Does Plugin Name: WP Business Hours have any unpatched vulnerabilities?

Yes — Plugin Name: WP Business Hours currently has 1 published unpatched vulnerability. We recommend switching to an alternative or applying any available workarounds.

Is Plugin Name: WP Business Hours compatible with WordPress 3.7.41?

According to WordPress.org data, Plugin Name: WP Business Hours 1.4 has been tested up to WordPress 3.7.41. Check the plugin's changelog for the latest compatibility information.

How often is Plugin Name: WP Business Hours updated?

Plugin Name: WP Business Hours was last updated on May 16, 2014. Frequent updates are generally a positive security signal.

What is Plugin Name: WP Business Hours's security score?

Plugin Name: WP Business Hours has a WP-Safety security score of 63/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Plugin Name: WP Business Hours Security & Risk Analysis

wordpress.org/plugins/wp-business-hours

This Plugin is to show Business hours, Admin can manage the business hours Weekly, can show using widget and shortcode.

60 active installs v1.4 PHP + WP 3.5+ Updated May 16, 2014

business-hours-widgetbusiness-pluginbusiness-widgetwp-business-hourswp-business-hours-plugin

C · Use Caution

CVEs total1

Unpatched1

Last CVEOct 7, 2025

Plugin page Download

Safety Verdict

Is Plugin Name: WP Business Hours Safe to Use in 2026?

Use With Caution

Score 63/100

Plugin Name: WP Business Hours has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE 1 unpatched Last CVE: Oct 7, 2025Updated 12yr ago

Risk Assessment

The wp-business-hours plugin v1.4 presents a mixed security posture. While it demonstrates good practices in database querying with 100% prepared statements and avoids external HTTP requests and file operations, several critical concerns emerge from the static analysis. The presence of the `unserialize` function is a significant risk, as it can lead to Remote Code Execution if used with untrusted input, especially without proper sanitization. Compounding this, the taint analysis reveals two flows with unsanitized paths, indicating potential vulnerabilities that could be exploited. Furthermore, the complete lack of output escaping is alarming, exposing the plugin to Cross-Site Scripting (XSS) attacks. The vulnerability history, which includes a past medium-severity CSRF vulnerability and a currently unpatched medium-severity CVE, suggests a pattern of security oversights and a need for more robust security development. While the small attack surface and absence of unprotected entry points are positive, the identified risks, particularly `unserialize` usage and lack of output escaping, elevate the overall risk profile.

Key Concerns

Unpatched CVE
Dangerous function: unserialize
Taint flows with unsanitized paths
Output escaping: 0% properly escaped
Nonce checks: 0
Capability checks: 0

Vulnerabilities

1 published

Plugin Name: WP Business Hours Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched

2025

Patched Has unpatched

Severity Breakdown

Medium

1 total CVE

CVE-2025-62934medium · 4.3Cross-Site Request Forgery (CSRF)

WP Business Hours <= 1.4 - Cross-Site Request Forgery

Oct 7, 2025Unpatched

Version History

Plugin Name: WP Business Hours Release Timeline

No version history available.

Code Analysis

Analyzed Mar 16, 2026

Plugin Name: WP Business Hours Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

0 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Dangerous Functions Found

unserialize$arr = unserialize(base64_decode(get_option('wp_business_hours')));wp-business-hours.php:41

unserialize$arr = unserialize(base64_decode($unsArr));wp-business-hours.php:76

Output Escaping

0% escaped18 total outputs

Data Flows · Security

2 unsanitized

Data Flow Analysis

2 flows2 with unsanitized paths

wpbusinesHours (wp-business-hours.php:57)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

Plugin Name: WP Business Hours Attack Surface

Entry Points1

Unprotected0

Shortcodes 1

[WPBUSINESSHOURS] wp-business-hours.php:35

WordPress Hooks 2

actionadmin_menuwp-business-hours.php:29

actionwidgets_initwp-business-hours.php:115

Maintenance & Trust

Plugin Name: WP Business Hours Maintenance & Trust

Maintenance Signals

WordPress version tested3.7.41

Last updatedMay 16, 2014

PHP min version

Downloads4K

Community Trust

Rating60/100

Number of ratings2

Active installs60

Alternatives

Plugin Name: WP Business Hours Alternatives

WP Open Hour Widget

wp-open-hours

WP Open Hours give your customers definite answer when you will be open or closed!

30 No CVEs

Better Business Hours

better-business-hours

Easily set and display your business hours. A shortcode and widget are included so you can put it anywhere on your site.

70 No CVEs

Developer Profile

Plugin Name: WP Business Hours Developer Profile

Mejar

2 plugins · 70 total installs

trust score

Avg Security Score

74/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect Plugin Name: WP Business Hours

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/wp-business-hours/wp-business-hours.php

HTML / DOM Fingerprints

CSS Classes

bHoursgreybh_daybh_timealert

HTML Comments

------ Outer div------ ------ Inner Table------ ------ day and time ------

Data Attributes

data-widget-id

Shortcode Output

<div class="bHours"><table cellspacing="0" cellpadding="4" width="100%"><tr<td width="44%" class="bh_day">

FAQ