Does Built-in Widgets Query extend (Custom Post Types & more) have any unpatched vulnerabilities?

No. All known vulnerabilities in Built-in Widgets Query extend (Custom Post Types & more) have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Built-in Widgets Query extend (Custom Post Types & more) compatible with WordPress 6.5.8?

According to WordPress.org data, Built-in Widgets Query extend (Custom Post Types & more) 1.09 has been tested up to WordPress 6.5.8. Check the plugin's changelog for the latest compatibility information.

What is Built-in Widgets Query extend (Custom Post Types & more)'s security score?

Built-in Widgets Query extend (Custom Post Types & more) has a WP-Safety security score of 92/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Built-in Widgets Query extend (Custom Post Types & more) Security & Risk Analysis

wordpress.org/plugins/widget-extend-builtin-query

[ ✅ 𝐒𝐄𝐂𝐔𝐑𝐄 𝐏𝐋𝐔𝐆𝐈𝐍𝐒 𝐵𝓎 𝒫𝓊𝓋𝑜𝓍 ] Plugin extends built-in widgets, so you could add your arguments and query.

0 active installs v1.09 PHP + WP 6.0+ Updated Oct 30, 2024

builtextendinwidgetwidgets

A · Safe

CVEs total1

Unpatched0

Last CVEAug 1, 2022

Plugin page Download

Safety Verdict

Is Built-in Widgets Query extend (Custom Post Types & more) Safe to Use in 2026?

Generally Safe

Score 92/100

Built-in Widgets Query extend (Custom Post Types & more) has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVELast CVE: Aug 1, 2022Updated 1yr ago

Risk Assessment

The "widget-extend-builtin-query" plugin v1.09 presents a mixed security posture. While it demonstrates some good practices such as a relatively low attack surface and a majority of SQL queries utilizing prepared statements, significant concerns arise from the static analysis. The presence of the `unserialize` function without explicit safeguards is a critical risk, as it can lead to Remote Code Execution if untrusted data is passed to it. Furthermore, the taint analysis reveals a high number of flows with unsanitized paths and one high-severity taint flow, indicating potential vulnerabilities for data manipulation or exposure.

The vulnerability history, specifically a past medium-severity Cross-Site Scripting (XSS) vulnerability, suggests a pattern of potential input validation or output escaping issues within the plugin's codebase. While there are no currently unpatched CVEs, the historical presence of XSS warrants caution. The plugin's limited capability and nonce checks in its attack surface are concerning, especially when combined with the identified potential for unsanitized data flows and the dangerous `unserialize` function. Overall, while the plugin has strengths in its limited attack surface and SQL practices, the identified risks in code analysis and its vulnerability history necessitate careful consideration and potential mitigation.

Key Concerns

Presence of unserialize() without clear sanitization
High number of unsanitized taint flows
1 high severity taint flow found
Only 52% of output properly escaped
Past medium severity XSS vulnerability
Limited capability checks (2)

Vulnerabilities

Built-in Widgets Query extend (Custom Post Types & more) Security Vulnerabilities

CVEs by Year

1 CVE in 2022

2022

Patched Has unpatched

Severity Breakdown

Medium

1 total CVE

WF-87b8386e-863e-4a33-8beb-aab3e704ecb6-widget-extend-builtin-querymedium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Built-in Widgets Query extend <= 1.05 - Reflected Cross-Site Scripting

Aug 1, 2022 Patched in 1.06 (540d)

Code Analysis

Analyzed Mar 17, 2026

Built-in Widgets Query extend (Custom Post Types & more) Code Analysis

Dangerous Functions

Raw SQL Queries

46 prepared

Unescaped Output

79 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Dangerous Functions Found

unserializeif ( @unserialize($serialized_string) !== false ) return $serialized_string;library.php:3813

SQL Query Safety

77% prepared60 total queries

Output Escaping

52% escaped153 total outputs

Data Flows

6 unsanitized

Data Flow Analysis

8 flows6 with unsanitized paths

force_redirect_to_https (library.php:103)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

Built-in Widgets Query extend (Custom Post Types & more) Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 37

actionin_widget_formindex.php:61

actionwidget_update_callbackindex.php:63

actioninitindex.php:66

filterwidget_display_callbackindex.php:69

actionwp_headlibrary.php:4768

actionadmin_headlibrary.php:4769

actionwp_enqueue_scriptslibrary_wp.php:73

actionadmin_enqueue_scriptslibrary_wp.php:74

actionadmin_footerlibrary_wp.php:148

actioninitlibrary_wp.php:163

actionadmin_initlibrary_wp.php:210

filtermce_external_pluginslibrary_wp.php:212

filtermce_buttons_2library_wp.php:213

filtertiny_mce_versionlibrary_wp.php:215

actionwplibrary_wp.php:231

actionplugins_loadedlibrary_wp.php:540

actionwplibrary_wp.php:550

actionwp_footerlibrary_wp.php:700

actioninitlibrary_wp.php:711

actionwp_loadedlibrary_wp.php:854

actionshutdownlibrary_wp.php:859

actioninitlibrary_wp.php:1732

actionadmin_headlibrary_wp.php:1743

actioncurrent_screenlibrary_wp.php:1744

actionwplibrary_wp.php:1753

filterupload_mimeslibrary_wp.php:1759

filterwp_handle_uploadlibrary_wp.php:1760

actioninitlibrary_wp.php:1822

actionnetwork_admin_menulibrary_wp.php:1912

actionadmin_menulibrary_wp.php:1914

actionactivated_pluginlibrary_wp.php:1916

actionnetwork_admin_noticeslibrary_wp.php:2103

actionadmin_noticeslibrary_wp.php:2104

filterwp_php_error_messagelibrary_wp.php:2187

actionwp_footerlibrary_wp.php:2375

filterwidget_textlibrary_wp.php:2399

filtersite_transient_update_pluginslibrary_wp.php:3266

Maintenance & Trust

Built-in Widgets Query extend (Custom Post Types & more) Maintenance & Trust

Maintenance Signals

WordPress version tested6.5.8

Last updatedOct 30, 2024

PHP min version

Downloads1K

Community Trust

Rating0/100

Number of ratings0

Active installs0

Alternatives

Built-in Widgets Query extend (Custom Post Types & more) Alternatives

One Click Demo Import

one-click-demo-import

Import your demo content, widgets and theme settings with one click. Theme authors! Enable simple theme demo import for your users.

1.0M 2 CVEs

Classic Editor +

classic-editor-addon

The "Classic Editor +" plugin disables the block editor, removes enqueued scripts/styles and brings back classic Widgets.

50K 1 CVE

Stratum Widgets for Elementor

stratum

20+ Premium widgets for Elementor, including Advanced Slider, Instagram, Google Maps, Advanced Accordion, Post Grid.

30K 6 CVEs

Desert Companion

desert-companion

100

Desert Companion Enhances Desert Themes with additional functionality.

20K No CVEs

Livemesh SiteOrigin Widgets

livemesh-siteorigin-widgets

A collection of premium quality widgets for use in any widgetized area or in SiteOrigin page builder. SiteOrigin Widgets Bundle is required.

20K 2 CVEs

Developer Profile

Built-in Widgets Query extend (Custom Post Types & more) Developer Profile

Puvox Software

16 plugins · 51K total installs

trust score

Avg Security Score

94/100

Avg Patch Time

540 days

View full developer profile

Detection Fingerprints

How We Detect Built-in Widgets Query extend (Custom Post Types & more)

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/widget-extend-builtin-query/library.php/wp-content/plugins/widget-extend-builtin-query/library_wp.php

HTML / DOM Fingerprints

REST Endpoints

/wp-json/wp/v2/movies

FAQ