WP Testimonials Security & Risk Analysis

wordpress.org/plugins/testimonial-widgets

Display your Testimonials on your website fast and easily. 21 widget types, 25 widget styles available. (Free Plugin)

10K active installs · v1.4.12 · PHP 7.0+ · WP 6.2+ · Updated Dec 18, 2025
Tags: ratings, recommendations, reviews, testimonials, widget

Security score: 99 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Jan 12, 2024
Safety Verdict

Is WP Testimonials Safe to Use in 2026?

Generally Safe

Score 99/100

WP Testimonials has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Jan 12, 2024 · Updated 3mo ago
Risk Assessment

The "testimonial-widgets" plugin v1.4.12 presents a mixed security posture. On the positive side, the plugin demonstrates good practices in handling SQL queries, utilizing prepared statements for all 14 queries, and a significant majority (76%) of its output is properly escaped. The attack surface is also relatively small, with only one entry point identified (an AJAX handler) and no publicly accessible REST API routes or shortcodes. However, several concerning signals are present. The presence of 20 instances of the `unserialize` function is a significant red flag, as it can lead to remote code execution vulnerabilities if not handled with extreme care, especially when dealing with untrusted input. This is corroborated by a single "high severity" taint flow with unsanitized paths, indicating a potential for malicious data to be processed in a dangerous way.

The plugin's vulnerability history is also a cause for concern. While there are no currently unpatched CVEs, the plugin has had two known vulnerabilities in the past, specifically SQL injection and CSRF. The fact that these vulnerabilities have been addressed suggests a reactive approach to security rather than a proactive one. The previous existence of these vulnerability types, combined with the static analysis findings, suggests that careful input validation and sanitization are critical areas for ongoing attention within the plugin's development process. While the current version appears to have patched past issues, the presence of `unserialize` and the high-severity taint flow warrant vigilance.

Key Concerns

  • Dangerous unserialize function usage detected
  • High severity taint flow with unsanitized paths
  • Vulnerability history: High severity SQL injection
  • Vulnerability history: Medium severity CSRF
  • Output escaping: 24% of outputs are not properly escaped
  • Capability checks are missing
  • Nonce checks are present but limited
Vulnerabilities (2)

WP Testimonials Security Vulnerabilities

CVEs by Year

2023: 1 CVE (patched)
2024: 1 CVE (patched)

Severity Breakdown

High: 1
Medium: 1

2 total CVEs

CVE-2024-25924 · High · 8.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WP Testimonials <= 1.4.3 - Authenticated (Contributor+) SQL Injection

Jan 12, 2024 · Patched in 1.4.4 (40d)

CVE-2023-2830 · Medium · 4.3 · Cross-Site Request Forgery (CSRF)

WP Testimonials <= 1.4.2 - Cross-Site Request Forgery to Widget Deletion

Jul 14, 2023 · Patched in 1.4.3 (193d)
Code Analysis (analyzed Mar 16, 2026)

WP Testimonials Code Analysis

Dangerous Functions: 20
Raw SQL Queries: 0 (14 prepared)
Unescaped Output: 134 (414 escaped)
Nonce Checks: 3
Capability Checks: 0
File Operations: 0
External Requests: 2
Bundled Libraries: 0

Dangerous Functions Found

Function    | Code                                              | Location
unserialize | $widget_value = unserialize($w->value);           | tabs\create-widget-header.php:104
unserialize | $widget_value = unserialize($w->value);           | tabs\create-widget-header.php:114
unserialize | $widget = unserialize($w->value);                 | tabs\create-widget-header.php:238
unserialize | $widget = unserialize($w->value);                 | tabs\create-widget-header.php:285
unserialize | $widget = unserialize($w->value);                 | tabs\create-widget-header.php:318
unserialize | $widget = unserialize($w->value);                 | tabs\create-widget-header.php:338
unserialize | $widget = unserialize($w->value);                 | tabs\create-widget-header.php:365
unserialize | $widget = unserialize($w->value);                 | tabs\create-widget-header.php:393
unserialize | $widget = unserialize($w->value);                 | tabs\create-widget-header.php:417
unserialize | $widget = unserialize($w->value);                 | tabs\create-widget-header.php:438
unserialize | $widget = unserialize($w->value);                 | tabs\create-widget-header.php:459
unserialize | $widget = unserialize($w->value);                 | tabs\create-widget-header.php:479
unserialize | $widget = unserialize($w->value);                 | tabs\create-widget-header.php:499
unserialize | $widget = unserialize($w->value);                 | tabs\create-widget-header.php:519
unserialize | $widget = unserialize($w->value);                 | tabs\create-widget-header.php:539
unserialize | $widget = unserialize($w->value);                 | tabs\create-widget-header.php:559
unserialize | $widget = unserialize($w->value);                 | tabs\create-widget-header.php:579
unserialize | $widget_value = unserialize($widget->value);      | tabs\index-widget.php:55
unserialize | $widget = unserialize($w->value);                 | testimonials-plugin.class.php:463
unserialize | $val = unserialize($widget->value);               | testimonials-plugin.class.php:802

SQL Query Safety

100% prepared (14 total queries)

Output Escaping

76% escaped (548 total outputs)
Data Flows (1 unsanitized)

Data Flow Analysis

1 flow, 1 with unsanitized paths
<create-widget-header> (tabs\create-widget-header.php:0)
[Flow diagram not reproduced; legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized]
Attack Surface

WP Testimonials Attack Surface

Entry Points: 1
Unprotected: 0

AJAX Handlers (1)

Protection | Hook                       | Location
auth       | wp_ajax_wpttst_edit_rating | post-editor.class.php:15
WordPress Hooks (27)

Type   | Hook                                        | Location
action | add_meta_boxes_wpt-testimonial              | post-editor.class.php:12
filter | hidden_meta_boxes                           | post-editor.class.php:13
action | save_post_wpt-testimonial                   | post-editor.class.php:14
filter | wp_insert_post_data                         | post-editor.class.php:16
action | init                                        | post-types.php:17
filter | wpttst_testimonial_supports                 | post-types.php:96
filter | post_updated_messages                       | post-types.php:139
filter | bulk_post_updated_messages                  | post-types.php:150
action | admin_menu                                  | testimonial-widgets.php:25
filter | parent_file                                 | testimonial-widgets.php:26
filter | plugin_action_links                         | testimonial-widgets.php:27
filter | plugin_row_meta                             | testimonial-widgets.php:28
action | load-edit.php                               | testimonial-widgets.php:31
action | load-post.php                               | testimonial-widgets.php:32
action | load-post-new.php                           | testimonial-widgets.php:33
action | load-edit-tags.php                          | testimonial-widgets.php:34
action | admin_enqueue_scripts                       | testimonial-widgets.php:39
action | after_setup_theme                           | testimonial-widgets.php:40
filter | manage_edit-wpt-testimonial_columns         | testimonial-widgets.php:41
action | manage_wpt-testimonial_posts_custom_column  | testimonial-widgets.php:42
action | init                                        | testimonial-widgets.php:43
action | plugins_loaded                              | testimonial-widgets.php:44
action | all_admin_notices                           | testimonials-plugin.class.php:178
action | all_admin_notices                           | testimonials-plugin.class.php:228
action | http_api_curl                               | testimonials-plugin.class.php:542
filter | https_ssl_verify                            | testimonials-plugin.class.php:875
filter | block_local_requests                        | testimonials-plugin.class.php:876
Maintenance & Trust

WP Testimonials Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 18, 2025
PHP min version: 7.0
Downloads: 72K

Community Trust

Rating: 72/100
Number of ratings: 19
Active installs: 10K
Developer Profile

WP Testimonials Developer Profile

Trustindex

32 plugins · 976K total installs

Trust score: 87
Avg Security Score: 99/100
Avg Patch Time: 87 days
Detection Fingerprints

How We Detect WP Testimonials

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/testimonial-widgets/css/testimonial-widgets-admin.css
/wp-content/plugins/testimonial-widgets/css/testimonial-widgets.css
/wp-content/plugins/testimonial-widgets/js/testimonial-widgets-admin.js
/wp-content/plugins/testimonial-widgets/js/testimonial-widgets.js
Script Paths
https://cdn.trustindex.io/assets/ti-preview-box.css
Version Parameters
testimonial-widgets/css/testimonial-widgets-admin.css?ver=
testimonial-widgets/css/testimonial-widgets.css?ver=
testimonial-widgets/js/testimonial-widgets-admin.js?ver=
testimonial-widgets/js/testimonial-widgets.js?ver=

HTML / DOM Fingerprints

CSS Classes
ti-toggle-opacity
ti-free-title
HTML Comments
<!-- WP Testimonials -->
<!-- BEGIN WP Testimonials by Trustindex.io -->
<!-- END WP Testimonials by Trustindex.io -->
<!-- START HERE FOR CUSTOM CODE -->
+1 more
Data Attributes
data-ti-mode
data-ti-source
data-ti-id
JS Globals
trustindex_testimonials_pm
Shortcode Output
[trustindex_ui_widget]
FAQ

Frequently Asked Questions about WP Testimonials