W4 Post List Security & Risk Analysis

wordpress.org/plugins/w4-post-list

W4 Post List lets you create a list of posts, terms, users or a combined one. Decorate output using shortcodes. It's just easy and fun.

Active installs: 3K · Version: v2.5.5 · PHP 7.4+ · WP 5.8+ · Updated Feb 16, 2026
Tags: custom-post-type, media, post, post-list, shortcode

Security score: 99 (A · Safe)
CVEs total: 5
Unpatched: 0
Last CVE: Mar 22, 2023
Safety Verdict

Is W4 Post List Safe to Use in 2026?

Generally Safe

Score 99/100

W4 Post List has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: Mar 22, 2023 · Updated 1mo ago
Risk Assessment

The w4-post-list plugin version 2.5.5 exhibits a mixed security posture. On the positive side, the code analysis reveals diligent use of prepared statements for all SQL queries and a high percentage of properly escaped output, significantly mitigating risks of SQL injection and XSS. The absence of file operations and external HTTP requests also reduces the attack surface. However, several concerning factors warrant attention. The plugin has a history of five medium-severity vulnerabilities, including exposure of sensitive information, XSS, and missing authorization. While none are currently unpatched, this past trend suggests a recurring pattern of potential security weaknesses. The lack of nonce checks on AJAX handlers and a single capability check for the entire plugin's entry points are significant concerns, leaving it susceptible to unauthorized actions and potential privilege escalation if input is not strictly validated. Taint analysis results are clean, indicating no critical or high-severity flows were detected in this specific scan.

Key Concerns

  • Historically significant number of medium vulnerabilities
  • Missing nonce checks on AJAX handlers
  • Only one capability check for multiple entry points
  • 81% output escaping (19% unescaped outputs)
Vulnerabilities (5)

W4 Post List Security Vulnerabilities

CVEs by Year

  • 2022: 1 CVE
  • 2023: 4 CVEs

Severity Breakdown

  • Medium: 5

5 total CVEs

CVE-2023-1371 · medium · 4.3 · Exposure of Sensitive Information to an Unauthorized Actor

W4 Post List <= 2.4.5 - Information Disclosure via post_excerpt

Mar 22, 2023 · Patched in 2.4.6 (307d)

CVE-2023-0374 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

W4 Post List <= 2.4.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Block Options

Mar 22, 2023 · Patched in 2.4.6 (307d)

CVE-2023-1373 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

W4 Post List <= 2.4.5 - Reflected Cross-Site Scripting

Mar 22, 2023 · Patched in 2.4.6 (307d)

CVE-2023-27413 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

W4 Post List <= 2.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'w4pl[no_items_text]'

Mar 8, 2023 · Patched in 2.4.5 (321d)

Appsero <= 1.2.1 - Missing Authorization

Dec 16, 2022 · Patched in 2.4.3 (699d)
Code Analysis
Analyzed Mar 16, 2026

W4 Post List Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (19 prepared)
  • Unescaped Output: 13 (57 escaped)
  • Nonce Checks: 0
  • Capability Checks: 1
  • File Operations: 0
  • External Requests: 1
  • Bundled Libraries: 0

SQL Query Safety

100% prepared · 19 total queries

Output Escaping

81% escaped · 70 total outputs
Attack Surface

W4 Post List Attack Surface

Entry Points: 5
Unprotected: 0

AJAX Handlers (1)

  • auth · wp_ajax_w4pl_list_edit_form_html · admin\class-admin-lists-metaboxes.php:29

Shortcodes (4)

  • [w4pl_time] · includes\shortcodes\class-date-shortcode.php:22
  • [w4pl_date] · includes\shortcodes\class-date-shortcode.php:23
  • [postlist] · includes\shortcodes\class-list-shortcode.php:22
  • [w4pl-list] · includes\shortcodes\class-list-shortcode.php:23
WordPress Hooks (57)

  • action · edit_form_after_title · admin\class-admin-lists-metaboxes.php:75
  • action · admin_enqueue_scripts · admin\class-admin-lists-metaboxes.php:78
  • action · load-edit.php · admin\class-admin-lists-table-columns.php:22
  • filter · months_dropdown_results · admin\class-admin-lists-table-columns.php:36
  • filter · post_updated_messages · admin\class-admin-main.php:25
  • action · admin_menu · admin\pages\class-admin-page-docs.php:23
  • action · admin_notices · appsero.php:41
  • action · admin_footer · appsero.php:107
  • filter · http_request_args · appsero.php:202
  • action · init · blocks.php:58
  • filter · the_content · includes\class-list-content.php:17
  • filter · w4pl/pre_save_options · includes\class-list-helper.php:23
  • filter · w4pl/pre_get_options · includes\class-list-helper.php:24
  • filter · w4pl/list_edit_form_html · includes\class-list-helper.php:25
  • filter · w4pl/pre_get_template · includes\class-list-templates.php:22
  • filter · w4pl/pre_save_template · includes\class-list-templates.php:23
  • action · init · includes\class-post-types.php:22
  • action · init · includes\class-w4-post-list.php:177
  • action · widgets_init · includes\class-w4-post-list.php:178
  • action · wp_enqueue_scripts · includes\class-w4-post-list.php:179
  • action · admin_enqueue_scripts · includes\class-w4-post-list.php:180
  • filter · w4pl/list_edit_form_fields · includes\helpers\class-helper-no-items.php:24
  • filter · w4pl/pre_save_options · includes\helpers\class-helper-no-items.php:25
  • filter · w4pl/pre_get_options · includes\helpers\class-helper-no-items.php:26
  • action · w4pl/parse_html · includes\helpers\class-helper-no-items.php:27
  • filter · w4pl/list_edit_form_fields · includes\helpers\class-helper-posts-date_query.php:24
  • filter · w4pl/pre_save_options · includes\helpers\class-helper-posts-date_query.php:25
  • filter · w4pl/pre_get_options · includes\helpers\class-helper-posts-date_query.php:26
  • filter · w4pl/parse_query_args · includes\helpers\class-helper-posts-date_query.php:27
  • filter · w4pl/list_edit_form_fields · includes\helpers\class-helper-posts-meta_query.php:24
  • filter · w4pl/pre_save_options · includes\helpers\class-helper-posts-meta_query.php:25
  • filter · w4pl/pre_get_options · includes\helpers\class-helper-posts-meta_query.php:26
  • filter · w4pl/parse_query_args · includes\helpers\class-helper-posts-meta_query.php:27
  • filter · w4pl/list_edit_form_fields · includes\helpers\class-helper-posts-tax_query.php:24
  • filter · w4pl/pre_save_options · includes\helpers\class-helper-posts-tax_query.php:25
  • filter · w4pl/pre_get_options · includes\helpers\class-helper-posts-tax_query.php:26
  • filter · w4pl/parse_query_args · includes\helpers\class-helper-posts-tax_query.php:27
  • filter · w4pl/pre_get_options · includes\helpers\class-helper-posts.php:24
  • filter · w4pl/list_edit_form_fields · includes\helpers\class-helper-posts.php:25
  • filter · w4pl/parse_query_args · includes\helpers\class-helper-posts.php:26
  • filter · w4pl/list_edit_form_fields · includes\helpers\class-helper-presets.php:24
  • filter · w4pl/pre_get_options · includes\helpers\class-helper-presets.php:25
  • filter · w4pl/parse_query_args · includes\helpers\class-helper-presets.php:26
  • filter · w4pl/list_edit_form_fields · includes\helpers\class-helper-style.php:24
  • filter · w4pl/pre_save_options · includes\helpers\class-helper-style.php:25
  • filter · w4pl/pre_get_options · includes\helpers\class-helper-style.php:26
  • filter · w4pl/parse_html · includes\helpers\class-helper-style.php:27
  • filter · w4pl/list_edit_form_fields · includes\helpers\class-helper-terms.php:24
  • filter · w4pl/pre_get_options · includes\helpers\class-helper-terms.php:25
  • filter · w4pl/parse_query_args · includes\helpers\class-helper-terms.php:26
  • filter · w4pl/pre_get_options · includes\helpers\class-helper-users.php:24
  • filter · w4pl/list_edit_form_fields · includes\helpers\class-helper-users.php:25
  • filter · w4pl/parse_query_args · includes\helpers\class-helper-users.php:26
  • filter · w4pl/get_shortcodes · includes\template-tags\class-post-template-tags.php:24
  • filter · w4pl/get_shortcodes · includes\template-tags\class-term-template-tags.php:21
  • filter · w4pl/get_shortcodes · includes\template-tags\class-user-template-tags.php:20
  • action · plugins_loaded · w4-post-list.php:49
Maintenance & Trust

W4 Post List Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Feb 16, 2026
  • PHP min version: 7.4
  • Downloads: 194K

Community Trust

  • Rating: 94/100
  • Number of ratings: 93
  • Active installs: 3K
Developer Profile

W4 Post List Developer Profile

Shazzad Hossain Khan

1 plugin · 3K total installs

  • Trust score: 78
  • Avg Security Score: 99/100
  • Avg Patch Time: 388 days
Detection Fingerprints

How We Detect W4 Post List

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/w4-post-list/assets/css/admin-documentation.css
  • /wp-content/plugins/w4-post-list/assets/css/form.css
  • /wp-content/plugins/w4-post-list/assets/css/list-editor.css
  • /wp-content/plugins/w4-post-list/assets/js/admin-documentation.js
  • /wp-content/plugins/w4-post-list/assets/js/list-editor.js
  • /wp-content/plugins/w4-post-list/assets/js/form.js

Script Paths

  • /wp-content/plugins/w4-post-list/assets/js/admin-documentation.js
  • /wp-content/plugins/w4-post-list/assets/js/list-editor.js
  • /wp-content/plugins/w4-post-list/assets/js/form.js

Version Parameters

  • w4-post-list/assets/css/admin-documentation.css?ver=
  • w4-post-list/assets/css/form.css?ver=
  • w4-post-list/assets/css/list-editor.css?ver=
  • w4-post-list/assets/js/admin-documentation.js?ver=
  • w4-post-list/assets/js/list-editor.js?ver=
  • w4-post-list/assets/js/form.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • w4pl-documentation-wrap
  • w4pl-documentation-main
  • w4pl-documentation-content
  • w4pl-documentation-sidebar

HTML Comments
<!--<p class="description">As like id (<code>[postlist id=1]</code>), a list can also be called using slug or title.<br /><strong>Ex</strong>: <code>[postlist slug='my-list']</code>, <code>[postlist Title='My List']</code></p>-->
FAQ

Frequently Asked Questions about W4 Post List