Widget Manager Light Security & Risk Analysis

wordpress.org/plugins/widget-manager-light

Widget Manager lets you control on which pages widgets appear via nice and easy interface. Show or hide widgets. Display relevant content on your page …

600 active installs · v1.18 · PHP min version not stated · WP 3.0+ · Updated Mar 3, 2022
Tags: admin, conditional-tags, context, filter, hide-widgets

Score: 64/100 · Grade C · Use Caution
CVEs total: 1 · Unpatched: 1 · Last CVE: Apr 2, 2025
Safety Verdict

Is Widget Manager Light Safe to Use in 2026?

Use With Caution

Score 64/100

Widget Manager Light has 1 unpatched vulnerability (CVE-2025-31768, Missing Authorization, affecting every release up to and including the current 1.18). No fixed release exists and the plugin was last updated in March 2022, so evaluate alternatives or apply available mitigations.

1 known CVE · 1 unpatched · Last CVE: Apr 2, 2025 · Plugin last updated 4 years ago
Risk Assessment

The widget-manager-light plugin exhibits a concerning security posture, driven by its attack surface and its vulnerability history. Both of its AJAX handlers are unprotected: they are registered on authenticated wp_ajax_* hooks and check a nonce, but no capability check exists anywhere in the code base, so any logged-in role can reach them. The static analysis also found three data flows in which user input (entering through otw_get) reaches a dangerous operation without passing through a sanitizer, and one call to unserialize() on URL-decoded data, which is a PHP object-injection risk if that data is attacker-influenced. On the positive side the plugin issues no raw SQL queries and escapes roughly two thirds (66%) of its output, but these strengths are outweighed by the identified weaknesses.

The vulnerability history reinforces the elevated risk. The single published CVE (CVE-2025-31768, medium, Missing Authorization) is unpatched and affects every release through the current 1.18, which, together with the complete absence of capability checks, points to a systemic gap in how the plugin authorizes access to its functionality rather than a one-off bug. Nonce checks alone do not close that gap: a nonce ties a request to a page WordPress rendered for the user, it does not establish that the user may perform the action. In conclusion, the plugin has a weak security posture. Some code hygiene is present, but the unprotected AJAX handlers, the unsanitized data flows and the unpatched authorization flaw make it a high-risk plugin; since no fix exists and the last release dates from March 2022, site owners should treat it as unmaintained and plan a replacement.
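To make the concern concrete, here is an added illustration, not code from Widget Manager Light, of what "nonce checks present, capability checks absent" looks like in a WordPress AJAX handler, beside the hardened form. Hook, function and option names (demo_save_nonce_only, demo_save, demo_settings) are hypothetical, and the block assumes a WordPress runtime for add_action(), check_ajax_referer() and the other core functions. A wp_ajax_{action} hook only fires for logged-in users, which is why the report tags the plugin's handlers "auth"; the nonce then proves the request came from a page WordPress rendered for that user, so without current_user_can() every authenticated role, down to subscriber, reaches the handler.

```php
<?php
// Added illustration (not Widget Manager Light's code): a WordPress AJAX
// handler that checks only a nonce, beside one that also checks a
// capability. Hook, function and option names are hypothetical.
// Assumes a WordPress runtime (add_action, check_ajax_referer, etc.).

// Anti-pattern: "auth" (wp_ajax_ only fires for logged-in users) plus a
// nonce check, but no authorization. Any authenticated role that can load
// a page carrying the nonce (e.g. a subscriber on the dashboard) can call it.
add_action( 'wp_ajax_demo_save_nonce_only', 'demo_save_nonce_only' );
function demo_save_nonce_only() {
    // Proves the request originated from a page WordPress rendered for this
    // user (CSRF protection). Says nothing about what the user may do.
    check_ajax_referer( 'demo_save', 'nonce' );

    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : '';
    update_option( 'demo_settings', $settings ); // written by whoever called
    wp_send_json_success();
}

// Hardened: the same nonce check, followed by an explicit capability check
// and input sanitization before the privileged operation.
add_action( 'wp_ajax_demo_save', 'demo_save' );
function demo_save() {
    check_ajax_referer( 'demo_save', 'nonce' );

    // Authorization. Widget placement is appearance configuration, so
    // require the capability that gates the Widgets screen. Pick the most
    // specific capability that fits the action, never just "is logged in".
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $settings = isset( $_POST['settings'] )
        ? sanitize_text_field( wp_unslash( $_POST['settings'] ) )
        : '';
    update_option( 'demo_settings', $settings );
    wp_send_json_success();
}
```

The triage rule this encodes applies to any plugin: list every add_action( 'wp_ajax_...' ) and add_action( 'wp_ajax_nopriv_...' ) registration, then confirm that each callback reaches current_user_can() (or an equivalent authorization check) before it reads or changes anything. A nonce check on its own, as this plugin has, is the pattern behind the Missing Authorization CVE.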

Key Concerns

  • Unprotected AJAX handlers
  • High severity taint flows with unsanitized paths
  • Unpatched CVE (medium)
  • Missing capability checks on entry points
  • Dangerous function 'unserialize'
  • Unescaped output (34%)
Vulnerabilities
1 published

Widget Manager Light Security Vulnerabilities

CVEs by Year

2025: 1 CVE, unpatched

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2025-31768 · Medium · 5.3 · Missing Authorization
Widget Manager Light <= 1.18 - Missing Authorization
Published Apr 2, 2025 · Unpatched
Version History

Widget Manager Light Release Timeline

v1.0, v1.2, v1.3, v1.4, v1.5, v1.6, v1.7, v1.8, v1.9, v1.10, v1.11, v1.12, v1.13, v1.14, v1.15, v1.16, v1.17: 1 CVE each (the same CVE-2025-31768, which affects every release through 1.18; no patched release exists)
Code Analysis
Analyzed Mar 16, 2026

Widget Manager Light Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 60 (117 escaped)
Nonce Checks: 2
Capability Checks: 0
File Operations: 9
External Requests: 2
Bundled Libraries: 0

Dangerous Functions Found

unserialize · include\otw_components\otw_functions\otw_functions.php:596
    $value = unserialize( urldecode( $value ) );
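Why the flagged call matters, shown as an added example rather than the plugin's own code: unserialize() instantiates whatever class names appear in the string and runs their magic methods (__wakeup, and later __destruct), so if $value can be influenced by a request the attacker chooses the classes. DemoGadget below is hypothetical and stands in for any class with such a method that is loaded at the time of the call (the plugin's own, WordPress core's, or another plugin's). The block runs stand-alone with the PHP CLI and contrasts the flagged pattern with two hardened forms.

```php
<?php
// Added example, not code from Widget Manager Light. DemoGadget is a
// hypothetical class standing in for any loaded class with a magic method.

class DemoGadget {
    public $cmd = '';
    public function __wakeup() {
        // In a real gadget chain this might write a file or invoke a callback.
        echo "[DemoGadget::__wakeup] would run: {$this->cmd}\n";
    }
}

// What an attacker would send: a serialized object, URL-encoded so that the
// urldecode() in the flagged line turns it back into the serialized form.
function build_payload( string $cmd ): string {
    $g = new DemoGadget();
    $g->cmd = $cmd;
    return rawurlencode( serialize( $g ) );
}

// The pattern flagged in the report: every class name in the string is honoured.
function decode_unsafe( string $value ) {
    return unserialize( urldecode( $value ) );
}

// Hardened variant 1: keep the serialization format but refuse all objects.
// Class names are replaced by __PHP_Incomplete_Class and no magic method runs.
function decode_no_objects( string $value ) {
    return unserialize( urldecode( $value ), array( 'allowed_classes' => false ) );
}

// Hardened variant 2: change the wire format to JSON, which has no notion of
// classes at all. Suitable when the plugin itself produces the encoded data.
function encode_json( array $data ): string {
    return rawurlencode( json_encode( $data ) );
}
function decode_json( string $value ): ?array {
    $decoded = json_decode( urldecode( $value ), true );
    return is_array( $decoded ) ? $decoded : null;
}

$payload = build_payload( 'id' );

$obj = decode_unsafe( $payload );        // DemoGadget::__wakeup runs inside this call
echo get_class( $obj ), "\n";

$safe = decode_no_objects( $payload );   // same bytes, no magic method runs
echo get_class( $safe ), "\n";

var_dump( decode_json( $payload ) );     // serialized PHP is not JSON, so it is rejected
var_dump( decode_json( encode_json( array( 'show_on' => 'home' ) ) ) );
```

When reviewing the real call at otw_functions.php:596, the question to answer is where $value comes from: if it only ever holds data the plugin wrote itself (an option or post meta it controls), the risk is limited to whoever can already write that storage; if it can arrive from a request parameter, the allowed_classes restriction is the minimum fix and JSON the better one.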

Output Escaping

66% escaped (117 of 177 total outputs)
Data Flows · Security
3 unsanitized

Data Flow Analysis

3 flows, 3 with unsanitized paths
Source: otw_get (include\otw_components\otw_functions\otw_functions.php:558)
Attack Surface
2 unprotected

Widget Manager Light Attack Surface

Entry Points: 2 · Unprotected: 2

AJAX Handlers: 2 (both registered on wp_ajax_* hooks, so they run only for logged-in users; neither performs a capability check)
  • auth · wp_ajax_otw_wml_widget_dialog · otw_widget_manager.php:159
  • auth · wp_ajax_otw_wml_items_by_type · otw_widget_manager.php:160
WordPress Hooks: 19
  • action · admin_menu · include\otw_components\otw_factory\otw_factory.class.php:34
  • action · admin_print_styles · include\otw_components\otw_factory\otw_factory.class.php:36
  • action · admin_notices · include\otw_components\otw_factory\otw_factory.class.php:38
  • filter · pre_set_site_transient_update_plugins · include\otw_components\otw_factory\otw_factory.class.php:40
  • filter · plugins_api · include\otw_components\otw_factory\otw_factory.class.php:42
  • action · wp_enqueue_scripts · include\otw_components\otw_functions\otw_component.class.php:90
  • action · admin_enqueue_scripts · include\otw_components\otw_functions\otw_component.class.php:94
  • filter · posts_where · include\otw_sbm_core.php:930
  • filter · posts_where · include\otw_sbm_core.php:1006
  • filter · posts_where · include\otw_sbm_core.php:1572
  • action · plugins_loaded · otw_widget_manager.php:143
  • action · admin_menu · otw_widget_manager.php:147
  • action · admin_notices · otw_widget_manager.php:148
  • filter · sidebars_widgets · otw_widget_manager.php:149
  • filter · otwfcr_notice · otw_widget_manager.php:150
  • action · admin_enqueue_scripts · otw_widget_manager.php:154
  • action · admin_print_styles · otw_widget_manager.php:155
  • action · enqueue_block_editor_assets · otw_widget_manager.php:161
  • action · init · otw_widget_manager.php:166
Maintenance & Trust

Widget Manager Light Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.9.13
Last updated: Mar 3, 2022
PHP min version: not stated
Downloads: 49K

Community Trust

Rating: 76/100
Number of ratings: 11
Active installs: 600
Developer Profile

Widget Manager Light Developer Profile

OTWthemes

12 plugins · 6K total installs

Trust score: 70
Avg Security Score: 66/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Widget Manager Light

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/widget-manager-light/css/otw_sbm_admin.css
/wp-content/plugins/widget-manager-light/js/otw_widgets.js
/wp-content/plugins/widget-manager-light/js/otw_widgets_appearence.js
Script Paths
/wp-content/plugins/widget-manager-light/js/otw_widgets.js
/wp-content/plugins/widget-manager-light/js/otw_widgets_appearence.js
Version Parameters
widget-manager-light/js/otw_widgets.js?ver=
widget-manager-light/js/otw_widgets_appearence.js?ver=
widget-manager-light/css/otw_sbm_admin.css?ver=

HTML / DOM Fingerprints

Data Attributes
data-otw-wml-widget-id
JS Globals
otw_wml_plugin_url
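The fingerprints above applied in code, as an added detection helper that is not part of the page's own tooling: it scans a page's HTML for the asset paths, pulls the version out of the ?ver= parameter, and checks the data attribute and JS global. The sample HTML is constructed for the demonstration (the ver value 1.18 in it is an assumption); in practice fetch the page with curl or wp_remote_get() and pass the body in. Runs stand-alone with the PHP CLI.

```php
<?php
// Added detection helper, not part of the page's own tooling. It applies
// the listed fingerprints to a page's HTML. The sample HTML at the bottom
// is constructed for the demonstration.

const WML_ASSETS = array(
    '/wp-content/plugins/widget-manager-light/css/otw_sbm_admin.css',
    '/wp-content/plugins/widget-manager-light/js/otw_widgets.js',
    '/wp-content/plugins/widget-manager-light/js/otw_widgets_appearence.js',
);

function detect_widget_manager_light( string $html ): array {
    $hits = array( 'assets' => array(), 'version' => null, 'dom' => array(), 'js_globals' => array() );

    // Asset paths: the strongest signal, since the plugin slug is in the path.
    foreach ( WML_ASSETS as $path ) {
        if ( strpos( $html, $path ) !== false ) {
            $hits['assets'][] = $path;
        }
    }

    // Version parameter: whatever the plugin passed to wp_enqueue_script()
    // or wp_enqueue_style(); assumed here to be the plugin version.
    if ( preg_match( '#widget-manager-light/(?:js|css)/[\w.]+\?ver=([\w.]+)#', $html, $m ) ) {
        $hits['version'] = $m[1];
    }

    // DOM and JS fingerprints: useful when the asset URL has been rewritten
    // or concatenated by a caching or optimisation plugin.
    if ( strpos( $html, 'data-otw-wml-widget-id' ) !== false ) {
        $hits['dom'][] = 'data-otw-wml-widget-id';
    }
    if ( preg_match( '/\botw_wml_plugin_url\b/', $html ) ) {
        $hits['js_globals'][] = 'otw_wml_plugin_url';
    }

    $hits['detected'] = ! empty( $hits['assets'] ) || ! empty( $hits['dom'] ) || ! empty( $hits['js_globals'] );
    return $hits;
}

// Constructed sample of a page that loads the plugin's script.
$sample = <<<'HTML'
<script src="https://example.com/wp-content/plugins/widget-manager-light/js/otw_widgets.js?ver=1.18" id="otw_widgets-js"></script>
<script>var otw_wml_plugin_url = "https://example.com/wp-content/plugins/widget-manager-light/";</script>
HTML;

print_r( detect_widget_manager_light( $sample ) );
```

Because the published CVE covers every release through the current 1.18 and no fix exists, a match on the path alone is enough to flag the site; the extracted version only tells you which legacy release is installed. Note that otw_sbm_admin.css is an admin stylesheet, so on public pages the script, data attribute and JS global are the signals to rely on.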
FAQ

Frequently Asked Questions about Widget Manager Light