WP-Appbox Security & Risk Analysis

wordpress.org/plugins/wp-appbox

With WP-Appbox you can add beautiful mobile app badges to your WordPress posts and pages simply by adding a shortcode.

2K active installs · v4.5.11 · PHP + WP 5.0+ · Updated Apr 10, 2026
Tags: app-store, appbox, apps, google-play, microsoft-store
Score 96 · A · Safe
CVEs total: 4
Unpatched: 0
Last CVE: Feb 20, 2025
Safety Verdict

Is WP-Appbox Safe to Use in 2026?

Generally Safe

Score 96/100

WP-Appbox has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

4 known CVEs · Last CVE: Feb 20, 2025 · Updated 1mo ago
Risk Assessment

The "wp-appbox" v4.5.10 plugin exhibits a mixed security posture. On the positive side, the static analysis shows a relatively small attack surface with no unprotected entry points identified. The plugin also demonstrates good practices in SQL query handling, with 76% using prepared statements, and a high percentage (90%) of output escaping. The limited number of external HTTP requests and the presence of nonce and capability checks are also encouraging signs.

However, concerns arise from the presence of dangerous functions like `unserialize` and `create_function`, which are risky unless handled with extreme care. The taint analysis revealed one flow with unsanitized paths, a potential attack vector, although its severity was not classified as critical or high. The vulnerability history is a significant red flag: 4 known CVEs, including one high and three medium severity vulnerabilities, with the most recent in early 2025, indicate a recurring pattern of security weaknesses. The common vulnerability types suggest a susceptibility to Cross-site Scripting and PHP Remote File Inclusion, both serious security flaws.

In conclusion, while "wp-appbox" v4.5.10 has some robust security implementations, particularly in input sanitization and output escaping, the persistent history of medium to high severity vulnerabilities and the presence of dangerous functions like `unserialize` cannot be ignored. The unsanitized path flow in the taint analysis, though not critical, adds to the risk. Users should be aware of the past issues and the potential for future ones, especially considering the recent vulnerability date.

Key Concerns

  • Presence of dangerous functions (unserialize, create_function)
  • Flow with unsanitized paths in taint analysis
  • History of 4 known CVEs
  • 1 High severity CVE
  • 3 Medium severity CVEs
  • Recent vulnerability (2025-02-20)

Vulnerabilities
4 published

WP-Appbox Security Vulnerabilities

CVEs by Year

2022: 2 CVEs
2024: 1 CVE
2025: 1 CVE

Severity Breakdown

High: 1
Medium: 3
4 total CVEs

CVE-2025-1489 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP-Appbox <= 4.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via appbox Shortcode

Feb 20, 2025 · Patched in 4.5.5 (1d)

CVE-2024-12710 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP-Appbox <= 4.5.3 - Reflected Cross-Site Scripting

Dec 23, 2024 · Patched in 4.5.4 (1d)

CVE-2021-36910 · medium · 4.8 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP-Appbox <= 4.3.20 - Authenticated (Admin+) Stored Cross-Site Scripting

Apr 5, 2022 · Patched in 4.3.21 (657d)

WF-6c718d65-eb40-43db-821f-344c6eca2384-wp-appbox · high · 8.8 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

WP-Appbox <= 4.3.17 - Local File Inclusion

Jan 17, 2022 · Patched in 4.3.18 (736d)

Version History

WP-Appbox Release Timeline

Code Analysis
Analyzed Mar 16, 2026

WP-Appbox Code Analysis

Dangerous Functions: 18
Raw SQL Queries: 11 (34 prepared)
Unescaped Output: 20 (186 escaped)
Nonce Checks: 1
Capability Checks: 5
File Operations: 18
External Requests: 3
Bundled Libraries: 1

Dangerous Functions Found

unserialize · admin\settings-cache-list.php:119 · if ( isset( unserialize( $appData->app_extend )['apple-arcade'] ) )
unserialize · admin\settings-cache-list.php:127 · 'app_icon_bg' => ( isset( unserialize( $appData->app_extend )['windowsstorebg'] ) ? unserialize( $ap
unserialize · inc\getappinfo.class.php:332 · $appData['app_extend'] = ( null !== $cachedApp->app_extend ) ? unserialize( $cachedApp->app_extend )
unserialize · inc\getappinfo.class.php:333 · $appData['app_screenshots'] = ( null !== $cachedApp->app_extend ) ? unserialize( $cachedApp->app_scr
unserialize · inc\imagecache.class.php:303 · if ( !is_array( $imgURLs ) ) $imgURLs = unserialize( $imgURLs );
create_function · inc\queryelements.php:1047 · $this->callback = create_function($paramList, $code);
create_function · inc\queryelements.php:2109 · create_function('$node', '
create_function · inc\queryelements.php:2116 · create_function('$node', '
create_function · inc\queryelements.php:2131 · create_function('$node', '
create_function · inc\queryelements.php:2137 · create_function('$node',
create_function · inc\queryelements.php:2160 · create_function('$node',
create_function · inc\queryelements.php:2166 · create_function('$node', 'return pq($node)->prevAll()->size() == 0 ? $node : null;')
create_function · inc\queryelements.php:2171 · create_function('$node', 'return pq($node)->nextAll()->size() == 0 ? $node : null;')
create_function · inc\queryelements.php:2184 · create_function('$node, $param',
create_function · inc\queryelements.php:2197 · create_function('$node, $param',
create_function · inc\queryelements.php:2237 · create_function('$node, $index',
create_function · inc\queryelements.php:4780 · create_function('$m',

Bundled Libraries

TinyMCE

SQL Query Safety

76% prepared · 45 total queries

Output Escaping

90% escaped · 206 total outputs
Data Flows · Security
1 unsanitized

Data Flow Analysis

2 flows · 1 with unsanitized paths

wpAppbox_saveSettings (admin\settings.php:186)
Attack Surface

WP-Appbox Attack Surface

Entry Points: 1
Unprotected: 0

Shortcodes 1

[appbox] wp-appbox.php:1003
WordPress Hooks 26

action admin_notices · admin\settings.php:56
filter dashboard_glance_items · admin\settings.php:77
filter set-screen-option · admin\settings.php:162
filter mce_buttons · admin\tinymce.php:95
filter mce_buttons · admin\tinymce.php:96
filter mce_buttons_2 · admin\tinymce.php:99
filter mce_buttons_2 · admin\tinymce.php:100
action admin_print_footer_scripts · admin\tinymce.php:124
action wp_enqueue_scripts · admin\tinymce.php:155
filter mce_external_plugins · admin\tinymce.php:182
action http_api_curl · inc\createoutput.class.php:28
action http_api_curl · inc\getappinfo.class.php:446
action init · wp-appbox.php:85
action admin_init · wp-appbox.php:86
action init · wp-appbox.php:98
filter cron_schedules · wp-appbox.php:131
action wpAppbox_cacheCron · wp-appbox.php:132
filter the_content · wp-appbox.php:458
action init · wp-appbox.php:694
action wpmu_new_blog · wp-appbox.php:936
filter plugin_action_links · wp-appbox.php:986
filter plugin_row_meta · wp-appbox.php:987
action plugins_loaded · wp-appbox.php:988
action admin_menu · wp-appbox.php:989
action wp_enqueue_scripts · wp-appbox.php:997
action wp_print_styles · wp-appbox.php:998

Scheduled Events 1

wpAppbox_cacheCron
Maintenance & Trust

WP-Appbox Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.0
Last updated: Apr 10, 2026
PHP min version
Downloads: 427K

Community Trust

Rating: 90/100
Number of ratings: 63
Active installs: 2K
Developer Profile

WP-Appbox Developer Profile

Marcelismus

1 plugin · 2K total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 349 days
Detection Fingerprints

How We Detect WP-Appbox

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-appbox/css/style.css
/wp-content/plugins/wp-appbox/js/wp-appbox.js
Script Paths
/wp-content/plugins/wp-appbox/js/wp-appbox.js
Version Parameters
wp-appbox/style.css?ver=
wp-appbox.js?ver=

HTML / DOM Fingerprints

CSS Classes
wp-appbox, wp-appbox-inner, wp-appbox-img, wp-appbox-title, wp-appbox-link, wp-appbox-rating-stars, wp-appbox-link-wrapper, wp-appbox-description (+4 more)
Data Attributes
data-wp-appbox-id, data-wp-appbox-type, data-wp-appbox-store, data-wp-appbox-title, data-wp-appbox-image, data-wp-appbox-rating (+6 more)
JS Globals
wpAppbox, wpAppboxFirstShortcode
Shortcode Output
<div class="wp-appbox-shortcode-wrapper"><div class="wp-appbox appbox-wrapper"><div class="wp-appbox-inner"><div class="wp-appbox-app-wrapper">
FAQ

Frequently Asked Questions about WP-Appbox