Visualizer: Tables and Charts Manager for WordPress Security & Risk Analysis

wordpress.org/plugins/visualizer

A simple yet powerful WordPress chart plugin to effortlessly create and embed responsive charts & tables into your site, supporting multiple data …

20K active installs · v3.11.15 · PHP 7.4+ · WP 5.2+ · Updated Mar 4, 2026
Tags: charts, graphs, pie, tables, visualization
Score: 76 (B · Generally Safe)
CVEs total: 12
Unpatched: 0
Last CVE: Dec 1, 2025
Safety Verdict

Is Visualizer: Tables and Charts Manager for WordPress Safe to Use in 2026?

Mostly Safe

Score 76/100

Visualizer: Tables and Charts Manager for WordPress is generally safe to use. 12 past CVEs were resolved. Keep it updated.

12 known CVEs · Last CVE: Dec 1, 2025 · Updated 29d ago
Risk Assessment

The "visualizer" plugin v3.11.15 presents a mixed security posture. On one hand, the static analysis indicates a relatively small attack surface with no direct AJAX handlers, REST API routes, or shortcodes exposed without authorization. The presence of numerous nonce and capability checks also suggests an effort to secure entry points. However, significant concerns arise from the code analysis, particularly the presence of the `unserialize` function, which is a known vector for deserialization vulnerabilities if not handled with extreme care. Furthermore, a substantial portion of output (53%) is not properly escaped, posing a risk of Cross-Site Scripting (XSS) vulnerabilities. The taint analysis, while not showing critical or high severity unsanitized flows in this specific analysis, highlights that 3 out of 8 flows had unsanitized paths, indicating potential for subtle but impactful vulnerabilities.

The plugin's vulnerability history is a major red flag. With 12 known CVEs, including 2 critical and 3 high severity issues, the plugin has a track record of significant security flaws. The types of historical vulnerabilities (SQL Injection, XSS, Missing Authorization, Deserialization, SSRF) directly correlate with the weaknesses identified in the static and taint analysis (unserialize, unescaped output, potential for auth bypass). The fact that the last vulnerability was dated in the future (2025-12-01) is a data anomaly and should be disregarded for this analysis; however, the sheer volume and severity of past vulnerabilities indicate a history of weak security practices within the plugin's development.

In conclusion, while the plugin has made some efforts to secure its entry points, the presence of dangerous functions like `unserialize`, a significant proportion of unescaped output, and a history of severe vulnerabilities paint a picture of a plugin that requires careful scrutiny. The combination of these factors suggests a moderate to high risk, especially considering the potential for attackers to leverage the plugin's known historical weaknesses or exploit the identified code-level concerns.

Key Concerns

  • Dangerous function 'unserialize' used
  • Significant portion of output not escaped
  • History of critical severity CVEs
  • History of high severity CVEs
  • Flows with unsanitized paths found
  • SQL queries not always using prepared statements
Vulnerabilities: 12

Visualizer: Tables and Charts Manager for WordPress Security Vulnerabilities

CVEs by Year

  • 2019: 2 CVEs
  • 2022: 3 CVEs
  • 2023: 2 CVEs
  • 2024: 3 CVEs
  • 2025: 2 CVEs

Severity Breakdown

  • Critical: 2
  • High: 3
  • Medium: 7

12 total CVEs

CVE-2025-12483 · medium · 6.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Visualizer: Tables and Charts Manager for WordPress <= 3.11.12 - Authenticated (Contributor+) SQL Injection

Dec 1, 2025 · Patched in 3.11.13 (1d)

CVE-2025-1065 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Visualizer: Tables and Charts Manager for WordPress <= 3.11.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Import Data From File

Feb 18, 2025 · Patched in 3.11.9 (1d)

CVE-2024-35736 · critical · 9.9 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Visualizer <= 3.11.1 - Authenticated (Subscriber+) SQL Injection

Jun 6, 2024 · Patched in 3.11.2 (8d)

CVE-2024-3750 · high · 8.8 · Missing Authorization

Visualizer: Tables and Charts Manager for WordPress <= 3.10.15 - Missing Authorization to Arbitrary SQL Execution

May 15, 2024 · Patched in 3.11.0 (1d)

CVE-2024-27958 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Visualizer <= 3.10.5 - Reflected Cross-Site Scripting

Mar 13, 2024 · Patched in 3.10.6 (8d)

CVE-2023-23708 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Visualizer <= 3.9.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes

Feb 20, 2023 · Patched in 3.9.5 (337d)

CVE-2022-46848 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Visualizer <= 3.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Feb 6, 2023 · Patched in 3.9.2 (351d)

CVE-2022-2256 · high · 8.8 · Deserialization of Untrusted Data

Visualizer: Tables and Charts Manager for WordPress <= 3.7.9 - Authenticated (Contributor+) PHAR Deserialization

Jul 5, 2022 · Patched in 3.7.10 (567d)

CVE-2022-2444 · high · 8.8 · Deserialization of Untrusted Data

Visualizer: Tables and Charts Manager for WordPress <= 3.7.9 - Authenticated (Contributor+) PHAR Deserialization

Jul 5, 2022 · Patched in 3.7.10 (567d)

WF-abc14a00-5560-440b-a5ba-4ff41a6c54c3-visualizer · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Visualizer <= 3.7.6 - Reflected Cross-Site Scripting

May 31, 2022 · Patched in 3.7.7 (602d)

CVE-2019-16932 · critical · 9.3 · Server-Side Request Forgery (SSRF)

Visualizer: Tables and Charts Manager for WordPress <= 3.3.0 - Server-Side Request Forgery

Sep 28, 2019 · Patched in 3.3.1 (1578d)

CVE-2019-16931 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Visualizer: Tables and Charts Manager for WordPress <= 3.3.0 - Stored Cross-Site Scripting

Sep 28, 2019 · Patched in 3.3.1 (1578d)

Code Analysis
Analyzed Mar 16, 2026

Visualizer: Tables and Charts Manager for WordPress Code Analysis

  • Dangerous Functions: 7
  • Raw SQL Queries: 2 (3 prepared)
  • Unescaped Output: 275 (242 escaped)
  • Nonce Checks: 15
  • Capability Checks: 26
  • File Operations: 8
  • External Requests: 2
  • Bundled Libraries: 2

Dangerous Functions Found

  • unserialize · `$data['visualizer-data'] = apply_filters( Visualizer_Plugin::FILTER_GET_CHART_DATA, unserialize( htm` · classes\Visualizer\Gutenberg\Block.php:370
  • unserialize · `if ( is_string( $temp ) && is_array( unserialize( $temp ) ) ) {` · classes\Visualizer\Gutenberg\Block.php:787
  • unserialize · `if ( is_string( $content ) && is_array( unserialize( $content ) ) ) {` · classes\Visualizer\Module\Chart.php:1238
  • unserialize · `$json = unserialize( $content );` · classes\Visualizer\Module\Chart.php:1239
  • unserialize · `$data = unserialize( $chart->post_content );` · classes\Visualizer\Module\Utility.php:213
  • unserialize · `$data = unserialize( $post_content );` · classes\Visualizer\Module.php:782
  • unserialize · `$data = unserialize( html_entity_decode( $chart->post_content ) );` · classes\Visualizer\Source\Csv\Remote.php:77

Bundled Libraries

DataTables, jQuery

SQL Query Safety

60% prepared · 5 total queries

Output Escaping

47% escaped · 517 total outputs

Data Flows: 3 unsanitized

Data Flow Analysis

8 flows · 3 with unsanitized paths

getDisplayForm (classes\Visualizer\Render\Library.php:77)

Attack Surface

Visualizer: Tables and Charts Manager for WordPress Attack Surface

Entry Points: 0
Unprotected: 0

WordPress Hooks 23

  • action · enqueue_block_editor_assets · classes\Visualizer\Gutenberg\Block.php:60
  • action · init · classes\Visualizer\Gutenberg\Block.php:61
  • action · rest_api_init · classes\Visualizer\Gutenberg\Block.php:62
  • filter · rest_visualizer_query · classes\Visualizer\Gutenberg\Block.php:63
  • filter · visualizer_query_args · classes\Visualizer\Module\Admin.php:136
  • action · admin_footer · classes\Visualizer\Module\Admin.php:761
  • filter · widget_text · classes\Visualizer\Module\Frontend.php:74
  • filter · term_description · classes\Visualizer\Module\Frontend.php:79
  • action · rest_api_init · classes\Visualizer\Module\Frontend.php:82
  • action · admin_enqueue_scripts · classes\Visualizer\Module\Wizard.php:108
  • filter · wp_revisions_to_keep · classes\Visualizer\Module.php:434
  • action · themeisle_log_event · classes\Visualizer\Plugin.php:152
  • filter · visualizer_assets_render · classes\Visualizer\Render\Sidebar\ChartJS.php:74
  • filter · visualizer_assets_render · classes\Visualizer\Render\Sidebar\Google.php:95
  • filter · visualizer_assets_render · classes\Visualizer\Render\Sidebar\Type\DataTable\DataTable.php:54
  • filter · visualizer_assets_render · classes\Visualizer\Render\Sidebar\Type\DataTable\Tabular.php:52
  • action · plugins_loaded · index.php:108
  • filter · themeisle_sdk_products · index.php:138
  • filter · pirate_parrot_log · index.php:139
  • filter · visualizer_about_us_metadata · index.php:150
  • filter · themeisle_sdk_enable_telemetry · index.php:164
  • filter · themeisle_sdk_telemetry_products · index.php:165
  • action · themeisle_log_event · index.php:226

Scheduled Events 1

visualizer_schedule_refresh_db
Maintenance & Trust

Visualizer: Tables and Charts Manager for WordPress Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Mar 4, 2026
  • PHP min version: 7.4
  • Downloads: 2.0M

Community Trust

  • Rating: 88/100
  • Number of ratings: 225
  • Active installs: 20K
Developer Profile

Visualizer: Tables and Charts Manager for WordPress Developer Profile

Themeisle

37 plugins · 2.2M total installs

  • Trust score: 76
  • Avg Security Score: 96/100
  • Avg Patch Time: 420 days
Detection Fingerprints

How We Detect Visualizer: Tables and Charts Manager for WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/visualizer/css/admin-settings.css
  • /wp-content/plugins/visualizer/css/admin-styles.css
  • /wp-content/plugins/visualizer/css/charts.css
  • /wp-content/plugins/visualizer/css/charts.min.css
  • /wp-content/plugins/visualizer/css/colors.css
  • /wp-content/plugins/visualizer/css/frontend.css
  • /wp-content/plugins/visualizer/css/frontend.min.css
  • /wp-content/plugins/visualizer/css/modules.css
  • +20 more

Script Paths

  • /wp-content/plugins/visualizer/js/visualizer-plugin.min.js
  • /wp-content/plugins/visualizer/js/gutenberg-block.min.js
  • /wp-content/plugins/visualizer/js/frontend.min.js

Version Parameters

  • visualizer/css/admin-settings.css?ver=
  • visualizer/css/admin-styles.css?ver=
  • visualizer/css/charts.css?ver=
  • visualizer/css/charts.min.css?ver=
  • visualizer/css/colors.css?ver=
  • visualizer/css/frontend.css?ver=
  • visualizer/css/frontend.min.css?ver=
  • visualizer/css/modules.css?ver=
  • visualizer/css/modules.min.css?ver=
  • visualizer/css/new-frontend.css?ver=
  • visualizer/css/new-frontend.min.css?ver=
  • visualizer/css/setup-wizard.css?ver=
  • visualizer/js/admin-scripts.js?ver=
  • visualizer/js/charts.js?ver=
  • visualizer/js/charts.min.js?ver=
  • visualizer/js/customizer.js?ver=
  • visualizer/js/frontend.js?ver=
  • visualizer/js/frontend.min.js?ver=
  • visualizer/js/gutenberg-block.js?ver=
  • visualizer/js/gutenberg-block.min.js?ver=
  • visualizer/js/modules.js?ver=
  • visualizer/js/modules.min.js?ver=
  • visualizer/js/new-frontend.js?ver=
  • visualizer/js/new-frontend.min.js?ver=
  • visualizer/js/setup-wizard.js?ver=
  • visualizer/js/vendor/jquery/jquery.min.js?ver=
  • visualizer/js/visualizer-plugin.js?ver=
  • visualizer/js/visualizer-plugin.min.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • visualizer-chart
  • visualizer-table
  • visualizer-pro-upsell-notice

HTML Comments

  • <!-- Visualizer Chart -->
  • <!-- Visualizer Table -->
  • <!-- Visualizer Pro Upsell Notice -->

Data Attributes

  • data-visualizer-chart
  • data-visualizer-table

JS Globals

  • Visualizer
  • VisualizerCharts
  • VisualizerTables
  • visualizer_pro_params
  • visualizer_frontend_params

REST Endpoints

  • /wp-json/visualizer/v1/charts
  • /wp-json/visualizer/v1/tables

Shortcode Output

  • [visualizer]
  • [visualizer id="%s"]
  • [visualizer type="chart"]
  • [visualizer type="table"]