Tweakr – Utility Toolkit Security & Risk Analysis

wordpress.org/plugins/tweakr

Supercharges your Blog with production grade Tweaks, Features and Utilities

30 active installs · v2.1 · PHP 5.6+ · WP 4.7+ · Updated Apr 2, 2020
api · json · security · tools · tweaks
85 · A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Tweakr – Utility Toolkit Safe to Use in 2026?

Generally Safe

Score 85/100

Tweakr – Utility Toolkit has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 6yr ago
Risk Assessment

The "tweakr" plugin v2.1 exhibits a generally good security posture with no known vulnerabilities or critical taint analysis findings. The static analysis reveals a small attack surface with only two shortcodes and no AJAX handlers or REST API routes exposed without authentication, which is a strong positive indicator. The presence of capability checks and a significant portion of properly escaped outputs also suggest adherence to secure coding practices.

However, a notable concern is the complete lack of prepared statements for the single SQL query found. This presents a significant risk of SQL injection vulnerabilities, as user-supplied data is likely being directly incorporated into database queries without proper sanitization or parameterization. Additionally, the absence of nonce checks on the entry points, though currently showing no unprotected handlers, could become a weakness if new AJAX or REST API endpoints are introduced in the future without proper nonce implementation. The use of bundled libraries like TinyMCE also requires attention, as outdated versions of such libraries can introduce their own security risks, though no specific issues were highlighted here.

Overall, "tweakr" v2.1 demonstrates a solid foundation in security, particularly regarding its limited and authenticated attack surface. The primary area for improvement is the handling of database queries to prevent SQL injection. Addressing this, along with a proactive approach to nonce checks for future development, would further solidify its security. The plugin's clean vulnerability history is reassuring but should not lead to complacency, especially given the identified SQL query issue.

Key Concerns

  • SQL queries without prepared statements
  • No nonce checks on entry points
  • Less than 100% output escaping
Vulnerabilities
None known

Tweakr – Utility Toolkit Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Tweakr – Utility Toolkit Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (0 prepared)
Unescaped Output: 20 (34 escaped)
Nonce Checks: 0
Capability Checks: 4
File Operations: 7
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

TinyMCE

SQL Query Safety

0% prepared · 1 total queries

Output Escaping

63% escaped · 54 total outputs
Attack Surface

Tweakr – Utility Toolkit Attack Surface

Entry Points: 2
Unprotected: 0

Shortcodes 2

[googleanalytics-optout] modules\core\Tweakr.php:216
[piwikanalytics-optout] modules\core\Tweakr.php:231
WordPress Hooks 52
filter wp_headers modules\core\API.php:41
filter rest_authentication_errors modules\core\API.php:56
filter automatic_updater_disabled modules\core\AutomaticUpdates.php:10
filter wp_mail_from modules\core\EMail.php:27
filter wp_mail_from_name modules\core\EMail.php:32
action phpmailer_init modules\core\EMail.php:41
action do_feed_rss modules\core\Feeds.php:14
action do_feed_rss2 modules\core\Feeds.php:15
action do_feed_rss2_comments modules\core\Feeds.php:16
action do_feed_atom modules\core\Feeds.php:20
action do_feed_atom_comments modules\core\Feeds.php:21
action do_feed_rdf modules\core\Feeds.php:25
filter show_admin_bar modules\core\Frontend.php:9
filter the_generator modules\core\Frontend.php:16
filter embed_oembed_discover modules\core\Frontend.php:57
filter embed_template_hierarchy modules\core\Frontend.php:62
filter wp_resource_hints modules\core\Frontend.php:69
filter pings_open modules\core\Frontend.php:76
filter wp_headers modules\core\HttpHeader.php:18
filter wp_link_query modules\core\LinkManager.php:12
filter wp_prepare_attachment_for_js modules\core\LinkManager.php:28
filter the_content modules\core\LinkManager.php:38
filter wp_enqueue_scripts modules\core\MatomoAnalytics.php:22
filter document_title_parts modules\core\MatomoAnalytics.php:38
action wp_head modules\core\Metadata.php:28
action rest_api_init modules\core\Monitoring.php:11
action admin_enqueue_scripts modules\core\ResourceLoader.php:28
filter user_trailingslashit modules\core\RewriteRules.php:60
filter term_link modules\core\RewriteRules.php:63
filter _get_page_link modules\core\RewriteRules.php:67
filter robots_txt modules\core\Robots.php:16
filter mce_css modules\core\TinyMCE.php:68
filter plugin_action_links modules\core\Tweakr.php:276
filter plugin_row_meta modules\core\Tweakr.php:277
action admin_init modules\core\Tweakr.php:283
action register_new_user modules\core\UserNotification.php:27
action edit_user_created_user modules\core\UserNotification.php:31
filter auto_core_update_send_email modules\core\UserNotification.php:42
action admin_menu modules\skltn\Plugin.php:64
action in_plugin_update_message-tweakr/Tweakr.php modules\skltn\Plugin.php:67
action admin_notices modules\skltn\Plugin.php:72
action network_admin_notices modules\skltn\Plugin.php:73
action admin_init modules\skltn\Plugin.php:89
filter plugin_action_links modules\skltn\Plugin.php:92
filter plugin_row_meta modules\skltn\Plugin.php:93
action init modules\skltn\Plugin.php:294
action init modules\skltn\Plugin.php:295
filter rewrite_rules_array modules\skltn\RewriteRuleHelper.php:78
action template_redirect modules\skltn\VirtualPageManager.php:32
action tweakr_rewriterules_init modules\skltn\VirtualPageManager.php:35
action admin_notices Tweakr.php:76
action network_admin_notices Tweakr.php:77
Maintenance & Trust

Tweakr – Utility Toolkit Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.4.19
Last updated: Apr 2, 2020
PHP min version: 5.6
Downloads: 5K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 30
Developer Profile

Tweakr – Utility Toolkit Developer Profile

Andi Dittrich

3 plugins · 11K total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Tweakr – Utility Toolkit

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/tweakr/resources/css/tweakr.css
/wp-content/plugins/tweakr/resources/js/tweakr.js
Script Paths
/wp-content/plugins/tweakr/resources/js/tweakr.js
/wp-content/plugins/tweakr/resources/analytics/matomo-analytics.min.js
Version Parameters
tweakr/resources/css/tweakr.css?ver=
tweakr/resources/js/tweakr.js?ver=
tweakr/resources/analytics/matomo-analytics.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
tweakr-php-error
JS Globals
tweakrTweakr