Volcano Widget Security & Risk Analysis

wordpress.org/plugins/volcano-widget

The plugin places a customizeable iframe containing an interactive map of volcanoes and earthquakes worldwide as widget into the sidebar.

10 active installs v1.2.2 PHP + WP 3.0.1+ Updated Jun 2, 2016
earthquakesmapvolcanoeswidgetworldwide
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Safety Verdict

Is Volcano Widget Safe to Use in 2026?

Generally Safe

Score 85/100

Volcano Widget has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 10yr ago
Risk Assessment

The 'volcano-widget' v1.2.2 plugin exhibits a generally strong security posture in several key areas. The absence of known CVEs and a clean vulnerability history is a positive indicator. Furthermore, all SQL queries are properly prepared, and there are no reported file operations or external HTTP requests, which significantly reduces common attack vectors. The plugin also appears to have a very small attack surface, with no exposed AJAX handlers, REST API routes, shortcodes, or cron events that are immediately apparent from the static analysis. This suggests a well-contained functionality.

However, there are notable concerns that detract from its overall security. The presence of the `create_function` is a critical red flag. This deprecated and insecure function can lead to arbitrary code execution if its input is not strictly controlled, and it often indicates poor coding practices or a lack of awareness of modern PHP security standards. Additionally, the low percentage of properly escaped output (11%) presents a significant risk of cross-site scripting (XSS) vulnerabilities. Any user-supplied data displayed by the widget without proper sanitization could be exploited. The complete lack of nonce and capability checks, while perhaps justifiable given the zero attack surface, means that if any entry points were to be introduced in the future, they would be entirely unprotected.

Key Concerns

  • Dangerous function create_function used
  • Low percentage of output properly escaped
  • No nonce checks
  • No capability checks
Vulnerabilities
None known

Volcano Widget Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Volcano Widget Release Timeline

No version history available.
Code Analysis
Analyzed Mar 17, 2026

Volcano Widget Code Analysis

Dangerous Functions
1
Raw SQL Queries
0
0 prepared
Unescaped Output
17
2 escaped
Nonce Checks
0
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0

Dangerous Functions Found

create_functionadd_action( 'widgets_init', create_function('', 'return register_widget("VolcanoWidget");') );VolcanoWidget.php:70

Output Escaping

11% escaped19 total outputs
Attack Surface

Volcano Widget Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 2
actionwidgets_initVolcanoWidget.php:70
actionadmin_menuVolcanoWidget.php:95
Maintenance & Trust

Volcano Widget Maintenance & Trust

Maintenance Signals

WordPress version tested4.5.33
Last updatedJun 2, 2016
PHP min version
Downloads2K

Community Trust

Rating0/100
Number of ratings0
Active installs10
Developer Profile

Volcano Widget Developer Profile

volcanodiscovery

2 plugins · 20 total installs

84
trust score
Avg Security Score
85/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Volcano Widget

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/volcano-widget/volcano-widget.js/wp-content/plugins/volcano-widget/volcano-widget.css
Script Paths
/wp-content/plugins/volcano-widget/volcano-widget.js
Version Parameters
volcano-widget/volcano-widget.js?ver=volcano-widget/volcano-widget.css?ver=

HTML / DOM Fingerprints

CSS Classes
VolcanoWidget
HTML Comments
<!-- begin VolcanoWidget --><!-- end VolcanoWidget / http://www.volcano-news.com/active-volcanoes-map/get-widget.html -->
Data Attributes
id="VW_bigMap"id="VW_backDiv"id="VW_smallMap"id="VW_mCont"id="VW_iframe"id="VW_mSwitch"
JS Globals
switchFrame
FAQ

Frequently Asked Questions about Volcano Widget