Wishful Companion Security & Risk Analysis

wordpress.org/plugins/wishful-companion

Wishful Companion adds extra features to all WishfulThemes themes, like demo import and other widgets.

300 active installs · v1.1.0 · PHP 5.6+ · WP 4.4+ · Updated Apr 8, 2024
Tags: demo, elementor, import, shortcodes, widgets
Score: 92 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Wishful Companion Safe to Use in 2026?

Generally Safe

Score 92/100

Wishful Companion has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 1yr ago
Risk Assessment

The wishful-companion plugin v1.1.0 exhibits a mixed security posture. On the positive side, it demonstrates good practices by utilizing prepared statements for all SQL queries and performing a significant number of nonce and capability checks. The absence of known CVEs and a clean vulnerability history are also strong indicators of responsible development in the past.

However, several concerns arise from the static analysis. The presence of one AJAX handler without authentication checks presents a direct entry point for potential attackers. Furthermore, two flows with unsanitized paths identified in the taint analysis, although not classified as critical or high severity, suggest potential vulnerabilities if data is not handled rigorously. The use of the `unserialize` function is a known risk vector, especially if the data being unserialized originates from an untrusted source.

In conclusion, while the plugin has a strong track record and implements several security best practices, the identified unprotected AJAX handler and unsanitized taint flows warrant attention. The potential for misuse of `unserialize` also adds a layer of risk. Addressing these specific areas would significantly improve the plugin's overall security.

Key Concerns

  • AJAX handler without auth checks
  • Flows with unsanitized paths
  • Use of dangerous function (unserialize)
Vulnerabilities
None known

Wishful Companion Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Wishful Companion Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (4 prepared)
Unescaped Output: 62 (185 escaped)
Nonce Checks: 14
Capability Checks: 17
File Operations: 14
External Requests: 3
Bundled Libraries: 0

Dangerous Functions Found

unserialize: `$data = @unserialize( $raw );` (includes\panel\classes\importers\class-settings-importer.php:25)

SQL Query Safety

100% prepared · 4 total queries

Output Escaping

75% escaped · 247 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

9 flows · 2 with unsanitized paths
wishful_companion_review_notice_message (includes\notify\notify.php:45)
Attack Surface
1 unprotected

Wishful Companion Attack Surface

Entry Points: 9
Unprotected: 1

AJAX Handlers 9

  • [auth] wp_ajax_wishful_companion_getting_started (inc\init.php:47)
  • [auth] wp_ajax_wishful_blog_ajax_get_demo_data (includes\panel\demos.php:56)
  • [auth] wp_ajax_wishful_blog_ajax_required_plugins_activate (includes\panel\demos.php:57)
  • [auth] wp_ajax_wishful_blog_ajax_get_import_data (includes\panel\demos.php:60)
  • [auth] wp_ajax_wishful_blog_ajax_import_xml (includes\panel\demos.php:63)
  • [auth] wp_ajax_wishful_blog_ajax_import_theme_settings (includes\panel\demos.php:66)
  • [auth] wp_ajax_wishful_blog_ajax_import_widgets (includes\panel\demos.php:69)
  • [auth] wp_ajax_wishful_blog_after_import (includes\panel\demos.php:72)
  • [auth] wp_ajax_wishful_blog_wizzard_ajax_get_demo_data (includes\wizard\classes\WizardAjax.php:9)

WordPress Hooks 24

  • [filter] advanced_import_demo_lists (inc\init.php:45)
  • [filter] admin_menu (inc\init.php:46)
  • [filter] admin_enqueue_scripts (inc\init.php:48)
  • [filter] admin_enqueue_scripts (inc\init.php:49)
  • [action] advanced_import_replace_term_ids (inc\init.php:52)
  • [action] advanced_import_replace_post_ids (inc\init.php:53)
  • [action] admin_notices (includes\notify\notify.php:36)
  • [action] admin_notices (includes\notify\notify.php:151)
  • [action] admin_init (includes\notify\notify.php:156)
  • [action] admin_menu (includes\panel\classes\class-install-demos.php:21)
  • [filter] import_post_meta_key (includes\panel\classes\importers\class-wordpress-importer.php:101)
  • [filter] http_request_timeout (includes\panel\classes\importers\class-wordpress-importer.php:102)
  • [filter] wishful_blog_demos_data (includes\panel\demos-pro.php:218)
  • [action] admin_init (includes\panel\demos.php:36)
  • [action] admin_enqueue_scripts (includes\panel\demos.php:39)
  • [filter] upload_mimes (includes\panel\demos.php:42)
  • [action] admin_footer (includes\panel\demos.php:45)
  • [action] admin_menu (includes\wizard\wizard.php:37)
  • [action] admin_init (includes\wizard\wizard.php:38)
  • [action] wp_loaded (includes\wizard\wizard.php:39)
  • [action] admin_print_styles (includes\wizard\wizard.php:40)
  • [action] add_second_notice (includes\wizard\wizard.php:41)
  • [action] plugins_loaded (wishful-companion.php:48)
  • [action] admin_init (wishful-companion.php:116)

Scheduled Events 2

add_second_notice
add_second_notice
Maintenance & Trust

Wishful Companion Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.5.8
Last updated: Apr 8, 2024
PHP min version: 5.6
Downloads: 12K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 300
Developer Profile

Wishful Companion Developer Profile

wishfulthemes

3 plugins · 1K total installs

Trust score: 82
Avg Security Score: 83/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Wishful Companion

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wishful-companion/assets/css/dashboard.min.css
  • /wp-content/plugins/wishful-companion/assets/js/dashboard.min.js
  • /wp-content/plugins/wishful-companion/assets/css/common.min.css
  • /wp-content/plugins/wishful-companion/assets/js/common.min.js
  • /wp-content/plugins/wishful-companion/assets/css/builder.min.css
  • /wp-content/plugins/wishful-companion/assets/js/builder.min.js
  • /wp-content/plugins/wishful-companion/assets/css/wizard.min.css
  • /wp-content/plugins/wishful-companion/assets/js/wizard.min.js
Version Parameters
  • wishful-companion/assets/css/dashboard.min.css?ver=
  • wishful-companion/assets/js/dashboard.min.js?ver=
  • wishful-companion/assets/css/common.min.css?ver=
  • wishful-companion/assets/js/common.min.js?ver=
  • wishful-companion/assets/css/builder.min.css?ver=
  • wishful-companion/assets/js/builder.min.js?ver=
  • wishful-companion/assets/css/wizard.min.css?ver=
  • wishful-companion/assets/js/wizard.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • wc-dashboard-content
  • wc-dashboard-sidebar
  • wc-wizard-step
  • wc-builder-canvas
HTML Comments
  • <!-- wishful_companion_builder_render -->
  • <!-- wishful_companion_dashboard_render -->
Data Attributes
  • data-wc-builder-element
  • data-wc-dashboard-widget
JS Globals
  • wishfulCompanionDashboard
  • wishfulCompanionBuilder
REST Endpoints
  • /wp-json/wishful-companion/v1/builder/save
  • /wp-json/wishful-companion/v1/dashboard/widgets
Shortcode Output
  • [wishful_companion_builder]
  • [wishful_companion_dashboard]
FAQ

Frequently Asked Questions about Wishful Companion