widgets have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Slope Widgets compatible with WordPress 6.9.4?

According to WordPress.org data, Slope Widgets 4.3.4 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

Is Slope Widgets compatible with PHP 7.0+?

Slope Widgets requires PHP 7.0 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Slope Widgets updated?

Slope Widgets was last updated on Dec 9, 2025. Frequent updates are generally a positive security signal.

What is Slope Widgets's security score?

Slope Widgets has a WP-Safety security score of 99/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Slope Widgets Security & Risk Analysis

wordpress.org/plugins/slope-widgets

Aggiungi i widget di Slope al sito web della tua struttura! Questo plugin mostra la barra delle prenotazioni, i pacchetti e le promozioni.

500 active installs v4.3.4 PHP 7.0+ WP 5.6+ Updated Dec 9, 2025

booking-enginecrmgestionalehotelslope

A · Safe

CVEs total1

Unpatched0

Last CVEDec 16, 2024

Download

Safety Verdict

Is Slope Widgets Safe to Use in 2026?

Generally Safe

Score 99/100

Slope Widgets has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVELast CVE: Dec 16, 2024Updated 3mo ago

Risk Assessment

The slope-widgets plugin v4.3.4 exhibits a generally good security posture, with no critical or high-severity vulnerabilities identified in its code analysis or taint flows. The plugin effectively utilizes prepared statements for SQL queries and generally implements proper output escaping, with 83% of outputs being well-handled. It also includes a nonce check, which is a positive security measure. However, the absence of capability checks on any of its entry points is a significant concern, as this leaves potential for unauthorized actions if any of the entry points were to be exploited.

The vulnerability history, while showing only one medium-severity CVE, is still noteworthy. The fact that this vulnerability was a Cross-site Scripting (XSS) issue, and occurred relatively recently, suggests a potential ongoing struggle with input sanitization or output encoding in certain contexts. While the current version may have patched this specific issue, the pattern is a warning sign. The plugin has strengths in its use of prepared statements and decent output escaping, but weaknesses in its lack of capability checks and a history of XSS vulnerabilities indicate that vigilance is still required.

Key Concerns

No capability checks on entry points
Medium severity XSS vulnerability history
83% output escaping (17% unescaped)

Vulnerabilities

Slope Widgets Security Vulnerabilities

CVEs by Year

1 CVE in 2024

2024

Patched Has unpatched

Severity Breakdown

Medium

1 total CVE

CVE-2024-11902medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Slope Widgets <= 4.2.12 - Authenticated (Contributor+) Stored Cross-Site Scripting

Dec 16, 2024 Patched in 4.2.13 (7d)

Code Analysis

Analyzed Mar 16, 2026

Slope Widgets Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

313 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

83% escaped376 total outputs

Data Flows

All sanitized

Data Flow Analysis

2 flows

fetchPromotions (includes\admin\Promotions.php:84)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

Slope Widgets Attack Surface

Entry Points1

Unprotected0

Shortcodes 1

[slope-promotions] slope-promotions-legacy.php:10

WordPress Hooks 18

actionadmin_menuincludes\admin\GlobalSettings.php:15

actionadmin_initincludes\admin\GlobalSettings.php:16

actionadmin_menuincludes\admin\Promotions.php:29

actionadmin_initincludes\admin\Promotions.php:30

actionwp_enqueue_scriptsincludes\admin\Promotions.php:31

actionadmin_menuincludes\admin\Reservations.php:20

actionadmin_initincludes\admin\Reservations.php:21

actionadmin_menuincludes\admin\WelcomePage.php:9

actionadmin_initslope-widgets.php:63

actionadmin_menuslope-widgets.php:64

actionadmin_enqueue_scriptsslope-widgets.php:65

actionadmin_enqueue_scriptsslope-widgets.php:66

actioninitslope-widgets.php:67

actionwp_enqueue_scriptsslope-widgets.php:68

actionplugins_loadedslope-widgets.php:69

actioninitslope-widgets.php:71

actionplugins_loadedslope-widgets.php:84

actionactivated_pluginslope-widgets.php:92

Maintenance & Trust

Slope Widgets Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedDec 9, 2025

PHP min version7.0

Downloads8K

Community Trust

Rating0/100

Number of ratings0

Active installs500

Alternatives

Slope Widgets Alternatives

MotoPress Hotel Booking

motopress-hotel-booking-lite

The #1 Hotel Booking and Vacation Rental Plugin for WordPress. Online payments, seasons, rates, free or paid extras, coupons, taxes & fees.

10K 4 CVEs

VikBooking Hotel Booking Engine & PMS

vikbooking

Famous Booking Engine, PMS and Hotel Reservations plugin for property managers. The best solution for accommodations to drive more direct bookings.

9K 17 CVEs

Sirvoy Booking Engine

sirvoy-booking-engine

100

Sirvoy booking engine - Non-Commission Direct Bookings from Your Website. Sirvoy can also help you to receive bookings from channels, and much more.

1K No CVEs

Redforts Hotel Booking Engine

oscar-hotel-booking-engine

100

This plugin integrates with Redforts Hotel Software, the all-in-one solution for hotels, hostels, apartments, villas, campings, and more.

300 No CVEs

CultBooking Hotel Booking Engine

cultbooking-booking-engine

CultBooking Engine for WordPress is a powerful and easy-to-use plugin that allows you to manage your bookings and channels from your WordPress site.

100 1 unpatched

Developer Profile

Slope Widgets Developer Profile

slope

1 plugin · 500 total installs

trust score

Avg Security Score

99/100

Avg Patch Time

7 days

View full developer profile

Detection Fingerprints

How We Detect Slope Widgets

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/slope-widgets/css/slope-admin.css/wp-content/plugins/slope-widgets/css/slope-widgets.css/wp-content/plugins/slope-widgets/js/slope-admin.js/wp-content/plugins/slope-widgets/js/slope-colorpicker.js/wp-content/plugins/slope-widgets/js/slope-modules.js/wp-content/plugins/slope-widgets/js/slope-reservations-block.js/wp-content/plugins/slope-widgets/js/slope-widgets.js

Script Paths

/wp-content/plugins/slope-widgets/js/slope-modules.js/wp-content/plugins/slope-widgets/js/slope-colorpicker.js/wp-content/plugins/slope-widgets/js/slope-admin.js/wp-content/plugins/slope-widgets/js/slope-widgets.js/wp-content/plugins/slope-widgets/js/slope-reservations-block.js

Version Parameters

slope-widgets/css/slope-widgets.css?ver=slope-widgets/js/slope-widgets.js?ver=slope-widgets/js/slope-modules.js?ver=slope-widgets/js/slope-colorpicker.js?ver=slope-widgets/js/slope-admin.js?ver=slope-widgets/js/slope-reservations-block.js?ver=

HTML / DOM Fingerprints

CSS Classes

slope-widget-booking-bar

HTML Comments

<!-- between maintaining data freshness while preventing to many requests. We may need to tweak the value once we have -->

+15 more

Data Attributes

data-current-datedata-initial-date

JS Globals

slpWidgetOptions

REST Endpoints

/wp-json/slope-widgets/v1/promotions

Shortcode Output

[slope_booking_bar][slope_promotions][slope_packages]

FAQ