WP-Safety

Switch CTA Box Security & Risk Analysis

wordpress.org/plugins/switch-cta-box

CTA box plugin is developed to embed a title, some text content, and a button with actions with some beautiful premade templates.

30 active installs v1.1 PHP + WP 3.2+ Updated Jul 25, 2019
add-managementcall-to-actioncontentsembed-call-to-actionpromotion
63
C · Use Caution
CVEs total1
Unpatched1
Last CVEApr 21, 2026
Plugin page Download
Safety Verdict

Is Switch CTA Box Safe to Use in 2026?

Use With Caution

Score 63/100

Switch CTA Box has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE 1 unpatched Last CVE: Apr 21, 2026Updated 6yr ago
Risk Assessment

The "switch-cta-box" plugin version 1.1 exhibits a generally good security posture based on the provided static analysis. It has a minimal attack surface, with only one entry point identified (a shortcode), and crucially, no unprotected entry points. The code also demonstrates good practices by utilizing prepared statements for all SQL queries and including nonce and capability checks. The absence of dangerous functions, file operations, and external HTTP requests further bolsters its security.

However, a significant concern arises from the output escaping. With 33% of its 46 output operations being improperly escaped, there is a notable risk of Cross-Site Scripting (XSS) vulnerabilities. While the taint analysis reported no flows with unsanitized paths, the high percentage of unescaped output suggests potential for XSS if user-supplied data is directly rendered without proper sanitization. The plugin's vulnerability history is clean, indicating a lack of past exploited weaknesses, which is a positive sign, but it does not mitigate the risks identified in the current code analysis.

In conclusion, "switch-cta-box" v1.1 has strengths in its limited attack surface and proper use of prepared statements and authentication checks. The primary weakness lies in its insufficient output escaping, creating a significant XSS risk. While past vulnerabilities are absent, proactive attention to output sanitization is essential for maintaining a secure plugin.

Key Concerns

  • Insufficient output escaping
Vulnerabilities
1 published

Switch CTA Box Security Vulnerabilities

CVEs by Year

1 CVE in 2026 · unpatched
2026
Patched Has unpatched

Severity Breakdown

Medium
1

1 total CVE

CVE-2026-4088medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Switch CTA Box <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Apr 21, 2026Unpatched
Version History

Switch CTA Box Release Timeline

No version history available.
Code Analysis
Analyzed Mar 16, 2026

Switch CTA Box Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
31
15 escaped
Nonce Checks
1
Capability Checks
1
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

33% escaped46 total outputs
Attack Surface

Switch CTA Box Attack Surface

Entry Points1
Unprotected0

Shortcodes 1

[wppw_cta_box] inc\shortcode_setup.php:23
WordPress Hooks 10
actionadmin_enqueue_scriptsinc\admin\admin_enuqe.php:9
actionadmin_print_scripts-post-new.phpinc\admin\admin_enuqe.php:12
actionadmin_print_scripts-post.phpinc\admin\admin_enuqe.php:13
filterpost_updated_messagesinc\admin\admin_modify.php:2
actioninitinc\post_type.php:65
actionadd_meta_boxesinc\post_type_meta_feilds.php:13
actionsave_postinc\post_type_meta_feilds.php:168
filterwidget_textwp-ss-box.php:17
actionwp_enqueue_scriptswp-ss-box.php:26
filtergettextwp-ss-box.php:27
Maintenance & Trust

Switch CTA Box Maintenance & Trust

Maintenance Signals

WordPress version tested5.2.24
Last updatedJul 25, 2019
PHP min version
Downloads2K

Community Trust

Rating100/100
Number of ratings2
Active installs30
Alternatives

Switch CTA Box Alternatives

ExtraSpace

ExtraSpace

extraspace

A
100

Add a small, unobtrusive tab to your site that opens a lightweight, accessible slide-in panel for announcements, promos, CTAs, custom HTML, or shortco &hellip;

0 No CVEs
Easy Table of Contents

Easy Table of Contents

easy-table-of-contents

A
95

Adds a user friendly and fully automatic way to create and display a table of contents generated from the page content.

600K 6 CVEs
Table of Contents Plus

Table of Contents Plus

table-of-contents-plus

A
89

A powerful yet user friendly plugin that automatically creates a table of contents. Can also output a sitemap listing all pages and categories.

200K 5 CVEs
LuckyWP Table of Contents

LuckyWP Table of Contents

luckywp-table-of-contents

A
89

Creates SEO-friendly table of contents for your posts/pages. Works automatically or manually (via shortcode, Gutenberg block or widget).

100K 5 CVEs
Boxzilla – Pop-Ups for WordPress

Boxzilla – Pop-Ups for WordPress

boxzilla

A
100

Flexible pop-ups or slide-ins, showing up at just the right time.

20K No CVEs
Developer Profile

Switch CTA Box Developer Profile

Jaber Molla

2 plugins · 80 total installs

81
trust score
Avg Security Score
82/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Switch CTA Box

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/switch-cta-box/css/cta_style.css/wp-content/plugins/switch-cta-box/inc/admin/css/cta_admin_style.css/wp-content/plugins/switch-cta-box/inc/admin/js/cta_boxadmin.js

HTML / DOM Fingerprints

CSS Classes
cta_wrapcta_tem_orngcta_tem_onecta_tem_widcta_titleboxtittlecta_descta_bbtn+1 more
Data Attributes
id="cta_box_description"id="cta_box_button_text"id="cta_box_button_id"id="cta_box_button_link"id="cta_box_show_shortcode"
Shortcode Output
<div class="cta_wrap cta_tem_orng container"><div class="cta_wrap cta_tem_one container"><div class="cta_wrap cta_tem_wid container">
FAQ

Frequently Asked Questions about Switch CTA Box