Sticky Posts – Switch Security & Risk Analysis

wordpress.org/plugins/sticky-posts-switch

This plugin adds a sticky post switch functionality to the admin list post/custom post type pages.

6K active installs · v2.1.3 · PHP + · WP 4.0+ · Updated Jul 29, 2022
admin · cpt · post · sticky · switch
Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Sticky Posts – Switch Safe to Use in 2026?

Generally Safe

Score 85/100

Sticky Posts – Switch has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 3yr ago
Risk Assessment

Based on the provided static analysis, the plugin "sticky-posts-switch" v2.1.3 exhibits a generally strong security posture. The absence of known CVEs, raw SQL queries, file operations, and external HTTP requests is a positive indicator. The capability checks and nonce check on its single AJAX handler suggest a good understanding of WordPress security best practices for entry points. However, a significant concern is the low percentage of properly escaped output (27%, or 3 of 11 outputs). This indicates a potential risk of Cross-Site Scripting (XSS): user-supplied data or dynamic content could be rendered without proper escaping, allowing attackers to inject malicious scripts into the user's browser.

While taint analysis shows no current issues, the limited output escaping is a weakness that could be exploited. The clean vulnerability history is reassuring, but it does not negate the risks identified in the code analysis. In conclusion, the plugin is well designed in terms of core security features such as authentication and SQL handling. The main security risk, and the primary area for improvement, is the insufficient output escaping, which could lead to XSS vulnerabilities if not addressed.

Key Concerns

  • Low output escaping percentage
Vulnerabilities
None known

Sticky Posts – Switch Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Sticky Posts – Switch Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 8 (3 escaped)
Nonce Checks: 1
Capability Checks: 7
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

27% escaped · 11 total outputs
Attack Surface

Sticky Posts – Switch Attack Surface

Entry Points: 1
Unprotected: 0

AJAX Handlers: 1

auth · wp_ajax_process_sticky_post · sticky-posts-switch.php:157

WordPress Hooks: 12

action · admin_enqueue_scripts · settings\class-settings.php:184
action · admin_menu · settings\class-settings.php:185
action · admin_init · settings\class-settings.php:186
action · plugins_loaded · sticky-posts-switch.php:135
action · admin_enqueue_scripts · sticky-posts-switch.php:148
action · quick_edit_custom_box · sticky-posts-switch.php:160
action · bulk_edit_custom_box · sticky-posts-switch.php:161
action · add_meta_boxes · sticky-posts-switch.php:163
filter · pre_get_posts · sticky-posts-switch.php:169
filter · the_posts · sticky-posts-switch.php:170
filter · post_class · sticky-posts-switch.php:171
filter · the_posts · sticky-posts-switch.php:601
Maintenance & Trust

Sticky Posts – Switch Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.0.11
Last updated: Jul 29, 2022
PHP min version
Downloads: 54K

Community Trust

Rating: 88/100
Number of ratings: 18
Active installs: 6K
Developer Profile

Sticky Posts – Switch Developer Profile

Markus Wiesenhofer

3 plugins · 10K total installs

Trust score: 87
Avg Security Score: 90/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Sticky Posts – Switch

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/sticky-posts-switch/assets/css/admin-sticky-posts.css
/wp-content/plugins/sticky-posts-switch/assets/jquery/jquery.ajaxQueue.min.js
/wp-content/plugins/sticky-posts-switch/assets/js/admin-sticky-posts.js
/wp-content/plugins/sticky-posts-switch/assets/js/admin-quick-edit.js

Script Paths
/wp-content/plugins/sticky-posts-switch/assets/js/admin-sticky-posts.js
/wp-content/plugins/sticky-posts-switch/assets/js/admin-quick-edit.js

Version Parameters
sticky-posts-switch/assets/css/admin-sticky-posts.css?ver=
sticky-posts-switch/assets/jquery/jquery.ajaxQueue.min.js?ver=
sticky-posts-switch/assets/js/admin-sticky-posts.js?ver=
sticky-posts-switch/assets/js/admin-quick-edit.js?ver=

HTML / DOM Fingerprints

CSS Classes
dashicons-sticky
HTML Comments
<!-- Sticky Post Switch -->
Data Attributes
data-original-sticky-value
JS Globals
stickyPostObject