Worldtides Widget Security & Risk Analysis
wordpress.org/plugins/worldtides-widgetThis widget is perfect for anyone who wants accurate, low-cost tide predictions on their website. WorldTides.info provides tide predictions at consume …
Is Worldtides Widget Safe to Use in 2026?
Generally Safe
Score 85/100Worldtides Widget has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.
The "worldtides-widget" v1.3.0 plugin exhibits a mixed security posture. On the positive side, it has a very small attack surface with only one shortcode and no other readily apparent entry points like AJAX handlers or REST API routes. Critically, the static analysis did not reveal any dangerous functions, file operations, or external HTTP requests that are typically associated with high-risk vulnerabilities. The absence of any recorded CVEs in its vulnerability history further suggests a relatively stable and secure past. However, there are significant areas of concern that detract from its overall security.
The most notable weakness is the complete lack of nonces and capability checks across all identified entry points. This means that even the single shortcode, if it were to perform any sensitive action or display user-controlled data, would be vulnerable to various attacks like Cross-Site Request Forgery (CSRF) if not properly secured on the WordPress side. Furthermore, the single SQL query is not using prepared statements, which presents a direct risk of SQL injection vulnerabilities. While the output escaping percentage is low, the number of outputs is also small, making it harder to definitively assess the risk without deeper analysis, but the 13% proper escaping is concerning.
In conclusion, while the plugin's limited attack surface and clean vulnerability history are strong points, the absence of fundamental security checks like nonces and capability checks, coupled with the unescaped SQL query, creates exploitable weaknesses. The current version is not recommended for deployment without addressing these critical security oversights to prevent potential attacks.
Key Concerns
- SQL queries without prepared statements
- Missing nonce checks on entry points
- Missing capability checks on entry points
- Low percentage of properly escaped output
Worldtides Widget Security Vulnerabilities
Worldtides Widget Code Analysis
SQL Query Safety
Output Escaping
Worldtides Widget Attack Surface
Shortcodes 1
WordPress Hooks 6
Maintenance & Trust
Worldtides Widget Maintenance & Trust
Maintenance Signals
Community Trust
Worldtides Widget Alternatives
Tide Graph
tide-graph
The Tide Graph Wordpress plugin shows a graph of the water levels in various areas in the US.
Waiting for the tide (UK)
waiting-for-the-tide-uk
Show tide times and heights for over 700 ports and beaches in Cornwall, Devon, Dorset, Hampshire, Sussex, Kent, London, Essex, Suffolk and Norfolk.
Worldtides Widget Developer Profile
2 plugins · 200 total installs
How We Detect Worldtides Widget
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
/wp-content/plugins/worldtides-widget/admin/js/wp-color-picker-alpha.min.js/wp-content/plugins/worldtides-widget/admin/js/worldtides-admin.min.jswp-content/plugins/worldtides-widget/admin/js/wp-color-picker-alpha.min.jswp-content/plugins/worldtides-widget/admin/js/worldtides-admin.min.jsworldtides-widget/admin/js/wp-color-picker-alpha.min.js?ver=worldtides-widget/admin/js/worldtides-admin.min.js?ver=HTML / DOM Fingerprints
worldtides-widget<!-- WorldTides Widget --><!-- Widget End -->data-wt-keydata-wt-latitudedata-wt-longitudedata-wt-timezonedata-wt-unitsdata-wt-days+5 moreworldtides_api_keyworldtides_locale_settingsworldtides_site_url<div class="worldtides-widget"