Does Viral Loops WP Integration have any unpatched vulnerabilities?

Yes — Viral Loops WP Integration currently has 3 unpatched vulnerabilities. We recommend switching to an alternative or applying any available workarounds.

Is Viral Loops WP Integration compatible with WordPress 6.0.11?

According to WordPress.org data, Viral Loops WP Integration 3.8.1 has been tested up to WordPress 6.0.11. Check the plugin's changelog for the latest compatibility information.

How often is Viral Loops WP Integration updated?

Viral Loops WP Integration was last updated on May 27, 2025. Frequent updates are generally a positive security signal.

What is Viral Loops WP Integration's security score?

Viral Loops WP Integration has a WP-Safety security score of 46/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Viral Loops WP Integration Security & Risk Analysis

wordpress.org/plugins/viral-loops-wp-integration

The simplest way to install your Viral Loops campaign to your WordPress website.

200 active installs v3.8.1 PHP + WP 3.9+ Updated May 27, 2025

giveawaysreferral-marketingreferralssweepstakesviral-marketing

D · High Risk

CVEs total3

Unpatched3

Last CVEJun 5, 2025

Plugin page Download

Safety Verdict

Is Viral Loops WP Integration Safe to Use in 2026?

High Risk

Score 46/100

Viral Loops WP Integration carries significant security risk with 3 known CVEs, 3 still unpatched. Consider switching to a maintained alternative.

3 known CVEs 3 unpatched Last CVE: Jun 5, 2025Updated 10mo ago

Risk Assessment

The "viral-loops-wp-integration" plugin version 3.8.1 exhibits significant security concerns, primarily due to a large number of unprotected entry points and a history of unpatched vulnerabilities. While the plugin demonstrates good practices by exclusively using prepared statements for SQL queries and having no dangerous functions or file operations, the absence of authentication checks on 22 out of 26 identified entry points (AJAX handlers and REST API routes) creates a substantial attack surface. This means unauthorized users could potentially interact with these endpoints and trigger unintended actions.

The vulnerability history is particularly alarming, with 3 known CVEs, all of which remain unpatched. The common themes of "Missing Authorization" and "Exposure of Sensitive Information to an Unauthorized Actor" directly correlate with the findings in the static analysis, indicating a recurring pattern of authorization bypasses and data leakage. The recent nature of the last vulnerability (2025-06-05) suggests ongoing security weaknesses.

While the plugin avoids some common pitfalls like raw SQL and dangerous functions, the high number of unprotected entry points and the unpatched CVEs present a critical risk. The low percentage of properly escaped output also raises concerns about potential cross-site scripting (XSS) vulnerabilities, though this is not explicitly detailed in the taint analysis. The plugin's security posture is therefore precarious, leaning heavily towards high risk due to the combination of a wide-open attack surface and a persistent history of exploitable flaws.

Key Concerns

Unpatched CVEs (3)
Unprotected AJAX handlers (18)
Unprotected REST API routes (4)
Low output escaping percentage (5%)
Limited nonce checks (2)

Vulnerabilities

Viral Loops WP Integration Security Vulnerabilities

CVEs by Year

3 CVEs in 2025 · unpatched

2025

Patched Has unpatched

Severity Breakdown

Medium

Low

3 total CVEs

CVE-2025-28995medium · 5.3Missing Authorization

Viral Loops WP Integration <= 3.8.1 - Missing Authorization

Jun 5, 2025Unpatched

CVE-2025-28994low · 3.1Missing Authorization

Viral Loops WP Integration <= 3.8.1 - Missing Authorization

Jun 5, 2025Unpatched

CVE-2025-31842medium · 5.3Exposure of Sensitive Information to an Unauthorized Actor

Viral Loops WP Integration <= 3.8.1 - Unauthenticated Sensitive Information Disclosure

Apr 1, 2025Unpatched

Code Analysis

Analyzed Mar 16, 2026

Viral Loops WP Integration Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

4 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

5% escaped82 total outputs

Attack Surface

22 unprotected

Viral Loops WP Integration Attack Surface

Entry Points26

Unprotected22

AJAX Handlers 18

noprivwp_ajax_js_vloops_ajax_save_campaignincludes\class-vloops-wp-plugin.php:159

authwp_ajax_js_vloops_ajax_save_campaignincludes\class-vloops-wp-plugin.php:160

noprivwp_ajax_js_vloops_ajax_activate_campaignincludes\class-vloops-wp-plugin.php:161

authwp_ajax_js_vloops_ajax_activate_campaignincludes\class-vloops-wp-plugin.php:162

noprivwp_ajax_js_vloops_ajax_deactivate_campaignincludes\class-vloops-wp-plugin.php:163

authwp_ajax_js_vloops_ajax_deactivate_campaignincludes\class-vloops-wp-plugin.php:164

authwp_ajax_js_vloops_ajax_delete_campaignincludes\class-vloops-wp-plugin.php:165

noprivwp_ajax_js_vloops_ajax_reload_campaignsincludes\class-vloops-wp-plugin.php:166

authwp_ajax_js_vloops_ajax_reload_campaignsincludes\class-vloops-wp-plugin.php:167

noprivwp_ajax_js_vloops_ajax_save_campaigntrunk\includes\class-vloops-wp-plugin.php:159

authwp_ajax_js_vloops_ajax_save_campaigntrunk\includes\class-vloops-wp-plugin.php:160

noprivwp_ajax_js_vloops_ajax_activate_campaigntrunk\includes\class-vloops-wp-plugin.php:161

authwp_ajax_js_vloops_ajax_activate_campaigntrunk\includes\class-vloops-wp-plugin.php:162

noprivwp_ajax_js_vloops_ajax_deactivate_campaigntrunk\includes\class-vloops-wp-plugin.php:163

authwp_ajax_js_vloops_ajax_deactivate_campaigntrunk\includes\class-vloops-wp-plugin.php:164

authwp_ajax_js_vloops_ajax_delete_campaigntrunk\includes\class-vloops-wp-plugin.php:165

noprivwp_ajax_js_vloops_ajax_reload_campaignstrunk\includes\class-vloops-wp-plugin.php:166

authwp_ajax_js_vloops_ajax_reload_campaignstrunk\includes\class-vloops-wp-plugin.php:167

REST API Routes 4

GET/wp-json/vl-routes/campaignspublic\elements\vl-block\vl-block.php:139

GET/wp-json/vl-routes/campaignspublic\elements\vloops-divi-extension\includes\modules\ViralLoopsModule\ViralLoopsModule.php:187

GET/wp-json/vl-routes/campaignstrunk\public\elements\vl-block\vl-block.php:139

GET/wp-json/vl-routes/campaignstrunk\public\elements\vloops-divi-extension\includes\modules\ViralLoopsModule\ViralLoopsModule.php:187

Shortcodes 4

[vl_form] public\class-vloops-wp-plugin-public.php:44

[vc_vl_element] public\elements\vc-element\vl-element.php:9

[vl_form] trunk\public\class-vloops-wp-plugin-public.php:44

[vc_vl_element] trunk\public\elements\vc-element\vl-element.php:9

WordPress Hooks 52

actionplugins_loadedincludes\class-vloops-wp-plugin.php:142

actionadmin_enqueue_scriptsincludes\class-vloops-wp-plugin.php:157

actionadmin_enqueue_scriptsincludes\class-vloops-wp-plugin.php:158

actionadmin_initincludes\class-vloops-wp-plugin.php:169

actionadmin_menuincludes\class-vloops-wp-plugin.php:171

actionenqueue_block_editor_assetsincludes\class-vloops-wp-plugin.php:172

actionwp_enqueue_scriptsincludes\class-vloops-wp-plugin.php:187

actionwp_enqueue_scriptsincludes\class-vloops-wp-plugin.php:188

actionvc_before_initincludes\class-vloops-wp-plugin.php:189

actionthe_postincludes\class-vloops-wp-plugin.php:190

actiondivi_extensions_initincludes\class-vloops-wp-plugin.php:191

actionwp_headpublic\class-vloops-wp-plugin-public.php:101

actionwp_footerpublic\class-vloops-wp-plugin-public.php:103

actionelementor/editor/before_enqueue_scriptspublic\class-vloops-wp-plugin-public.php:229

actionelementor/element/before_section_endpublic\elements\elementor-widget\elementor-widget.php:63

actionelementor/element/before_section_endpublic\elements\elementor-widget\elementor-widget.php:70

actionvc_after_initpublic\elements\vc-element\vl-element.php:50

actionvc_after_initpublic\elements\vc-element\vl-element.php:60

actioninitpublic\elements\vl-block\vl-block.php:62

actionrest_api_initpublic\elements\vl-block\vl-block.php:147

actionadmin_headpublic\elements\vl-classic-editor-shortcode\vl-classic-editor-shortcode.php:10

filtermce_external_pluginspublic\elements\vl-classic-editor-shortcode\vl-classic-editor-shortcode.php:18

filtermce_buttonspublic\elements\vl-classic-editor-shortcode\vl-classic-editor-shortcode.php:19

actionafter_wp_tiny_mcepublic\elements\vl-classic-editor-shortcode\vl-classic-editor-shortcode.php:21

actionrest_api_initpublic\elements\vloops-divi-extension\includes\modules\ViralLoopsModule\ViralLoopsModule.php:20

actiondivi_extensions_initpublic\elements\vloops-divi-extension\vloops-divi-extension.php:15

actionplugins_loadedtrunk\includes\class-vloops-wp-plugin.php:142

actionadmin_enqueue_scriptstrunk\includes\class-vloops-wp-plugin.php:157

actionadmin_enqueue_scriptstrunk\includes\class-vloops-wp-plugin.php:158

actionadmin_inittrunk\includes\class-vloops-wp-plugin.php:169

actionadmin_menutrunk\includes\class-vloops-wp-plugin.php:171

actionenqueue_block_editor_assetstrunk\includes\class-vloops-wp-plugin.php:172

actionwp_enqueue_scriptstrunk\includes\class-vloops-wp-plugin.php:187

actionwp_enqueue_scriptstrunk\includes\class-vloops-wp-plugin.php:188

actionvc_before_inittrunk\includes\class-vloops-wp-plugin.php:189

actionthe_posttrunk\includes\class-vloops-wp-plugin.php:190

actiondivi_extensions_inittrunk\includes\class-vloops-wp-plugin.php:191

actionwp_headtrunk\public\class-vloops-wp-plugin-public.php:101

actionwp_footertrunk\public\class-vloops-wp-plugin-public.php:103

actionelementor/editor/before_enqueue_scriptstrunk\public\class-vloops-wp-plugin-public.php:229

actionelementor/element/before_section_endtrunk\public\elements\elementor-widget\elementor-widget.php:63

actionelementor/element/before_section_endtrunk\public\elements\elementor-widget\elementor-widget.php:70

actionvc_after_inittrunk\public\elements\vc-element\vl-element.php:50

actionvc_after_inittrunk\public\elements\vc-element\vl-element.php:60

actioninittrunk\public\elements\vl-block\vl-block.php:62

actionrest_api_inittrunk\public\elements\vl-block\vl-block.php:147

actionadmin_headtrunk\public\elements\vl-classic-editor-shortcode\vl-classic-editor-shortcode.php:10

filtermce_external_pluginstrunk\public\elements\vl-classic-editor-shortcode\vl-classic-editor-shortcode.php:18

filtermce_buttonstrunk\public\elements\vl-classic-editor-shortcode\vl-classic-editor-shortcode.php:19

actionafter_wp_tiny_mcetrunk\public\elements\vl-classic-editor-shortcode\vl-classic-editor-shortcode.php:21

actionrest_api_inittrunk\public\elements\vloops-divi-extension\includes\modules\ViralLoopsModule\ViralLoopsModule.php:20

actiondivi_extensions_inittrunk\public\elements\vloops-divi-extension\vloops-divi-extension.php:15

Maintenance & Trust

Viral Loops WP Integration Maintenance & Trust

Maintenance Signals

WordPress version tested6.0.11

Last updatedMay 27, 2025

PHP min version

Downloads23K

Community Trust

Rating60/100

Number of ratings2

Active installs200

Alternatives

Viral Loops WP Integration Alternatives

Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers

rafflepress

The best WordPress giveaway plugin. Grow your email list, website traffic, and social media followers with viral contests, giveaways, and sweepstakes.

30K 11 CVEs

Woobox

woobox

Easily embed your Woobox promotions in WordPress using a simple shortcode.

1K 2 CVEs

Run Contests, Raffles, and Giveaways with ContestsWP

contest-code-checker

An easy to use WordPress plugin to do giveaways.

100 1 unpatched

Contests & Giveaways – WordPress Contest Plugin

giveaways-contests

Contest Cat Lets You Create Incredible Contests, Giveaways & Sweepstakes With Ease.

100 No CVEs

Contests by Rewards Fuel

contests-from-rewards-fuel

Contests by Rewards Fuel encourages your audience to take actions that build your business; it's a win-win for you and your customers!

60 3 CVEs

Developer Profile

Viral Loops WP Integration Developer Profile

viralloops

1 plugin · 200 total installs

trust score

Avg Security Score

46/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect Viral Loops WP Integration

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/viral-loops-wp-integration/admin/css/vloops-wp-plugin-admin.css/wp-content/plugins/viral-loops-wp-integration/admin/js/vloops-wp-plugin-admin.js/wp-content/plugins/viral-loops-wp-integration/public/css/vloops-wp-plugin-public.css/wp-content/plugins/viral-loops-wp-integration/public/js/vloops-wp-plugin-public.js/wp-content/plugins/viral-loops-wp-integration/public/js/jquery.countdown.min.js/wp-content/plugins/viral-loops-wp-integration/public/js/vloops.js/wp-content/plugins/viral-loops-wp-integration/public/js/Chart.bundle.min.js

Script Paths

/wp-content/plugins/viral-loops-wp-integration/admin/js/vloops-wp-plugin-admin.js/wp-content/plugins/viral-loops-wp-integration/public/js/vloops-wp-plugin-public.js/wp-content/plugins/viral-loops-wp-integration/public/js/jquery.countdown.min.js/wp-content/plugins/viral-loops-wp-integration/public/js/vloops.js/wp-content/plugins/viral-loops-wp-integration/public/js/Chart.bundle.min.js

Version Parameters

viral-loops-wp-integration/admin/css/vloops-wp-plugin-admin.css?ver=viral-loops-wp-integration/admin/js/vloops-wp-plugin-admin.js?ver=viral-loops-wp-integration/public/css/vloops-wp-plugin-public.css?ver=viral-loops-wp-integration/public/js/vloops-wp-plugin-public.js?ver=viral-loops-wp-integration/public/js/jquery.countdown.min.js?ver=viral-loops-wp-integration/public/js/vloops.js?ver=viral-loops-wp-integration/public/js/Chart.bundle.min.js?ver=

HTML / DOM Fingerprints

CSS Classes

vloops_widget_title

HTML Comments

Data Attributes

data-vloops-user-iddata-vloops-campaign-iddata-vloops-api-keydata-vloops-target-url

JS Globals

vloops_campaign_datavloops_user_dataVLoops_Countdown_Timervloops_chart_datavloops_settings

REST Endpoints

/wp-json/vloops-wp-integration/v1/campaign

Shortcode Output

[viral_loops_campaign][viral_loops_referral_link][viral_loops_stats]

FAQ