Sub domain theme switch Security & Risk Analysis

wordpress.org/plugins/subdomain-theme-switch

This plugin switch if your site is being on subdomain to an different, selectable theme.

10 active installs v0.1 PHP + WP 3.8+ Updated Nov 3, 2014
multiple-website-one-backendone-database-multiple-themesub-domaintheme-switch
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Safety Verdict

Is Sub domain theme switch Safe to Use in 2026?

Generally Safe

Score 85/100

Sub domain theme switch has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 11yr ago
Risk Assessment

The "subdomain-theme-switch" v0.1 plugin exhibits a mixed security posture. On the positive side, it has a very small attack surface with no apparent AJAX handlers, REST API routes, shortcodes, or cron events, which significantly limits potential entry points. Furthermore, all SQL queries are prepared, and there are no recorded vulnerabilities in its history. This suggests a generally careful approach to certain aspects of development.

However, there are significant concerns. The most critical issue highlighted by the static analysis is that 100% of the identified output operations are not properly escaped. This presents a high risk of Cross-Site Scripting (XSS) vulnerabilities, as any user-controlled data that is outputted without proper sanitization could be exploited by attackers to inject malicious scripts.

While the plugin boasts no dangerous functions or file operations, the lack of output escaping is a glaring weakness. The presence of one unsanitized taint flow, even if not classified as critical or high severity in the taint analysis itself, coupled with the universal lack of output escaping, creates a dangerous combination. The plugin's vulnerability history being clean could be due to its limited functionality or simply a lack of thorough historical review; it does not negate the immediate risks identified in the current code analysis. In conclusion, despite a clean history and limited attack surface, the severe lack of output escaping makes this plugin a significant XSS risk.

Key Concerns

  • Output escaping is not implemented
  • Taint flow found with unsanitized paths
Vulnerabilities
None known

Sub domain theme switch Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Sub domain theme switch Release Timeline

No version history available.
Code Analysis
Analyzed Apr 16, 2026

Sub domain theme switch Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
5
0 escaped
Nonce Checks
0
Capability Checks
1
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

0% escaped5 total outputs
Data Flows · Security
1 unsanitized

Data Flow Analysis

1 flows1 with unsanitized paths
<subdomain-theme-switch-admin> (subdomain-theme-switch-admin.php:0)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Sub domain theme switch Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 3
filterstylesheetsubdomain-theme-switch.php:62
filtertemplatesubdomain-theme-switch.php:63
actionadmin_menusubdomain-theme-switch.php:87
Maintenance & Trust

Sub domain theme switch Maintenance & Trust

Maintenance Signals

WordPress version tested4.0.38
Last updatedNov 3, 2014
PHP min version
Downloads2K

Community Trust

Rating100/100
Number of ratings1
Active installs10
Developer Profile

Sub domain theme switch Developer Profile

Bijaya Oli

1 plugin · 10 total installs

84
trust score
Avg Security Score
85/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Sub domain theme switch

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

HTML / DOM Fingerprints

FAQ

Frequently Asked Questions about Sub domain theme switch