WP-Safety

Vanilla Bean – Icon Setter Security & Risk Analysis

wordpress.org/plugins/vanilla-bean-icon-setter

Icon Setter (Iconifier) is a simple set-site-icon plugin for all devices.

20 active installs v2.81 PHP + WP 4.0+ Updated Jul 21, 2020
brandingfaviconiconiconifysite-icon
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is Vanilla Bean – Icon Setter Safe to Use in 2026?

Generally Safe

Score 85/100

Vanilla Bean – Icon Setter has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 5yr ago
Risk Assessment

The vanilla-bean-icon-setter v2.81 plugin exhibits a generally good security posture based on the provided static analysis. The plugin has a minimal attack surface with no detected AJAX handlers, REST API routes, shortcodes, or cron events, and all identified entry points appear to be protected. The code also demonstrates good practices by exclusively using prepared statements for SQL queries and making no external HTTP requests. Capability checks are in place for the few identified file operations.

However, a significant concern arises from the output escaping results, where only 40% of the 45 outputs are properly escaped. This indicates a potential for Cross-Site Scripting (XSS) vulnerabilities if user-controlled data is directly outputted without adequate sanitization. The absence of any taint analysis flows is positive, suggesting no immediately obvious critical or high-severity vulnerabilities related to unsanitized paths or sensitive data flows. The plugin's history of zero known CVEs further reinforces a perception of a stable and secure codebase over time.

Despite the lack of historical vulnerabilities and a small attack surface, the unescaped output is a notable weakness that requires attention. While the plugin has strengths in its minimal attack surface and adherence to secure SQL practices, the potential for XSS due to insufficient output escaping is the primary security concern. Addressing this should be the priority for improving the plugin's security.

Key Concerns

  • Poor output escaping (40% properly escaped)
Vulnerabilities
None known

Vanilla Bean – Icon Setter Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Vanilla Bean – Icon Setter Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
27
18 escaped
Nonce Checks
0
Capability Checks
3
File Operations
3
External Requests
0
Bundled Libraries
0

Output Escaping

40% escaped45 total outputs
Attack Surface

Vanilla Bean – Icon Setter Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 8
actionadmin_print_scriptsinc\admin\settings.php:36
actionadmin_print_stylesinc\admin\settings.php:37
actionadmin_enqueue_scriptsvanilla-bean-icon-setter.php:66
actionadmin_menuvanilla-bean-icon-setter.php:74
actionadmin_initvanilla-bean-icon-setter.php:99
actionwp_headvanilla-bean-icon-setter.php:458
actionadmin_headvanilla-bean-icon-setter.php:459
actionlogin_headvanilla-bean-icon-setter.php:460
Maintenance & Trust

Vanilla Bean – Icon Setter Maintenance & Trust

Maintenance Signals

WordPress version tested5.4.19
Last updatedJul 21, 2020
PHP min version
Downloads4K

Community Trust

Rating100/100
Number of ratings2
Active installs20
Alternatives

Vanilla Bean – Icon Setter Alternatives

Custom Favicon – Easily Add a Favicon in WordPress

Custom Favicon – Easily Add a Favicon in WordPress

custom-favicon

A
100

Easily add a custom favicon and Apple touch icon to your WordPress site, including support for dark mode, SVG icons, and admin dashboard branding.

5K No CVEs
Site Favicon

Site Favicon

site-favicon

A
99

Add a favicon.

5K 1 CVE
Remove Site Icon

Remove Site Icon

remove-site-icon

A
85

This plugin will remove site icon/favicon from frontend and admin.

80 No CVEs
Huntsman Dark Mode Site Icon

Huntsman Dark Mode Site Icon

huntsman-dark-mode-site-icon

A
100

Set separate site icons for light and dark mode based on the visitor’s system theme.

0 No CVEs
Favicon by RealFaviconGenerator

Favicon by RealFaviconGenerator

favicon-by-realfavicongenerator

A
96

Create and install your favicon for all platforms: PC/Mac, iPhone/iPad, Android devices, Windows 8 tablets...

200K 4 CVEs
Developer Profile

Vanilla Bean – Icon Setter Developer Profile

vsmash

5 plugins · 70 total installs

88
trust score
Avg Security Score
92/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Vanilla Bean – Icon Setter

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/vanilla-bean-icon-setter/inc/admin/settings.css/wp-content/plugins/vanilla-bean-icon-setter/inc/admin/settings.js/wp-content/plugins/vanilla-bean-icon-setter/inc/admin/colourpicker/css/bootstrap-colorpicker.min.css/wp-content/plugins/vanilla-bean-icon-setter/inc/admin/colourpicker/js/bootstrap-colorpicker.min.js/wp-content/plugins/vanilla-bean-icon-setter/inc/admin/colourpicker/js/colorpicker.js
Script Paths
/wp-content/plugins/vanilla-bean-icon-setter/inc/admin/settings.js/wp-content/plugins/vanilla-bean-icon-setter/inc/admin/colourpicker/js/bootstrap-colorpicker.min.js/wp-content/plugins/vanilla-bean-icon-setter/inc/admin/colourpicker/js/colorpicker.js
Version Parameters
vanilla-bean-icon-setter/inc/admin/settings.css?ver=vanilla-bean-icon-setter/inc/admin/settings.js?ver=vanilla-bean-icon-setter/inc/admin/colourpicker/css/bootstrap-colorpicker.min.css?ver=vanilla-bean-icon-setter/inc/admin/colourpicker/js/bootstrap-colorpicker.min.js?ver=vanilla-bean-icon-setter/inc/admin/colourpicker/js/colorpicker.js?ver=

HTML / DOM Fingerprints

CSS Classes
vbean-settings-page
HTML Comments
<!-- Settings API -->
Data Attributes
data-current-color
JS Globals
vbean_colorpicker_init
FAQ

Frequently Asked Questions about Vanilla Bean – Icon Setter