WH Tweaks Security & Risk Analysis

wordpress.org/plugins/wh-tweaks

Common functionality WordPress core should have but maybe shouldn't.

100 active installs · v1.0.3 · PHP + WP 4.0+ · Updated Jan 7, 2026

Security score: 99
Grade: A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Dec 21, 2025
Safety Verdict

Is WH Tweaks Safe to Use in 2026?

Generally Safe

Score 99/100

WH Tweaks has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Dec 21, 2025 · Updated 2mo ago
Risk Assessment

The "wh-tweaks" v1.0.3 plugin exhibits a mixed security posture. On the positive side, it demonstrates good practices by exclusively using prepared statements for its SQL queries and maintaining a high percentage of properly escaped output. The absence of dangerous functions, file operations, and external HTTP requests is also a good sign. However, significant concerns arise from its attack surface. The plugin exposes two AJAX handlers, both of which lack authentication checks, creating potential entry points for unauthorized actions. Furthermore, the complete absence of nonce checks on these AJAX endpoints exacerbates the risk, as it leaves them vulnerable to Cross-Site Request Forgery (CSRF) attacks. While the plugin has no currently unpatched vulnerabilities, its history includes one medium-severity Cross-site Scripting (XSS) vulnerability, which, despite being patched in past versions, highlights a past weakness in input sanitization or output escaping that needs continued vigilance. The lack of taint analysis data also makes it difficult to fully assess the impact of any potential unvalidated data flows.

Key Concerns

  • AJAX handlers without auth checks
  • Missing nonce checks on AJAX
  • Medium severity vulnerability history
Vulnerabilities (1)

WH Tweaks Security Vulnerabilities

CVEs by Year

1 CVE in 2025 (patched, none unpatched)

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-67630 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WH Tweaks <= 1.0.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Dec 21, 2025 · Patched in 1.0.3 (19d)
Code Analysis
Analyzed Mar 16, 2026

WH Tweaks Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 2 (63 escaped)
Nonce Checks: 0
Capability Checks: 1
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

97% escaped · 65 total outputs
Attack Surface (2 unprotected)

WH Tweaks Attack Surface

Entry Points: 4
Unprotected: 2

AJAX Handlers (2)

wp_ajax_save-widget (auth) · wh-tweaks.php:165
wp_ajax_widgets-order (auth) · wh-tweaks.php:166

Shortcodes (2)

[year] · wh-tweaks.php:88
[date] · wh-tweaks.php:89
WordPress Hooks (43)

filter · wp_die_ajax_handler · features\mu_sidebars.php:51
filter · gettext · functions.php:24
action · admin_menu · options-page.php:22
action · admin_init · options-page.php:30
action · admin_enqueue_scripts · options-page.php:429
filter · plugin_action_links · wh-tweaks.php:36
action · plugins_loaded · wh-tweaks.php:56
filter · the_generator · wh-tweaks.php:66
filter · script_loader_src · wh-tweaks.php:68
filter · style_loader_src · wh-tweaks.php:69
filter · wp_login_errors · wh-tweaks.php:76
action · lost_password · wh-tweaks.php:77
action · lostpassword_post · wh-tweaks.php:78
filter · phpmailer_init · wh-tweaks.php:83
filter · widget_text · wh-tweaks.php:93
action · admin_enqueue_scripts · wh-tweaks.php:97
action · admin_enqueue_scripts · wh-tweaks.php:101
action · enqueue_block_editor_assets · wh-tweaks.php:105
action · pre_ping · wh-tweaks.php:109
filter · login_headertext · wh-tweaks.php:116
filter · login_headertitle · wh-tweaks.php:120
filter · login_headerurl · wh-tweaks.php:122
action · login_enqueue_scripts · wh-tweaks.php:124
filter · get_the_excerpt · wh-tweaks.php:135
filter · page_attributes_dropdown_pages_args · wh-tweaks.php:140
filter · quick_edit_dropdown_pages_args · wh-tweaks.php:141
action · check_ajax_referer · wh-tweaks.php:147
filter · get_the_taxonomies · wh-tweaks.php:150
filter · get_terms · wh-tweaks.php:151
filter · get_the_terms · wh-tweaks.php:152
filter · edit_tag_form_pre · wh-tweaks.php:154
filter · get_term · wh-tweaks.php:155
filter · get_post_tag · wh-tweaks.php:156
filter · term_name · wh-tweaks.php:158
action · customize_save_after · wh-tweaks.php:164
action · sidebar_admin_setup · wh-tweaks.php:167
filter · dynamic_sidebar_has_widgets · wh-tweaks.php:171
action · template_redirect · wh-tweaks.php:175
filter · redirect_canonical · wh-tweaks.php:183
filter · embed_oembed_html · wh-tweaks.php:188
filter · video_embed_html · wh-tweaks.php:189
filter · wp_footer · wh-tweaks.php:190
action · init · wh-tweaks.php:198
Maintenance & Trust

WH Tweaks Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 7, 2026
PHP min version:
Downloads: 4K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 100
Developer Profile

WH Tweaks Developer Profile

webheadcoder

6 plugins · 95K total installs

Trust score: 79
Avg Security Score: 100/100
Avg Patch Time: 649 days
Detection Fingerprints

How We Detect WH Tweaks

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wh-tweaks/css/public.css
/wp-content/plugins/wh-tweaks/css/admin.css
/wp-content/plugins/wh-tweaks/js/public.js
/wp-content/plugins/wh-tweaks/js/admin.js
Script Paths
/wp-content/plugins/wh-tweaks/js/public.js
/wp-content/plugins/wh-tweaks/js/admin.js
Version Parameters
wh-tweaks/css/public.css?ver=
wh-tweaks/css/admin.css?ver=
wh-tweaks/js/public.js?ver=
wh-tweaks/js/admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
wht-video-container
Data Attributes
data-wht-modal
JS Globals
wht_settings
REST Endpoints
/wp-json/wh-tweaks/v1/settings
Shortcode Output
[year]
[date]
FAQ

Frequently Asked Questions about WH Tweaks