Widget Instance Security & Risk Analysis

wordpress.org/plugins/widget-instance

Display an active widget added to a sidebar within the editor or by using a shortcode, function or action.

500 active installs · v0.9.4 · Requires WordPress 2.9.1+ · Updated Jul 11, 2018

Tags: display-widget, widget, widget-instance, widgets

Security score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Widget Instance Safe to Use in 2026?

Generally Safe

Score 85/100

Widget Instance has no known CVEs, but it has not been updated since July 2018 and is only tested up to WordPress 4.9.29. The verdict is conditional: the code base is small and quiet, but the unprotected AJAX handler and unescaped output described below should be checked against the current plugin file before it is deployed on a site that accepts untrusted visitors.

No known CVEs · Last updated 7 years ago
Risk Assessment

The widget-instance plugin v0.9.4 exhibits a mixed security posture. On the positive side, the static analysis found no dangerous functions, no raw SQL queries (there is nothing to inject into, rather than the queries being prepared), no file operations and no external HTTP requests, and the plugin has no history of known vulnerabilities (CVEs). The attack surface is therefore small.

The concerns come from the entry points that remain. Two of the three are unprotected: the getWidgets AJAX action is registered on both the logged-in (wp_ajax) and the logged-out (nopriv) hook, so it is reachable by anyone who can send a request to admin-ajax.php, and the analysis found no nonce checks anywhere in the plugin, so the authenticated variant has no CSRF protection either. The single output the analysis found is not escaped. If request data reaches that output, an unauthenticated, nonce-free handler feeding unescaped output is a reflected Cross-Site Scripting (XSS) path that could run script in a victim's browser and expose session data; whether request data actually reaches that output is something this scan did not establish.

The lack of taint-analysis results is neutral: either no critical flows exist or the analysis did not follow them, and a manual check of what the AJAX handler echoes is the practical next step. The "outdated TinyMCE 1.0" finding should be verified before it is counted as a risk: the plugin registers the tiny_mce_version, mce_external_plugins and mce_buttons filters and ships a single tinymce.js, which is the standard way to add a plugin's own button to the TinyMCE that WordPress core bundles, so the flagged file is more likely the plugin's editor-button script than a copy of the TinyMCE library. Overall, weak access control on the AJAX endpoint and the unescaped output outweigh the plugin's strengths of a small footprint and a clean vulnerability history.

Key Concerns

  • Unprotected AJAX handlers
  • No output escaping
  • Bundled outdated library: TinyMCE v1.0
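
The following is an added example and is not code from the Widget Instance plugin: a hardened version of a getWidgets AJAX endpoint that closes the three findings above (no nonce check, a handler reachable by logged-out users, and unescaped output). The function names, the nonce action string, the sidebar request parameter and the edit_posts capability are assumptions; it also assumes, as the editor-button hooks in the attack-surface list suggest, that the endpoint only needs to serve logged-in users who can edit content, which is why no nopriv hook is registered.

```php
<?php
/**
 * Added example, not the plugin's own code. Hardened getWidgets endpoint:
 *   1. registered only for logged-in users (no wp_ajax_nopriv_ hook),
 *   2. CSRF-protected with a nonce that the editor script sends back,
 *   3. authorised with a capability check, not just "is logged in",
 *   4. input whitelisted against registered sidebars,
 *   5. every value escaped before it leaves the server.
 * Hook names, the nonce action and the capability are assumptions.
 */

add_action( 'wp_ajax_getWidgets', 'wi_example_get_widgets' );
add_action( 'admin_enqueue_scripts', 'wi_example_enqueue' );

/**
 * Enqueue the editor-button script on post screens only and hand it the
 * AJAX URL and a nonce via the widgetinstance JS global.
 */
function wi_example_enqueue( $hook_suffix ) {
    if ( 'post.php' !== $hook_suffix && 'post-new.php' !== $hook_suffix ) {
        return;
    }
    wp_enqueue_script(
        'wi-example',
        plugins_url( 'tinymce.js', __FILE__ ),
        array( 'jquery' ),
        '0.9.4',
        true
    );
    wp_localize_script( 'wi-example', 'widgetinstance', array(
        'ajaxurl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'wi_get_widgets' ),
    ) );
}

/**
 * Return the active widgets of one sidebar as JSON for the editor button.
 * Expects POST fields: action=getWidgets, nonce=<nonce>, sidebar=<sidebar id>.
 */
function wi_example_get_widgets() {
    // CSRF: a request without a valid nonce dies here, before any logic runs.
    check_ajax_referer( 'wi_get_widgets', 'nonce' );

    // Authorisation: any subscriber is logged in; require an editing capability.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    global $wp_registered_sidebars, $wp_registered_widgets;

    // Input: normalise, then whitelist against the sidebars WordPress knows about.
    $sidebar_id = isset( $_POST['sidebar'] )
        ? sanitize_key( wp_unslash( $_POST['sidebar'] ) )
        : '';
    $sidebars = wp_get_sidebars_widgets();
    if ( '' === $sidebar_id
        || ! isset( $wp_registered_sidebars[ $sidebar_id ] )
        || empty( $sidebars[ $sidebar_id ] ) ) {
        wp_send_json_error( array( 'message' => 'unknown sidebar' ), 400 );
    }

    // Output: escape each field even though it travels as JSON, because the
    // client will drop these strings into the editor DOM.
    $items = array();
    foreach ( $sidebars[ $sidebar_id ] as $widget_id ) {
        if ( ! isset( $wp_registered_widgets[ $widget_id ] ) ) {
            continue;
        }
        $items[] = array(
            'id'   => esc_attr( $widget_id ),
            'name' => esc_html( $wp_registered_widgets[ $widget_id ]['name'] ),
        );
    }
    wp_send_json_success( $items );
}
```

With this shape, a logged-out request never reaches the handler because no nopriv hook exists, a logged-in request without the nonce dies inside check_ajax_referer before the body runs, and a forged sidebar id is rejected by the whitelist rather than echoed back. The unescaped-output finding in the original is addressed at the point where the data is built, so the client script has nothing raw to insert.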
Vulnerabilities
None known

Widget Instance Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Widget Instance Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 1 (0 escaped)
Nonce Checks: 0
Capability Checks: 2
File Operations: 0
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

TinyMCE 1.0

Output Escaping

0% escaped (1 output total)
Attack Surface
2 unprotected

Widget Instance Attack Surface

Entry Points: 3
Unprotected: 2

AJAX Handlers 2

auth    wp_ajax_getWidgets    Ajax.php:6
nopriv  wp_ajax_getWidgets    Ajax.php:7

Shortcodes 1

[widget_instance] Public.php:21
WordPress Hooks 7
action  admin_init             Admin.php:6
filter  tiny_mce_version       Admin.php:13
filter  mce_external_plugins   Admin.php:14
filter  mce_buttons            Admin.php:15
action  admin_enqueue_scripts  Admin.php:17
action  init                   Public.php:11
action  widget_instance        Public.php:12
Maintenance & Trust

Widget Instance Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.9.29
Last updated: Jul 11, 2018
PHP min version: not stated
Downloads: 13K

Community Trust

Rating: 68/100
Number of ratings: 9
Active installs: 500
Developer Profile

Widget Instance Developer Profile

Global

3 plugins · 520 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Widget Instance

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/widget-instance/tinymce.js
Script Paths
/wp-content/plugins/widget-instance/tinymce.js

HTML / DOM Fingerprints

JS Globals
widgetinstance
Shortcode Output
[widget_instance
FAQ

Frequently Asked Questions about Widget Instance