Category Dropdown by GCS Design Security & Risk Analysis

wordpress.org/plugins/wp-category-dropdown

Display parent and child categories in a dropdown. Works with custom taxonomies and WooCommerce product categories.

1K active installs · v1.9 · PHP 7.0+ · WP 5.0+ · Updated Oct 9, 2024
Tags: ajax-wordpress-category, child-category-dropdown, parent-and-child-categories, wordpress-category-dropdown
Score: 69 · C · Use Caution
CVEs total: 2
Unpatched: 1
Last CVE: Sep 22, 2025
Safety Verdict

Is Category Dropdown by GCS Design Safe to Use in 2026?

Use With Caution

Score 69/100

Category Dropdown by GCS Design has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

2 known CVEs · 1 unpatched · Last CVE: Sep 22, 2025 · Updated 1yr ago
Risk Assessment

The wp-category-dropdown v1.9 plugin presents a concerning security posture, largely because most of its entry points are unprotected. The static analysis finds that 8 of the 9 entry points, all of them AJAX handlers, carry no authentication or authorization check: the plugin registers four AJAX actions, each on both the wp_ajax_ hook (logged-in users) and the wp_ajax_nopriv_ hook (anonymous visitors), and the analysis found no nonce verification and no capability check anywhere in the code base. Every one of those handlers is therefore reachable through admin-ajax.php by an unauthenticated request. On the positive side, the analysis found no raw SQL queries at all (0 raw, 0 prepared), no dangerous functions, no file operations and no external HTTP requests, so the exposure is confined to what the handlers do with their input and output. Output escaping is poor, however: only 15 of 55 outputs (27%) are escaped, and taint analysis found 2 data flows from user input to a sink with no sanitizer on the path, in wpcd_show_child_cat_dropdown (wp-category-dropdown.php:143). Together these point to a high likelihood of further Cross-Site Scripting (XSS) issues.

The vulnerability history reinforces these findings. The plugin has two known CVEs, CVE-2024-8103 and CVE-2025-58239, both medium severity (CVSS 6.4) and both authenticated (Contributor+) stored Cross-Site Scripting. The first, via the align parameter, was fixed in 1.9; the second affects 1.9, the current release, and is unpatched. Two stored XSS findings a year apart indicate a recurring problem with input sanitization and output escaping, which is exactly what the static analysis shows. The timing matters: the unpatched CVE was published on 2025-09-22, almost a year after the last release (Oct 9, 2024), so there is no fixed version to update to. In summary, the absence of direct SQL is a point in the plugin's favour, but the eight unprotected AJAX endpoints, the poor output escaping and the open stored XSS make this a high-risk plugin. Evaluate replacements; while it remains installed, treat Contributor and Author accounts as untrusted, since a stored payload renders for whoever views the post, including an editor previewing a pending one.

Key Concerns

  • 8 unprotected AJAX handlers (4 actions, each registered on wp_ajax_ and wp_ajax_nopriv_)
  • Only 27% of outputs escaped (15 of 55)
  • Unpatched CVE (medium severity, affects the current release 1.9)
  • 2 data flows with unsanitized paths
  • 0 nonce checks
  • 0 capability checks
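What an unprotected handler of this kind looks like, and one way to close it: nonce verification, a capability check, input validation against what exists, and output escaped for its context. This is an added example written for this page, not code from wp-category-dropdown; the action names, the wpcd_ajax nonce action, the script handle and the POST field names are assumptions made for the illustration.

```php
<?php
/**
 * Added example, not code from wp-category-dropdown: the registration pattern
 * the static analysis flags (one callback on both wp_ajax_ and wp_ajax_nopriv_,
 * no nonce, no capability check, raw echo) beside a hardened handler.
 * Action names, the 'wpcd_ajax' nonce action, the script handle and the
 * POST field names are assumptions for this illustration.
 */

// ---- The flagged pattern -------------------------------------------------
// Reachable by anyone who can reach admin-ajax.php, logged in or not:
//   POST /wp-admin/admin-ajax.php  action=wpcd_example_terms_open&taxonomy=...
// Input is trusted as-is and term names are echoed without escaping.
function wpcd_example_terms_open() {
    $taxonomy = $_POST['taxonomy'];
    $terms    = get_terms( array( 'taxonomy' => $taxonomy, 'hide_empty' => false ) );
    foreach ( $terms as $term ) {
        echo '<option value="' . $term->term_id . '">' . $term->name . '</option>';
    }
    wp_die();
}
// Kept only to show the shape of the finding; a shipped plugin must not register this.
add_action( 'wp_ajax_wpcd_example_terms_open',        'wpcd_example_terms_open' );
add_action( 'wp_ajax_nopriv_wpcd_example_terms_open', 'wpcd_example_terms_open' );

// ---- Hardened form -------------------------------------------------------
// Registered on wp_ajax_ only, so anonymous callers get WordPress's default
// "0" reply. check_ajax_referer() dies unless the 'nonce' field carries a
// valid nonce for 'wpcd_ajax'; current_user_can() enforces authorization
// (a valid nonce proves intent, not privilege); the taxonomy is validated
// against what actually exists; every value is escaped for its HTML context
// and returned as JSON so the caller inserts it deliberately.
function wpcd_example_terms_hardened() {
    check_ajax_referer( 'wpcd_ajax', 'nonce' );

    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    $taxonomy = isset( $_POST['taxonomy'] ) ? sanitize_key( wp_unslash( $_POST['taxonomy'] ) ) : '';
    if ( '' === $taxonomy || ! taxonomy_exists( $taxonomy ) ) {
        wp_send_json_error( array( 'message' => 'unknown taxonomy' ), 400 );
    }

    $terms = get_terms( array( 'taxonomy' => $taxonomy, 'hide_empty' => false ) );
    if ( is_wp_error( $terms ) ) {
        wp_send_json_error( array( 'message' => 'lookup failed' ), 500 );
    }

    $html = '';
    foreach ( $terms as $term ) {
        $html .= sprintf( '<option value="%d">%s</option>', (int) $term->term_id, esc_html( $term->name ) );
    }
    wp_send_json_success( array( 'html' => $html ) );
}
add_action( 'wp_ajax_wpcd_example_terms', 'wpcd_example_terms_hardened' );

// The nonce reaches the browser through wp_localize_script(); the script
// posts it back as the 'nonce' field together with action=wpcd_example_terms.
function wpcd_example_admin_assets() {
    wp_enqueue_script( 'wpcd-example', plugins_url( 'js/example.js', __FILE__ ), array( 'jquery' ), '1.0.0', true );
    wp_localize_script( 'wpcd-example', 'wpcdExample', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'wpcd_ajax' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'wpcd_example_admin_assets' );
```

For an endpoint that genuinely has to serve anonymous visitors, such as a front-end child-category loader, keep the wp_ajax_nopriv_ hook but apply the same validation and escaping and return only data that is already public. A nonce does not help there: WordPress issues the same nonce to every logged-out visitor, so it is not an authentication control on a nopriv handler.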
Vulnerabilities: 2

Category Dropdown by GCS Design Security Vulnerabilities

CVEs by Year

2024: 1 CVE (patched)
2025: 1 CVE (unpatched)

Severity Breakdown

Medium: 2 (2 total CVEs)

CVE-2025-58239 · medium · CVSS 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP Category Dropdown <= 1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
Sep 22, 2025 · Unpatched

CVE-2024-8103 · medium · CVSS 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP Category Dropdown <= 1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via align Parameter
Sep 23, 2024 · Patched in 1.9 (26 days)
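The shape of a Contributor+ stored XSS through a shortcode attribute, the class of bug CVE-2024-8103 describes for the align parameter, beside a handler that closes it by whitelisting the attribute and escaping the output. Added example, not the plugin's code: the plugin's actual vulnerable lines are not on this page, and the shortcode tag wpcd_example_dropdown and its attribute set are assumed.

```php
<?php
/**
 * Added example, not code from wp-category-dropdown: a stored XSS through a
 * shortcode attribute (the class of bug reported for `align` in
 * CVE-2024-8103) beside a hardened handler. The shortcode tag
 * `wpcd_example_dropdown` and its attributes are assumed for illustration.
 */

// ---- Vulnerable shape ----------------------------------------------------
// A Contributor can save a post containing
//   [wpcd_example_dropdown align='" onmouseover="alert(1)']
// kses filters HTML tags on save, but a shortcode is plain text to kses, so
// the attribute value survives. Concatenating it into the markup turns it
// into `style="text-align:" onmouseover="alert(1)"`, stored in the post and
// rendered to everyone who views it. Defined here for comparison only; it
// is deliberately not registered with add_shortcode().
function wpcd_example_dropdown_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'align' => 'left', 'taxonomy' => 'category' ), $atts );
    $out  = '<div class="wpcd_example" style="text-align:' . $atts['align'] . '">';
    $out .= wp_dropdown_categories( array( 'taxonomy' => $atts['taxonomy'], 'echo' => 0, 'hide_empty' => false ) );
    $out .= '</div>';
    return $out;
}

// ---- Hardened form -------------------------------------------------------
// Attributes are untrusted even though only logged-in authors write them:
// `align` is reduced to a fixed set of tokens, `taxonomy` must exist, and the
// value that reaches the markup is escaped for the attribute context. Styling
// moves to a class so no attacker-influenced text lands inside style="".
function wpcd_example_dropdown_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'align' => 'left', 'taxonomy' => 'category' ),
        $atts,
        'wpcd_example_dropdown'
    );

    $allowed_align = array( 'left', 'center', 'right' );
    $align = in_array( $atts['align'], $allowed_align, true ) ? $atts['align'] : 'left';

    $taxonomy = sanitize_key( $atts['taxonomy'] );
    if ( ! taxonomy_exists( $taxonomy ) ) {
        $taxonomy = 'category';
    }

    $out  = sprintf( '<div class="wpcd_example wpcd_example--%s">', esc_attr( $align ) );
    $out .= wp_dropdown_categories( array( 'taxonomy' => $taxonomy, 'echo' => 0, 'hide_empty' => false ) );
    $out .= '</div>';
    return $out;
}
add_shortcode( 'wpcd_example_dropdown', 'wpcd_example_dropdown_safe' );
```

The whitelist is the important part: esc_attr() alone would stop the attribute break-out, but it still lets arbitrary text into a CSS property, and a fixed token set is easier to audit than a sanitizer for free-form style values.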
Code Analysis · Analyzed Mar 16, 2026

Category Dropdown by GCS Design Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 40 (15 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping: 27% escaped (15 of 55 outputs)

Data Flows: 2 unsanitized

Data Flow Analysis

2 flows, 2 with unsanitized paths
wpcd_show_child_cat_dropdown (wp-category-dropdown.php:143)
Attack Surface: 8 unprotected

Category Dropdown by GCS Design Attack Surface

Entry Points: 9 · Unprotected: 8

AJAX Handlers (8)
(auth = wp_ajax_ hook, logged-in users; nopriv = wp_ajax_nopriv_ hook, anonymous visitors)

auth · wp_ajax_wpcd_widget_exclude_categories · category_widget.php:254
nopriv · wp_ajax_wpcd_widget_exclude_categories · category_widget.php:255
auth · wp_ajax_wpcd_get_taxonomies_action · functions.php:30
nopriv · wp_ajax_wpcd_get_taxonomies_action · functions.php:31
auth · wp_ajax_wpcd_get_taxonomy_terms_action · functions.php:52
nopriv · wp_ajax_wpcd_get_taxonomy_terms_action · functions.php:53
auth · wp_ajax_wpcd_show_child_cat_dropdown · wp-category-dropdown.php:267
nopriv · wp_ajax_wpcd_show_child_cat_dropdown · wp-category-dropdown.php:268

Shortcodes (1)

[wpcd_child_categories_dropdown] · wp-category-dropdown.php:141

WordPress Hooks (4)

action · widgets_init · category_widget.php:3
action · admin_enqueue_scripts · functions.php:8
action · enqueue_block_editor_assets · functions.php:63
action · enqueue_block_editor_assets · wp-category-dropdown.php:53
Maintenance & Trust

Category Dropdown by GCS Design Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.6.5
Last updated: Oct 9, 2024
PHP min version: 7.0
Downloads: 21K

Community Trust

Rating: 100/100
Number of ratings: 3 (too small a sample for the rating to carry much weight)
Active installs: 1K
Alternatives

Category Dropdown by GCS Design Alternatives

No alternatives data available yet.

Developer Profile

Category Dropdown by GCS Design Developer Profile

Chandrika Sista

1 plugin · 1K total installs

Trust score: 72
Avg Security Score: 69/100
Avg Patch Time: 26 days
Detection Fingerprints

How We Detect Category Dropdown by GCS Design

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-category-dropdown/build/index.asset.php
/wp-content/plugins/wp-category-dropdown/build/index.js
/wp-content/plugins/wp-category-dropdown/js/scripts.js

Script Paths
wp-content/plugins/wp-category-dropdown/build/index.js
wp-content/plugins/wp-category-dropdown/js/scripts.js

Version Parameters
wp-category-dropdown/build/index.asset.php?ver=
wp-category-dropdown/build/index.js?ver=
wp-category-dropdown/js/scripts.js

HTML / DOM Fingerprints

CSS Classes
wpcd_dropdown_categories, wpcd_child_cat_loader, wpcd_child_cat_dropdown

Data Attributes
id="wpcd_parent", id="child_cat_default_text", id="taxonomy", id="random_id", id="hide_empty", id="show_count", +4 more

JS Globals
wpcdajax
Shortcode Output
[wpcd_child_categories_dropdown]
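A detection check built from the fingerprints above: it looks for the asset paths, CSS classes and JS global in a fetched page, pulls the plugin version out of the ?ver= cache-buster on its scripts and compares it with the range both CVEs affect (<= 1.9). Added example, not the scanner's or the plugin's code; the sample HTML is constructed, and reading the version from ?ver= is an assumption about how the version is exposed.

```php
<?php
/**
 * Added example, not code from this page's scanner or from the plugin:
 * applies the asset-path, ?ver= and DOM markers listed above to a fetched
 * page and reports whether the observed version falls in the affected
 * range (<= 1.9). The sample HTML below is constructed for the example.
 */

const WPCD_SLUG         = 'wp-category-dropdown';
const WPCD_MAX_AFFECTED = '1.9';

// Markers taken from the Detection Fingerprints section.
const WPCD_ASSET_PATHS = array(
    '/wp-content/plugins/wp-category-dropdown/build/index.js',
    '/wp-content/plugins/wp-category-dropdown/js/scripts.js',
);
const WPCD_DOM_MARKERS = array(
    'wpcd_dropdown_categories',
    'wpcd_child_cat_loader',
    'wpcd_child_cat_dropdown',
    'id="wpcd_parent"',
    'wpcdajax',
);

/**
 * Returns ['detected' => bool, 'markers' => string[], 'version' => ?string,
 * 'affected' => ?bool]; 'affected' stays null when no version was observed.
 */
function wpcd_fingerprint( $html ) {
    $markers = array();
    foreach ( WPCD_ASSET_PATHS as $path ) {
        if ( false !== stripos( $html, $path ) ) {
            $markers[] = $path;
        }
    }
    foreach ( WPCD_DOM_MARKERS as $marker ) {
        if ( false !== strpos( $html, $marker ) ) {
            $markers[] = $marker;
        }
    }
    if ( empty( $markers ) ) {
        return array( 'detected' => false, 'markers' => array(), 'version' => null, 'affected' => null );
    }

    // The cache-busting ?ver= on the plugin's own scripts leaks its version.
    // Only a dotted number is accepted. WordPress substitutes the core version
    // when a script is enqueued without one, and a site can strip ?ver=
    // entirely, so a missing or core-looking value is not evidence of a
    // patched install; it only means the version could not be read.
    $version = null;
    $pattern = '#/plugins/' . preg_quote( WPCD_SLUG, '#' ) . '/[^"\'\s?]+\?ver=(\d+(?:\.\d+)*)#i';
    if ( preg_match( $pattern, $html, $m ) ) {
        $version = $m[1];
    }

    return array(
        'detected' => true,
        'markers'  => $markers,
        'version'  => $version,
        // version_compare() orders "1.10" after "1.9"; a plain string compare would not.
        'affected' => null === $version ? null : version_compare( $version, WPCD_MAX_AFFECTED, '<=' ),
    );
}

// Constructed sample page: what a theme might emit with the shortcode active.
$sample_html = <<<'HTML'
<html><head>
<script src="https://example.test/wp-content/plugins/wp-category-dropdown/js/scripts.js?ver=1.9"></script>
<script>var wpcdajax = {"ajaxurl":"https://example.test/wp-admin/admin-ajax.php"};</script>
</head><body>
<select id="wpcd_parent" class="wpcd_dropdown_categories"><option value="0">Select a category</option></select>
<div class="wpcd_child_cat_loader"></div>
</body></html>
HTML;

$result = wpcd_fingerprint( $sample_html );
printf(
    "detected=%s version=%s affected=%s markers=%s\n",
    var_export( $result['detected'], true ),
    $result['version'] ?? 'n/a',
    var_export( $result['affected'], true ),
    implode( ',', $result['markers'] )
);
```

Treat the result as a triage signal, not a verdict: the DOM markers only appear on pages where the shortcode or widget is actually rendered, and the asset paths only when the plugin enqueues its scripts on that page, so a site should be checked on several URLs before it is marked as not running the plugin.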
FAQ

Frequently Asked Questions about Category Dropdown by GCS Design