Does Featured Posts have any unpatched vulnerabilities?

No. All known vulnerabilities in Featured Posts have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Featured Posts compatible with WordPress 4.3.34?

According to WordPress.org data, Featured Posts 1.1.1 has been tested up to WordPress 4.3.34. Check the plugin's changelog for the latest compatibility information.

How often is Featured Posts updated?

Featured Posts was last updated on Jan 13, 2017. Frequent updates are generally a positive security signal.

What is Featured Posts's security score?

Featured Posts has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Featured Posts Security & Risk Analysis

wordpress.org/plugins/wordpress-mu-featured-posts

Featured posts plugin & widget for WordPress or WordPress MU.

10 active installs v1.1.1 PHP + WP 2.6+ Updated Jan 13, 2017

featured-postfeedssitewidewidgetwpmu

A · Safe

CVEs total0

Unpatched0

Last CVENever

Download

Safety Verdict

Is Featured Posts Safe to Use in 2026?

Generally Safe

Score 85/100

Featured Posts has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 9yr ago

Risk Assessment

The "wordpress-mu-featured-posts" plugin v1.1.1 exhibits a mixed security posture. On the positive side, there are no known vulnerabilities (CVEs) in its history, suggesting a history of secure development or limited exposure. The attack surface is small, with only one shortcode and no unprotected entry points. The plugin also shows an effort towards secure database interactions, with 80% of SQL queries using prepared statements.

However, significant concerns arise from the static code analysis. The most alarming finding is a "flow with unsanitized paths" identified during taint analysis. While no critical or high severity issues were flagged in taint analysis, the presence of an unsanitized path is a serious indicator of potential vulnerabilities, especially if it can be exploited through user-controlled input. Furthermore, the extremely low percentage (6%) of properly escaped output is a major red flag. This indicates a high likelihood of cross-site scripting (XSS) vulnerabilities, where malicious scripts could be injected and executed in users' browsers.

While the lack of known CVEs is encouraging, the significant number of unescaped outputs and the identified unsanitized path strongly suggest that potential vulnerabilities may simply be undiscovered or unreported. The plugin's strengths lie in its limited attack surface and some database query practices. However, the weaknesses in output sanitization and the presence of unsanitized paths present a considerable risk that outweighs the positive indicators. Users should exercise caution with this plugin.

Key Concerns

Flow with unsanitized paths
Low percentage of properly escaped output
No nonce checks

Vulnerabilities

None known

Featured Posts Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 17, 2026

Featured Posts Code Analysis

Dangerous Functions

Raw SQL Queries

8 prepared

Unescaped Output

2 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

80% prepared10 total queries

Output Escaping

6% escaped32 total outputs

Data Flows

1 unsanitized

Data Flow Analysis

3 flows1 with unsanitized paths

ra_featured_posts_page (ra-featured-posts\ra-featured-posts-admin.php:108)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

Featured Posts Attack Surface

Entry Points1

Unprotected0

Shortcodes 1

[ra-featured] ra-featured-posts.php:87

WordPress Hooks 3

actionadmin_headra-featured-posts\ra-featured-posts-admin.php:249

actionwidgets_initra-featured-posts-widget.php:49

actionadmin_menura-featured-posts.php:33

Maintenance & Trust

Featured Posts Maintenance & Trust

Maintenance Signals

WordPress version tested4.3.34

Last updatedJan 13, 2017

PHP min version

Downloads17K

Community Trust

Rating0/100

Number of ratings0

Active installs10

Alternatives

Featured Posts Alternatives

Feature A Page Widget

feature-a-page-widget

A widget to display an attractive summary of any page in any widget area.

3K No CVEs

WP Twitter Feeds

wp-twitter-feeds

WP Twitter Feeds - A simple widget which lets you add your latest tweets in just a few clicks on your website.

3K No CVEs

Featured Post Creative

featured-post-creative

Display Featured post on your website with 2 shortcode and 1 widget. Also work with Gutenberg shortcode block.

1K 2 CVEs

AK Featured Post Widget

akfeatured-post-widget

A widget that you can use to display your blog posts, custom post types, or woocommerce products!

400 No CVEs

Nelio Featured Posts

nelio-featured-posts

Select the featured posts you want to show at any time and include them in your theme using a widget.

400 No CVEs

Developer Profile

Featured Posts Developer Profile

Ron Rennick

10 plugins · 1K total installs

trust score

Avg Security Score

87/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect Featured Posts

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/wordpress-mu-featured-posts/ra-featured-posts-admin.php/wp-content/plugins/wordpress-mu-featured-posts/ra-featured-posts-install.php

HTML / DOM Fingerprints

CSS Classes

ra-avatarra-feature-post

Data Attributes

id="feature_.*"name="ra_feature_check[]"

Shortcode Output

<div class="ra-avatar"><div class="ra-feature-post"><h2>

FAQ