WP Carousel Security & Risk Analysis

wordpress.org/plugins/wp-carousel

WP Carousel is a plugin that allows you to add a carousel with posts, categories, tags, authors, pages, and much more. It is easy to install and use.

80 active installs · v1.1 · PHP + WP 3.0+ · Updated Dec 6, 2011
Tags: carousel, images, posts, sidebar, theme
Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is WP Carousel Safe to Use in 2026?

Generally Safe

Score 85/100

WP Carousel has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 14yr ago
Risk Assessment

WP Carousel v1.1 presents a mixed security posture. On the positive side, there are no known CVEs associated with this plugin, and the static analysis indicates that the single SQL query uses prepared statements, which is a strong security practice. Furthermore, the plugin's attack surface is limited, with no unprotected AJAX handlers or REST API routes. However, significant concerns arise from the code analysis. The high number of 'dangerous functions' like unserialize and create_function, coupled with a complete lack of output escaping (0% properly escaped), creates a substantial risk. The taint analysis also reveals multiple flows with unsanitized paths, although thankfully, none are classified as critical or high severity. The absence of nonce checks is another critical weakness, especially concerning given the presence of shortcodes, which can be triggered by users and potentially manipulated.

Key Concerns

  • No output escaping
  • High count of dangerous functions
  • Unsanitized paths in taint flows
  • No nonce checks
  • Bundled library (TinyMCE)

Vulnerabilities
None known

WP Carousel Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

WP Carousel Code Analysis

Dangerous Functions: 39
Raw SQL Queries: 0 (1 prepared)
Unescaped Output: 669 (2 escaped)
Nonce Checks: 0
Capability Checks: 6
File Operations: 3
External Requests: 0
Bundled Libraries: 1

Dangerous Functions Found

Function         Code                                                                                              Location
unserialize      $extra = unserialize(base64_decode($extra));                                                      extras\any-kind-of-post-taxonomy\extra.php:9
unserialize      $extra = unserialize(base64_decode($extra));                                                      extras\any-kind-of-post-taxonomy\extra.php:23
unserialize      $extra = unserialize(base64_decode($extra));                                                      extras\any-kind-of-post-taxonomy\extra.php:37
unserialize      $extra = unserialize(base64_decode($extra));                                                      extras\any-kind-of-post-taxonomy\extra.php:51
unserialize      $extra = unserialize(base64_decode($extra));                                                      extras\any-kind-of-post-taxonomy\extra.php:65
unserialize      $extra = unserialize(base64_decode($extra));                                                      extras\any-kind-of-post-taxonomy\extra.php:77
unserialize      $extra = unserialize(base64_decode($extra));                                                      extras\any-kind-of-post-type\extra.php:9
unserialize      $extra = unserialize(base64_decode($extra));                                                      extras\any-kind-of-post-type\extra.php:23
unserialize      $extra = unserialize(base64_decode($extra));                                                      extras\any-kind-of-post-type\extra.php:37
unserialize      $extra = unserialize(base64_decode($extra));                                                      extras\any-kind-of-post-type\extra.php:51
unserialize      $extra = unserialize(base64_decode($extra));                                                      extras\any-kind-of-post-type\extra.php:65
unserialize      $extra = unserialize(base64_decode($extra));                                                      extras\internal-carousel\extra.php:47
unserialize      $extra = unserialize(base64_decode($extra));                                                      extras\tcp-category\extra.php:9
unserialize      $extra = unserialize(base64_decode($extra));                                                      extras\tcp-category\extra.php:23
unserialize      $extra = unserialize(base64_decode($extra));                                                      extras\tcp-category\extra.php:37
unserialize      $extra = unserialize(base64_decode($extra));                                                      extras\tcp-category\extra.php:51
unserialize      $extra = unserialize(base64_decode($extra));                                                      extras\tcp-category\extra.php:65
unserialize      $extra = unserialize(base64_decode($extra));                                                      extras\tcp-category\extra.php:77
unserialize      $extra = unserialize(base64_decode($extra));                                                      extras\tcp-singleproduct\extra.php:9
unserialize      $extra = unserialize(base64_decode($extra));                                                      extras\tcp-singleproduct\extra.php:23
unserialize      $extra = unserialize(base64_decode($extra));                                                      extras\tcp-singleproduct\extra.php:37
unserialize      $extra = unserialize(base64_decode($extra));                                                      extras\tcp-singleproduct\extra.php:51
unserialize      $extra = unserialize(base64_decode($extra));                                                      extras\tcp-singleproduct\extra.php:65
unserialize      $extra = unserialize(base64_decode($extra));                                                      extras\tcp-supplier\extra.php:9
unserialize      $extra = unserialize(base64_decode($extra));                                                      extras\tcp-supplier\extra.php:23
unserialize      $extra = unserialize(base64_decode($extra));                                                      extras\tcp-supplier\extra.php:37
unserialize      $extra = unserialize(base64_decode($extra));                                                      extras\tcp-supplier\extra.php:51
unserialize      $extra = unserialize(base64_decode($extra));                                                      extras\tcp-supplier\extra.php:65
unserialize      $extra = unserialize(base64_decode($extra));                                                      extras\tcp-supplier\extra.php:77
unserialize      $extra = unserialize(base64_decode($extra));                                                      extras\tcp-tag\extra.php:9
unserialize      $extra = unserialize(base64_decode($extra));                                                      extras\tcp-tag\extra.php:23
unserialize      $extra = unserialize(base64_decode($extra));                                                      extras\tcp-tag\extra.php:37
unserialize      $extra = unserialize(base64_decode($extra));                                                      extras\tcp-tag\extra.php:51
unserialize      $extra = unserialize(base64_decode($extra));                                                      extras\tcp-tag\extra.php:65
unserialize      $extra = unserialize(base64_decode($extra));                                                      extras\tcp-tag\extra.php:77
unserialize      $config = unserialize(get_option('wp_carousel_config'));                                          js\init.all.stepcarousel.php:4
unserialize      $config = unserialize(get_option('wp_carousel_config'));                                          js\init.jcarousel.php:5
create_function  add_action('widgets_init', create_function('', 'return register_widget("WP_Carousel_Widget");')); //   wp-carousel.php:255
unserialize      $config = unserialize(get_option(WP_CAROUSEL_CONFIG_TABLE));                                      wp-carousel.php:1238

Bundled Libraries

TinyMCE

SQL Query Safety

100% prepared (1 total query)

Output Escaping

0% escaped (671 total outputs)

Data Flows
9 unsanitized

Data Flow Analysis

13 flows, 9 with unsanitized paths

Flow diagram node: <get_db> (get_db.php:0)
Diagram legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized

Attack Surface

WP Carousel Attack Surface

Entry Points: 1
Unprotected: 0

Shortcodes 1

[wp_carousel]  wp-carousel.php:5353

WordPress Hooks 23

Type    Hook                  Location
action  init                  wp-carousel.php:236
action  init                  wp-carousel.php:248
action  admin_menu            wp-carousel.php:254
action  widgets_init          wp-carousel.php:255
action  init                  wp-carousel.php:350
action  admin_head            wp-carousel.php:358
action  init                  wp-carousel.php:365
action  admin_head            wp-carousel.php:391
action  init                  wp-carousel.php:404
action  wp_head               wp-carousel.php:406
action  wp_head               wp-carousel.php:407
filter  contextual_help       wp-carousel.php:641
action  admin_print_scripts   wp-carousel.php:651
filter  admin_footer_text     wp-carousel.php:823
action  wp_footer             wp-carousel.php:1051
action  wp_footer             wp-carousel.php:1083
action  wp_footer             wp-carousel.php:1117
filter  mce_external_plugins  wp-carousel.php:5371
filter  mce_buttons           wp-carousel.php:5372
action  init                  wp-carousel.php:5376
filter  tiny_mce_version      wp-carousel.php:5424
action  loop_start            wp-carousel.php:5439
action  loop_end              wp-carousel.php:5454

Maintenance & Trust

WP Carousel Maintenance & Trust

Maintenance Signals

WordPress version tested: 3.3.2
Last updated: Dec 6, 2011
PHP min version:
Downloads: 64K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 80

Developer Profile

WP Carousel Developer Profile

sumolari

3 plugins · 100 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect WP Carousel

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-carousel/css/style.css
/wp-content/plugins/wp-carousel/js/jquery.jcarousel.min.js
/wp-content/plugins/wp-carousel/js/wp-carousel.js
Script Paths
/wp-content/plugins/wp-carousel/js/jquery.jcarousel.min.js
/wp-content/plugins/wp-carousel/js/wp-carousel.js
Version Parameters
wp-carousel/css/style.css?ver=
wp-carousel/js/jquery.jcarousel.min.js?ver=
wp-carousel/js/wp-carousel.js?ver=

HTML / DOM Fingerprints

CSS Classes
wp-carousel-container
wp-carousel-items-container
wp-carousel-pagination-container
HTML Comments
<!-- WP Carousel -->
<!-- WP Carousel Carousel -->
Data Attributes
data-wp-carousel-options
JS Globals
wp_carousel_objects
Shortcode Output
[wp_carousel
[carousel_wp
FAQ

Frequently Asked Questions about WP Carousel