WP Blog and Widgets Security & Risk Analysis

wordpress.org/plugins/wp-blog-and-widgets

A quick, easy way to add a Blog custom post type and a Blog widget to WordPress. It also works with the Gutenberg shortcode block.

8K active installs · v2.6.6 · PHP + WP 4.0+ · Updated Feb 20, 2026

Tags: blog-page-with-custom-post-type, custom-blog-layout, custom-blog-template, free-wordpress-blog, wordpress-blog
Score: 99 (A · Safe)
CVEs total: 1
Unpatched: 0
Last CVE: Jan 12, 2023
Safety Verdict

Is WP Blog and Widgets Safe to Use in 2026?

Generally Safe

Score 99/100

WP Blog and Widgets has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Jan 12, 2023 · Updated 1mo ago
Risk Assessment

The wp-blog-and-widgets plugin version 2.6.6 exhibits a generally good security posture due to strong adherence to best practices like using prepared statements for all SQL queries and a high percentage of properly escaped outputs. The static analysis reveals a limited attack surface, with no unprotected entry points identified. However, the presence of the `unserialize` function is a significant concern, as it can lead to deserialization vulnerabilities if not handled with extreme care and proper sanitization. While the taint analysis showed no unsanitized paths, this does not fully mitigate the risk associated with `unserialize` without further context on its usage.

The vulnerability history shows one known high-severity CVE, which has since been patched. This historical trend, particularly the type of vulnerability (Cross-site Scripting), suggests that input validation and output escaping might have been areas of past weakness. Although the current version appears to have addressed this, the potential for similar issues to re-emerge, especially with the identified `unserialize` function, remains a concern. Overall, the plugin has strengths in its secure query handling and output escaping, but the `unserialize` function introduces a specific and potentially serious risk that warrants attention.

Key Concerns

  • Presence of unserialize function
  • Historical high severity vulnerability (XSS)
Vulnerabilities (1)

WP Blog and Widgets Security Vulnerabilities

CVEs by Year

2023: 1 CVE (patched, none unpatched)

Severity Breakdown

High: 1 (1 total CVE)

CVE-2022-4824 · High (7.4) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Blog and Widget <= 2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Jan 12, 2023 · Patched in 2.3.1 (376d)
Code Analysis
Analyzed Mar 16, 2026

WP Blog and Widgets Code Analysis

  • Dangerous Functions: 1
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 31 (354 escaped)
  • Nonce Checks: 6
  • Capability Checks: 6
  • File Operations: 3
  • External Requests: 1
  • Bundled Libraries: 0

Dangerous Functions Found

  • `unserialize`: `$info = @unserialize($data);` in wpos-analytics\includes\class-anylc-admin.php:696

Output Escaping

92% escaped (385 total outputs)

Data Flows: All sanitized

Data Flow Analysis

1 flow: <solutions-features> (includes\admin\settings\solution-features\solutions-features.php:0)
Attack Surface

WP Blog and Widgets Attack Surface

Entry Points: 2 · Unprotected: 0

Shortcodes (2)

  • [blog] · includes\shortcode\wpbaw-blog-shortcode.php:218
  • [recent_blog_post] · includes\shortcode\wpbaw-recent-blog-shortcode.php:196

WordPress Hooks (33)

  • action · admin_menu · includes\admin\class-wpbaw-admin.php:20
  • action · add_meta_boxes · includes\admin\class-wpbaw-admin.php:23
  • action · admin_init · includes\admin\class-wpbaw-admin.php:26
  • filter · pre_get_posts · includes\admin\class-wpbaw-admin.php:29
  • action · init · includes\admin\supports\gutenberg-block.php:150
  • action · enqueue_block_assets · includes\admin\supports\gutenberg-block.php:159
  • action · enqueue_block_editor_assets · includes\admin\supports\gutenberg-block.php:183
  • filter · block_categories_all · includes\admin\supports\gutenberg-block.php:204
  • action · admin_enqueue_scripts · includes\class-wpbaw-script.php:20
  • action · wp_enqueue_scripts · includes\class-wpbaw-script.php:23
  • action · widgets_init · includes\widgets\class-wpbaw-blog.php:235
  • action · init · includes\wpbaw-post-types.php:71
  • action · init · includes\wpbaw-post-types.php:106
  • action · plugins_loaded · wp-blog-and-widgets.php:91
  • action · update_option_active_plugins · wp-blog-and-widgets.php:128
  • action · admin_notices · wp-blog-and-widgets.php:191
  • action · admin_menu · wpos-analytics\includes\class-anylc-admin.php:45
  • action · admin_menu · wpos-analytics\includes\class-anylc-admin.php:48
  • action · admin_init · wpos-analytics\includes\class-anylc-admin.php:51
  • action · admin_notices · wpos-analytics\includes\class-anylc-admin.php:54
  • action · admin_footer · wpos-analytics\includes\class-anylc-admin.php:57
  • action · wp_loaded · wpos-analytics\includes\class-anylc-admin.php:60
  • action · init · wpos-analytics\includes\class-anylc-admin.php:63
  • filter · cron_schedules · wpos-analytics\includes\class-anylc-admin.php:66
  • action · wpos_monthly_cron_hook · wpos-analytics\includes\class-anylc-admin.php:69
  • action · rest_api_init · wpos-analytics\includes\class-anylc-admin.php:72
  • filter · rest_pre_serve_request · wpos-analytics\includes\class-anylc-admin.php:585
  • action · admin_enqueue_scripts · wpos-analytics\includes\class-anylc-script.php:20
  • action · activated_plugin · wpos-analytics\wpos-analytics.php:244
  • action · plugins_loaded · wpos-analytics\wpos-analytics.php:258
  • action · admin_menu · wpos-plugins\includes\admin\class-espbw-admin.php:19
  • action · admin_enqueue_scripts · wpos-plugins\includes\class-espbw-script.php:19
  • action · plugins_loaded · wpos-plugins\wpos-recommendation.php:185

Scheduled Events (1)

  • wpos_monthly_cron_hook
Maintenance & Trust

WP Blog and Widgets Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Feb 20, 2026
  • PHP min version: (not listed)
  • Downloads: 441K

Community Trust

  • Rating: 82/100
  • Number of ratings: 27
  • Active installs: 8K
Developer Profile

WP Blog and Widgets Developer Profile

Essential Plugin

33 plugins · 205K total installs

  • Trust score: 78
  • Avg Security Score: 99/100
  • Avg Patch Time: 219 days
Detection Fingerprints

How We Detect WP Blog and Widgets

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wp-blog-and-widgets/assets/css/wpbaw-public.css
  • /wp-content/plugins/wp-blog-and-widgets/assets/js/wpbaw-public.js
  • /wp-content/plugins/wp-blog-and-widgets/assets/js/wpbaw-block.js
Script Paths
  • /wp-content/plugins/wp-blog-and-widgets/assets/js/wpbaw-public.js
  • /wp-content/plugins/wp-blog-and-widgets/assets/js/wpbaw-block.js
Version Parameters
  • wp-blog-and-widgets/assets/css/wpbaw-public.css?ver=
  • wp-blog-and-widgets/assets/js/wpbaw-public.js?ver=
  • wp-blog-and-widgets/assets/js/wpbaw-block.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • wpbaw-blog-layout
  • wpbaw-blog-grid
  • wpbaw-blog-list
  • wpbaw-blog-content
Data Attributes
  • data-wpbaw-blog-id
  • data-wpbaw-blog-layout
JS Globals
  • wpbaw_block_options
Shortcode Output
  • [wpbaw_blog]
  • [wpbaw_recent_blog]
FAQ

Frequently Asked Questions about WP Blog and Widgets