Virtual Candles – Memorial Light Display Security & Risk Analysis

wordpress.org/plugins/virtual-candles

Digital memorial candle display where visitors can light virtual candles with personal messages for churches and memorial sites.

0 active installs · v2.0.3 · PHP 8.1+ · WP 6.0+ · Updated Feb 23, 2026
Tags: candles, memorial, prayer, remembrance, virtual-candles
100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Virtual Candles – Memorial Light Display Safe to Use in 2026?

Generally Safe

Score 100/100

Virtual Candles – Memorial Light Display has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 2mo ago
Risk Assessment

The virtual-candles v2.0.3 plugin exhibits a mixed security posture. On the positive side, it demonstrates excellent practices in handling SQL queries, with 100% prepared statements, and a very high rate of output escaping (97%). Furthermore, there is no historical record of vulnerabilities, suggesting a generally stable and well-maintained codebase. The absence of file operations, external HTTP requests, and bundled libraries is also a favorable security indicator.

However, the attack surface is a significant concern. The plugin exposes 6 AJAX handlers that lack authentication checks, presenting a potential entry point for unauthenticated attackers. The code contains 6 nonce checks but only one capability check, so the direct exposure of AJAX actions without proper authorization is a notable weakness. The taint analysis found no issues, which is reassuring, but the unprotected AJAX handlers still pose a real risk.

In conclusion, while the plugin has strong internal code hygiene regarding data handling and output, the unprotected AJAX endpoints create a clear security vulnerability. The lack of historical vulnerabilities is a positive sign, but it does not negate the immediate risk posed by the exposed AJAX functionality. Addressing these unprotected AJAX handlers should be the top priority.

Key Concerns

  • Unprotected AJAX handlers
  • Limited capability checks
Vulnerabilities
None known

Virtual Candles – Memorial Light Display Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Virtual Candles – Memorial Light Display Release Timeline

v2.0.3 (Current)
Code Analysis
Analyzed Apr 16, 2026

Virtual Candles – Memorial Light Display Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (8 prepared)
Unescaped Output: 11 (425 escaped)
Nonce Checks: 6
Capability Checks: 1
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared · 8 total queries

Output Escaping

97% escaped · 436 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

1 flow
<AjaxHandler> (includes/Frontend/AjaxHandler.php:0)
Attack Surface
6 unprotected

Virtual Candles – Memorial Light Display Attack Surface

Entry Points: 10
Unprotected: 6

AJAX Handlers 6

auth wp_ajax_ststudio_vcmld_create_candle includes/Core/Plugin.php:141
nopriv wp_ajax_ststudio_vcmld_create_candle includes/Core/Plugin.php:142
auth wp_ajax_ststudio_vcmld_send_candle includes/Core/Plugin.php:143
nopriv wp_ajax_ststudio_vcmld_send_candle includes/Core/Plugin.php:144
auth wp_ajax_ststudio_vcmld_load_more includes/Core/Plugin.php:145
nopriv wp_ajax_ststudio_vcmld_load_more includes/Core/Plugin.php:146

Shortcodes 4

[virtual_candles_create] includes/Core/Plugin.php:121
[virtual_candles_send] includes/Core/Plugin.php:122
[virtual_candles_display] includes/Core/Plugin.php:126
[virtual_candles_chapel] includes/Core/Plugin.php:127

WordPress Hooks 18

action add_meta_boxes includes/Admin/MetaBoxes.php:27
filter enter_title_here includes/Admin/MetaBoxes.php:31
action init includes/Core/Plugin.php:100
action wp_enqueue_scripts includes/Core/Plugin.php:101
action admin_enqueue_scripts includes/Core/Plugin.php:102
action init includes/Core/Plugin.php:106
action admin_menu includes/Core/Plugin.php:111
action virtcan_hourly_expiration includes/Core/Plugin.php:150
filter cron_schedules includes/Core/Plugin.php:153
filter query_vars includes/Core/Plugin.php:175
action template_redirect includes/Core/Plugin.php:181
action template_redirect includes/Frontend/ArchiveHandler.php:28
filter template_include includes/Frontend/ArchiveHandler.php:29
action template_redirect includes/Frontend/ChapelTemplate.php:27
filter template_include includes/Frontend/ChapelTemplate.php:37
filter the_content includes/Frontend/SingleCandleHandler.php:28
action wp_head includes/Frontend/SingleCandleHandler.php:29
action plugins_loaded virtual-candles.php:41

Scheduled Events 2

virtcan_hourly_expiration
virtcan_hourly_expiration
Maintenance & Trust

Virtual Candles – Memorial Light Display Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 23, 2026
PHP min version: 8.1
Downloads: 188

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 0
Developer Profile

Virtual Candles – Memorial Light Display Developer Profile

Saskia Teichmann

7 plugins · 320 total installs

Trust score: 93
Avg Security Score: 99/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Virtual Candles – Memorial Light Display

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/virtual-candles/assets/css/frontend.css
  • /wp-content/plugins/virtual-candles/assets/js/virtual-candles.js
  • /wp-content/plugins/virtual-candles/assets/js/chapel-display.js

Script Paths

  • /wp-content/plugins/virtual-candles/assets/js/virtual-candles.js
  • /wp-content/plugins/virtual-candles/assets/js/chapel-display.js

Version Parameters

  • virtual-candles/assets/css/frontend.css?ver=
  • virtual-candles/assets/js/virtual-candles.js?ver=
  • virtual-candles/assets/js/chapel-display.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • vc-candle-item
  • vc-candle-list
  • vc-create-form
  • vc-send-form
  • vc-chapel-container

HTML Comments

  • <!-- Virtual Candle Create Form -->
  • <!-- Virtual Candle Send Form -->
  • <!-- Virtual Candle Display -->
  • <!-- Virtual Candle Chapel Display -->
  • +3 more

Data Attributes

  • data-candle-id
  • data-action
  • data-message-id
  • data-nonce

JS Globals

  • window.virtualCandlesConfig

REST Endpoints

  • /wp-json/ststudio-virtual-candles/v1/create
  • /wp-json/ststudio-virtual-candles/v1/send
  • /wp-json/ststudio-virtual-candles/v1/load-more

Shortcode Output

  • [virtual_candles_create]
  • [virtual_candles_send]
  • [virtual_candles_display]
  • [virtual_candles_chapel]
FAQ

Frequently Asked Questions about Virtual Candles – Memorial Light Display