Themify Shortcodes Security & Risk Analysis

wordpress.org/plugins/themify-shortcodes

Allows you to use all Themify shortcodes on any WordPress theme.

8K active installs v2.1.4 PHP 7.2+ WP 4.0+ Updated Apr 3, 2025
shortcode, themify
96
A · Safe
CVEs total: 5
Unpatched: 0
Last CVE: Apr 16, 2025
Safety Verdict

Is Themify Shortcodes Safe to Use in 2026?

Generally Safe

Score 96/100

Themify Shortcodes has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: Apr 16, 2025 · Updated 1yr ago
Risk Assessment

The themify-shortcodes plugin version 2.1.4 exhibits a mixed security posture. While the static analysis shows a limited attack surface with no immediately apparent unprotected entry points (AJAX, REST API, cron) and all SQL queries utilize prepared statements, there are some concerning indicators. The complete lack of nonce checks and the fact that capability checks are only present on one entry point suggest potential authorization bypass vulnerabilities if other unprotected entry points were to emerge or if existing ones were misused. The high percentage of properly escaped output (83%) is a positive sign, but the remaining 17% could still be a vector for cross-site scripting if that data is user-controlled.

The plugin's vulnerability history is a significant concern. A total of 5 known CVEs, all of them medium severity and all Cross-Site Scripting, indicates a pattern of input sanitization issues. Although there are no currently unpatched vulnerabilities, the frequency and type of past issues highlight a recurring weakness that could resurface. Because the last reported vulnerability is very recent (April 2025), the underlying code patterns may still be present and susceptible to future discovery, even though the reported issues are patched. The absence of taint analysis results might be due to the analysis tools' limitations or the specific code paths analyzed, but it doesn't negate the historical XSS findings.

In conclusion, while the current static analysis doesn't reveal critical flaws in version 2.1.4 itself, the substantial history of medium-severity XSS vulnerabilities demands caution. The lack of comprehensive nonce and capability checks across its limited attack surface is a weakness. Users should remain vigilant, ensure the plugin is always updated to the latest version, and be aware of the potential for new vulnerabilities to be discovered given the past track record.

Key Concerns

  • Significant history of medium severity CVEs (5 total)
  • Lack of nonce checks on any entry points
  • Capability checks on only 1 of 1 entry points
  • 17% of outputs not properly escaped
  • Bundled library (TinyMCE) may have vulnerabilities
Vulnerabilities
5

Themify Shortcodes Security Vulnerabilities

CVEs by Year

  • 2023: 1 CVE
  • 2024: 3 CVEs
  • 2025: 1 CVE

Severity Breakdown

  • Medium: 5

5 total CVEs

CVE-2025-39581 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Themify Shortcodes <= 2.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Apr 16, 2025 · Patched in 2.1.4 (7d)

CVE-2024-43133 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Themify Shortcodes <= 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Aug 7, 2024 · Patched in 2.1.2 (8d)

CVE-2024-4567 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Themify Shortcodes <= 2.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via themify_button Shortcode

May 8, 2024 · Patched in 2.1.0 (2d)

CVE-2024-2732 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Themify Shortcodes <= 2.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

Mar 25, 2024 · Patched in 2.0.9 (1d)

CVE-2022-4787 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Themify Shortcodes <= 2.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Jan 4, 2023 · Patched in 2.0.8 (384d)
Code Analysis
Analyzed Mar 16, 2026

Themify Shortcodes Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (1 prepared)
  • Unescaped Output: 11 (55 escaped)
  • Nonce Checks: 0
  • Capability Checks: 1
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 1

Bundled Libraries

TinyMCE

SQL Query Safety

100% prepared · 1 total queries

Output Escaping

83% escaped · 66 total outputs
Attack Surface

Themify Shortcodes Attack Surface

Entry Points: 1
Unprotected: 0

Shortcodes 1

[themify_video] includes\system.php:141
WordPress Hooks 14
action admin_menu includes\admin.php:8
action admin_init includes\admin.php:9
filter image_resize_dimensions includes\functions.php:163
action init includes\system.php:17
action init includes\system.php:18
action init includes\system.php:19
action wp_enqueue_scripts includes\system.php:20
action init includes\theme-options.php:53
filter mce_external_plugins includes\tinymce.php:9
filter mce_buttons includes\tinymce.php:10
filter init includes\tinymce.php:11
action print_media_templates includes\tinymce.php:12
action after_setup_theme init.php:38
filter plugin_row_meta init.php:39
Maintenance & Trust

Themify Shortcodes Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Apr 3, 2025
PHP min version: 7.2
Downloads: 140K

Community Trust

Rating: 60/100
Number of ratings: 2
Active installs: 8K
Developer Profile

Themify Shortcodes Developer Profile

themifyme

10 plugins · 140K total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 145 days
Detection Fingerprints

How We Detect Themify Shortcodes

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/themify-shortcodes/assets/styles.css
/wp-content/plugins/themify-shortcodes/assets/themify-icons/themify-icons.css
/wp-content/plugins/themify-shortcodes/assets/fontawesome/css/font-awesome.min.css
/wp-content/plugins/themify-shortcodes/assets/scripts.js
Script Paths
/wp-content/plugins/themify-shortcodes/assets/scripts.js
Version Parameters
themify-shortcodes/assets/scripts.js?ver=

HTML / DOM Fingerprints

CSS Classes
themify-shortcodes
themify-builder-shortcodes
themify-shortcodes-wrap
themify-icon-list
themify-icon-list-item
HTML Comments
Copyright (C) ThemifyShortcodes:Functions:DO NOT EDIT THIS FILE
Data Attributes
data-themify-shortcode
JS Globals
themifyShortcodes
Shortcode Output
[themify_button
[themify_quote
[themify_col
[themify_img
FAQ

Frequently Asked Questions about Themify Shortcodes